ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r787976 - in /webservices/wss4j/trunk: src/org/apache/ws/security/ src/org/apache/ws/security/handler/ src/org/apache/ws/security/message/token/ src/org/apache/ws/security/processor/ test/wssec/
Date Wed, 24 Jun 2009 11:11:32 GMT
Author: coheigea
Date: Wed Jun 24 11:11:31 2009
New Revision: 787976

URL: http://svn.apache.org/viewvc?rev=787976&view=rev
Log:
[WSS-199] - Add support for WCF non-standard Username Tokens
 - I added a new config variable WSHandlerConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES
 - The default is false. An exception will be thrown in this case when processing a Username
Token with a (Wsse) namespace qualified password type

Added:
    webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS199.java   (with props)
Modified:
    webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java
    webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
    webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
    webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
    webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
    webservices/wss4j/trunk/test/wssec/PackageTests.java

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java?rev=787976&r1=787975&r2=787976&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java Wed Jun 24 11:11:31
2009
@@ -204,6 +204,14 @@
      */
     protected boolean handleCustomPasswordTypes = false;
     
+    /**
+     * This variable controls whether (wsse) namespace qualified password types are
+     * accepted when processing UsernameTokens.
+     * 
+     * By default this is set to false.
+     */
+    protected boolean allowNamespaceQualifiedPasswordTypes = false;
+    
     
     /**
      * The default wsu:Id allocator is a simple "start at 1 and increment up"
@@ -386,7 +394,22 @@
     public boolean getHandleCustomPasswordTypes() {
         return handleCustomPasswordTypes;
     }
-
+    
+    /**
+     * @param allowNamespaceQualifiedTypes
+     * whether (wsse) namespace qualified password types are accepted or not
+     */
+    public void setAllowNamespaceQualifiedPasswordTypes(boolean allowNamespaceQualifiedTypes)
{
+        allowNamespaceQualifiedPasswordTypes = allowNamespaceQualifiedTypes;
+    }
+    
+    /**
+     * @return whether (wsse) namespace qualified password types are accepted or not
+     */
+    public boolean getAllowNamespaceQualifiedPasswordTypes() {
+        return allowNamespaceQualifiedPasswordTypes;
+    }
+    
     /**
      * @return Returns if we shall throw an exception on expired request
      *         semantic

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=787976&r1=787975&r2=787976&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Wed Jun 24 11:11:31
2009
@@ -255,6 +255,9 @@
         wssConfig.setTimeStampStrict(decodeTimestampStrict(reqData));
         wssConfig.setTimeStampTTL(decodeTimeToLive(reqData));
         wssConfig.setHandleCustomPasswordTypes(decodeCustomPasswordTypes(reqData));
+        wssConfig.setAllowNamespaceQualifiedPasswordTypes(
+            decodeNamespaceQualifiedPasswordTypes(reqData)
+        );
         reqData.setWssConfig(wssConfig);
 
         if ((doAction & WSConstants.SIGN) == WSConstants.SIGN) {
@@ -729,6 +732,28 @@
             "WSHandler: illegal handleCustomPasswordTypes parameter"
         );
     }
+    
+    protected boolean decodeNamespaceQualifiedPasswordTypes(RequestData reqData) 
+        throws WSSecurityException {
+        String value = getString(
+            WSHandlerConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES,
+            reqData.getMsgContext()
+        );
+    
+        if (value == null) {
+            return false;
+        }
+        if ("0".equals(value) || "false".equals(value)) {
+            return false;
+        } 
+        if ("1".equals(value) || "true".equals(value)) {
+            return true;
+        }
+    
+        throw new WSSecurityException(
+            "WSHandler: illegal allowNamespaceQualifiedPasswordTypes parameter"
+        );
+    }
 
     protected boolean decodeTimestampStrict(RequestData reqData) 
         throws WSSecurityException {

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java?rev=787976&r1=787975&r2=787976&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java Wed
Jun 24 11:11:31 2009
@@ -497,6 +497,15 @@
      * reject custom token types in the callback handler.
      */
     public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes";
+    
+    /**
+     * This variable controls whether (wsse) namespace qualified password types are
+     * accepted when processing UsernameTokens.
+     * 
+     * By default this is set to false.
+     */
+    public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES 
+        = "allowNamespaceQualifiedPasswordTypes";
 
     /**
      * Parameter to generate additional elements in <code>UsernameToken</code>.

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java?rev=787976&r1=787975&r2=787976&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java Wed
Jun 24 11:11:31 2009
@@ -75,7 +75,7 @@
     protected String passwordType = null;
     protected boolean hashed = true;
     private String rawPassword;        // enhancement by Alberto Coletti
-
+    
     static {
         try {
             random = WSSecurityUtil.resolveSecureRandom();
@@ -85,7 +85,7 @@
             }
         }
     }
-
+    
     /**
      * Constructs a <code>UsernameToken</code> object and parses the
      * <code>wsse:UsernameToken</code> element to initialize it.
@@ -95,6 +95,23 @@
      * @throws WSSecurityException
      */
     public UsernameToken(Element elem) throws WSSecurityException {
+        this (elem, false);
+    }
+
+    /**
+     * Constructs a <code>UsernameToken</code> object and parses the
+     * <code>wsse:UsernameToken</code> element to initialize it.
+     * 
+     * @param elem the <code>wsse:UsernameToken</code> element that contains
+     *             the UsernameToken data
+     * @param allowNamespaceQualifiedPasswordTypes whether to allow (wsse)
+     *        namespace qualified password types or not (for interop with WCF)
+     * @throws WSSecurityException
+     */
+    public UsernameToken(
+        Element elem, 
+        boolean allowNamespaceQualifiedPasswordTypes
+    ) throws WSSecurityException {
         element = elem;
         QName el = new QName(element.getNamespaceURI(), element.getLocalName());
         if (!el.equals(TOKEN)) {
@@ -151,9 +168,26 @@
             }
             return;
         }
-        if (elementPassword != null 
-            && elementPassword.hasAttribute(WSConstants.PASSWORD_TYPE_ATTR)) {
-            passwordType = elementPassword.getAttribute(WSConstants.PASSWORD_TYPE_ATTR);
+        if (elementPassword != null) {
+            if (elementPassword.hasAttribute(WSConstants.PASSWORD_TYPE_ATTR)) {
+                passwordType = elementPassword.getAttribute(WSConstants.PASSWORD_TYPE_ATTR);
+            } else if (elementPassword.hasAttributeNS(
+                WSConstants.WSSE_NS, WSConstants.PASSWORD_TYPE_ATTR)
+            ) {
+                if (allowNamespaceQualifiedPasswordTypes) {
+                    passwordType = 
+                        elementPassword.getAttributeNS(
+                            WSConstants.WSSE_NS, WSConstants.PASSWORD_TYPE_ATTR
+                        );
+                } else {
+                    throw new WSSecurityException(
+                        WSSecurityException.INVALID_SECURITY_TOKEN,
+                        "badTokenType01", 
+                        new Object[] {el}
+                    );
+                }
+            }
+            
         }
         if (WSConstants.PASSWORD_DIGEST.equals(passwordType)) {
             hashed = true;

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java?rev=787976&r1=787975&r2=787976&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
(original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
Wed Jun 24 11:11:31 2009
@@ -45,6 +45,7 @@
     private String utId;
     private UsernameToken ut;
     private boolean handleCustomPasswordTypes;
+    private boolean allowNamespaceQualifiedPasswordTypes;
     
     public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler
cb, 
         WSDocInfo wsDocInfo, List returnResults, WSSConfig wsc) throws WSSecurityException
{
@@ -52,6 +53,7 @@
             log.debug("Found UsernameToken list element");
         }
         handleCustomPasswordTypes = wsc.getHandleCustomPasswordTypes();
+        allowNamespaceQualifiedPasswordTypes = wsc.getAllowNamespaceQualifiedPasswordTypes();
         
         Principal lastPrincipalFound = handleUsernameToken(elem, cb);
         returnResults.add(
@@ -87,7 +89,7 @@
         //
         // Parse the UsernameToken element
         //
-        ut = new UsernameToken(token);
+        ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
         String user = ut.getName();
         String password = ut.getPassword();
         String nonce = ut.getNonce();

Modified: webservices/wss4j/trunk/test/wssec/PackageTests.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/PackageTests.java?rev=787976&r1=787975&r2=787976&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/PackageTests.java (original)
+++ webservices/wss4j/trunk/test/wssec/PackageTests.java Wed Jun 24 11:11:31 2009
@@ -76,6 +76,7 @@
         suite.addTestSuite(SignatureConfirmationTest.class);
         suite.addTestSuite(TestWSSecurityWSS194.class);
         suite.addTestSuite(TestModifiedRequest.class);
+        suite.addTestSuite(TestWSSecurityWSS199.class);
         
         return suite;
     }

Added: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS199.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS199.java?rev=787976&view=auto
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS199.java (added)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS199.java Wed Jun 24 11:11:31 2009
@@ -0,0 +1,164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package wssec;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.util.Base64;
+import org.w3c.dom.Document;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+import java.security.MessageDigest;
+
+
+/**
+ * A test-case for WSS-199 - "Add support for WCF non-standard Username Tokens"
+ * (see also WSS-148 - "WCF interop issue: Namespace not honored incase of attributes.").
+ * The issue is that WCF generated Username Tokens where the password type is namespace
+ * qualified (incorrectly). WSS-199 added the ability to process these Username Tokens.
+ */
+public class TestWSSecurityWSS199 extends TestCase implements CallbackHandler {
+    private static final Log LOG = LogFactory.getLog(TestWSSecurityWSS199.class);
+    private static final String SOAPUTMSG = 
+        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" 
+        + "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"
"
+        + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
+        + "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
+        + "<SOAP-ENV:Header>"
+        + "<wsse:Security SOAP-ENV:mustUnderstand=\"1\" "
+        + "xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
+        + "<wsse:UsernameToken wsu:Id=\"UsernameToken-29477163\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">"
+        + "<wsse:Username>wernerd</wsse:Username>"
+        + "<wsse:Password " 
+        + "wsse:Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">verySecret</wsse:Password>"
+        + "</wsse:UsernameToken></wsse:Security></SOAP-ENV:Header>"
+        + "<SOAP-ENV:Body>" 
+        + "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">" 
+        + "<value xmlns=\"\">15</value>" + "</add>" 
+        + "</SOAP-ENV:Body>\r\n       \r\n" + "</SOAP-ENV:Envelope>";
+    
+    private WSSecurityEngine secEngine = new WSSecurityEngine();
+
+    /**
+     * TestWSSecurity constructor
+     * 
+     * @param name name of the test
+     */
+    public TestWSSecurityWSS199(String name) {
+        super(name);
+    }
+
+    /**
+     * JUnit suite
+     * 
+     * @return a junit test suite
+     */
+    public static Test suite() {
+        return new TestSuite(TestWSSecurityWSS199.class);
+    }
+
+
+    /**
+     * Test that adds a UserNameToken with a namespace qualified type. This should fail
+     * as WSS4J rejects these tokens by default.
+     */
+    public void testNamespaceQualifiedTypeRejected() throws Exception {
+        Document doc = SOAPUtil.toSOAPPart(SOAPUTMSG);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Message with UserNameToken PW Digest:");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        try {
+            verify(doc);
+            fail("Failure expected on a bad password type");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+    }
+    
+    
+    /**
+     * Test that adds a UserNameToken with a namespace qualified type. This should pass
+     * as WSS4J has been configured to accept these tokens.
+     */
+    public void testNamespaceQualifiedTypeAccepted() throws Exception {
+        Document doc = SOAPUtil.toSOAPPart(SOAPUTMSG);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Message with UserNameToken PW Digest:");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        WSSConfig wssConfig = secEngine.getWssConfig();
+        wssConfig.setAllowNamespaceQualifiedPasswordTypes(true);
+        secEngine.setWssConfig(wssConfig);
+        verify(doc);
+    }
+    
+    
+    /**
+     * Verifies the soap envelope
+     * 
+     * @param env soap envelope
+     * @throws java.lang.Exception Thrown when there is a problem in verification
+     */
+    private void verify(Document doc) throws Exception {
+        LOG.info("Before verifying UsernameToken....");
+        secEngine.processSecurityHeader(doc, null, this, null);
+        LOG.info("After verifying UsernameToken....");
+    }
+
+    public void handle(Callback[] callbacks)
+        throws IOException, UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof WSPasswordCallback) {
+                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+                assertEquals(pc.getPasswordType(), WSConstants.PASSWORD_TEXT);
+                if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN
+                    && "wernerd".equals(pc.getIdentifier())) {
+                    pc.setPassword("verySecret");
+                } else if (
+                    pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN
+                ) {
+                    throw new IOException("Authentication failed");
+                }
+            } else {
+                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+            }
+        }
+    }
+}

Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS199.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS199.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date



---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Mime
View raw message