
From cohei...@apache.org
Subject svn commit: r979810 - in /webservices/wss4j/branches/1_5_x-fixes: src/org/apache/ws/security/action/ src/org/apache/ws/security/handler/ test/wssec/
Date Tue, 27 Jul 2010 19:13:42 GMT
Author: coheigea
Date: Tue Jul 27 19:13:41 2010
New Revision: 979810

URL: http://svn.apache.org/viewvc?rev=979810&view=rev
Log:
[WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through
WSHandler.
 - For backwards compatibility reasons, the password is requested from the callback handler with
usage USERNAME_TOKEN on the outbound side and USERNAME_TOKEN_UNKNOWN on the inbound side. This
inconsistency will be fixed on trunk.

Modified:
    webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
    webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java
    webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
    webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandlerConstants.java
    webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityUTSignature.java

Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/action/UsernameTokenSignedAction.java?rev=979810&r1=979809&r2=979810&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
(original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
Tue Jul 27 19:13:41 2010
@@ -53,8 +53,15 @@ public class UsernameTokenSignedAction i
 
         WSSecUsernameToken builder = new WSSecUsernameToken();
         builder.setWsConfig(reqData.getWssConfig());
-        builder.setPasswordType(reqData.getPwType());  // enhancement by Alberto Coletti
-        builder.setSecretKeyLength(reqData.getSecretKeyLength());
+        
+        if (reqData.isUseDerivedKey()) {
+            int iterations = reqData.getDerivedKeyIterations();
+            boolean useMac = reqData.isUseDerivedKeyForMAC();
+            builder.addDerivedKey(useMac, null, iterations);
+        } else {
+            builder.setPasswordType(reqData.getPwType());  // enhancement by Alberto Coletti
+            builder.setSecretKeyLength(reqData.getSecretKeyLength());
+        }
         
         builder.setUserInfo(reqData.getUsername(), password);
         builder.addCreated();
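Review bot: The derived-key branch at the top of the hunk silently drops the password-type and secret-key-length settings, and nothing says this is deliberate, so the next maintainer is likely to "restore" them. A comment on the `if (reqData.isUseDerivedKey())` line would fix that: `// UTP 1.1 key derivation: no wsse:Password element is emitted and the WSE secret key length is not consulted, so pwType/secretKeyLength apply only to the legacy path`. Note also that `reqData.getDerivedKeyIterations()` is handed to addDerivedKey without any check here, so any lower bound on the iteration count has to be enforced where the value is decoded. The enclosing method starts before and continues after this hunk.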
@@ -82,7 +89,12 @@ public class UsernameTokenSignedAction i
 
         sign.setUsernameToken(builder);
         sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
-        sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+
+        if (reqData.getSigAlgorithm() != null) {
+            sign.setSignatureAlgorithm(reqData.getSigAlgorithm());
+        } else {
+            sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+        }
 
         sign.prepare(doc, null, reqData.getSecHeader());
 

Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java?rev=979810&r1=979809&r2=979810&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java
(original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java
Tue Jul 27 19:13:41 2010
@@ -24,6 +24,7 @@ import org.apache.ws.security.WSConstant
 import org.apache.ws.security.WSSConfig;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.token.UsernameToken;
 
 import java.util.Vector;
 import java.security.cert.X509Certificate;
@@ -61,6 +62,9 @@ public class RequestData {
     private WSSecHeader secHeader = null;
     private boolean encSymmetricEncryptionKey = true;
     private int secretKeyLength = WSConstants.WSE_DERIVED_KEY_LEN;
+    private boolean useDerivedKey = false;
+    private int derivedKeyIterations = UsernameToken.DEFAULT_ITERATION;
+    private boolean useDerivedKeyForMAC = true;
 
     public void clear() {
         soapConstants = null;
@@ -76,6 +80,9 @@ public class RequestData {
         encSymmetricEncryptionKey = true;
         secretKeyLength = WSConstants.WSE_DERIVED_KEY_LEN;
         signatureUser = null;
+        useDerivedKey = false;
+        derivedKeyIterations = UsernameToken.DEFAULT_ITERATION;
+        useDerivedKeyForMAC = true;
     }
 
     public Object getMsgContext() {
@@ -295,4 +302,53 @@ public class RequestData {
     public void setSecHeader(WSSecHeader secHeader) {
         this.secHeader = secHeader;
     }
+    
+    /**
+     * @param derivedKey Set whether to derive keys as per the 
+     *        UsernameTokenProfile 1.1 spec. Default is false.
+     */
+    public void setUseDerivedKey(boolean derivedKey) {
+        useDerivedKey = derivedKey;
+    }
+    
+    /**
+     * Return whether to derive keys as per the UsernameTokenProfile 
+     * 1.1 spec. Default is false.
+     */
+    public boolean isUseDerivedKey() {
+        return useDerivedKey;
+    }
+    
+    /**
+     * Set the derived key iterations. Default is 1000.
+     * @param iterations The number of iterations to use when deriving a key
+     */
+    public void setDerivedKeyIterations(int iterations) {
+        derivedKeyIterations = iterations;
+    }
+    
+    /**
+     * Get the derived key iterations.
+     * @return The number of iterations to use when deriving a key
+     */
+    public int getDerivedKeyIterations() {
+        return derivedKeyIterations;
+    }
+    
+    /**
+     * Whether to use the derived key for a MAC.
+     * @param useMac Whether to use the derived key for a MAC.
+     */
+    public void setUseDerivedKeyForMAC(boolean useMac) {
+        useDerivedKeyForMAC = useMac;
+    }
+    
+    /**
+     * Whether to use the derived key for a MAC.
+     * @return Whether to use the derived key for a MAC.
+     */
+    public boolean isUseDerivedKeyForMAC() {
+        return useDerivedKeyForMAC;
+    }
+    
 }
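Review bot: setDerivedKeyIterations accepts any int, including 0 and negatives, and the WSHandler change in this same commit passes the result of Integer.parseInt straight into it, so an out-of-range iteration count reaches the token builder unchecked. Add `if (iterations < 1) { throw new IllegalArgumentException("iterations must be >= 1: " + iterations); }` at the top of the setter and note in its Javadoc that the default 1000 is UsernameToken.DEFAULT_ITERATION. The Javadoc on setUseDerivedKeyForMAC only repeats the method name; say what `false` selects (presumably an encryption-key derivation — confirm against WSSecUsernameToken.addDerivedKey) so callers know it must stay true for the UT_SIGN action.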

Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java?rev=979810&r1=979809&r2=979810&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
(original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
Tue Jul 27 19:13:41 2010
@@ -529,6 +529,24 @@ public abstract class WSHandler {
         if (add != null) {
             reqData.setUtElements(StringUtil.split(add, ' '));
         }
+        
+        String derived = getString(WSHandlerConstants.USE_DERIVED_KEY, mc);
+        boolean useDerivedKey = Boolean.parseBoolean(derived);
+        if (useDerivedKey) {
+            reqData.setUseDerivedKey(useDerivedKey);
+        }
+        
+        String derivedMAC = getString(WSHandlerConstants.USE_DERIVED_KEY, mc);
+        boolean useDerivedKeyForMAC = Boolean.parseBoolean(derivedMAC);
+        if (useDerivedKeyForMAC) {
+            reqData.setUseDerivedKeyForMAC(useDerivedKeyForMAC);
+        }
+        
+        String iterations = getString(WSHandlerConstants.DERIVED_KEY_ITERATIONS, mc);
+        if (iterations != null) {
+            int iIterations = Integer.parseInt(iterations);
+            reqData.setDerivedKeyIterations(iIterations);
+        }
     }
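Review bot: The MAC flag is decoded from the wrong property: `String derivedMAC = getString(WSHandlerConstants.USE_DERIVED_KEY, mc);` re-reads USE_DERIVED_KEY instead of USE_DERIVED_KEY_FOR_MAC, so the constant added for this purpose is never consulted. Even with the right key, the `if (useDerivedKeyForMAC)` guard only calls the setter when the parsed value is true, and since RequestData defaults the flag to true, configuring "false" is a no-op; the value should be applied whenever the property is present. The iteration count is also accepted without a lower bound, so a zero or negative `derivedKeyIterations` reaches addDerivedKey (an unparsable string already throws NumberFormatException from parseInt). The enclosing method's signature is outside the hunk.
```java
        // … unchanged: utElements and USE_DERIVED_KEY handling …
        String derivedMAC = getString(WSHandlerConstants.USE_DERIVED_KEY_FOR_MAC, mc);
        if (derivedMAC != null) {
            // The RequestData default is true, so apply the parsed value
            // unconditionally; otherwise "false" can never take effect.
            reqData.setUseDerivedKeyForMAC(Boolean.parseBoolean(derivedMAC));
        }

        String iterations = getString(WSHandlerConstants.DERIVED_KEY_ITERATIONS, mc);
        if (iterations != null) {
            int iIterations = Integer.parseInt(iterations);
            if (iIterations < 1) {
                throw new IllegalArgumentException(
                    "derivedKeyIterations must be a positive integer: " + iterations);
            }
            reqData.setDerivedKeyIterations(iIterations);
        }
```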
 
     protected void decodeSignatureParameter(RequestData reqData) 

Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandlerConstants.java?rev=979810&r1=979809&r2=979810&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandlerConstants.java
(original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandlerConstants.java
Tue Jul 27 19:13:41 2010
@@ -602,6 +602,25 @@ public class WSHandlerConstants {
      * The default value is 16 bytes.
      */
     public static final String WSE_SECRET_KEY_LENGTH = "wseSecretKeyLength";
+    
+    /**
+     * This parameter sets whether to use UsernameToken Key Derivation, as defined 
+     * in the UsernameTokenProfile 1.1 specification. The default is false for
+     * backwards compatibility reasons, and defaults to WSE key derivation.
+     */
+    public static final String USE_DERIVED_KEY = "useDerivedKey";
+    
+    /**
+     * This parameter sets whether to use the Username Token derived key for a MAC
+     * or not. The default is true.
+     */
+    public static final String USE_DERIVED_KEY_FOR_MAC = "useDerivedKeyForMAC";
+    
+    /**
+     * This parameter sets the number of iterations to use when deriving a key
+     * from a Username Token. The default is 1000. 
+     */
+    public static final String DERIVED_KEY_ITERATIONS = "derivedKeyIterations";
 
     /**
      * The name of the crypto property file to use for SOAP Encryption.

Modified: webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityUTSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityUTSignature.java?rev=979810&r1=979809&r2=979810&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityUTSignature.java (original)
+++ webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityUTSignature.java Tue Jul
27 19:13:41 2010
@@ -28,12 +28,15 @@ import org.apache.axis.message.SOAPEnvel
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSConfig;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.WSPasswordCallback;
 import org.apache.ws.security.WSSecurityEngine;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.message.WSSecHeader;
 import org.apache.ws.security.message.WSSecSignature;
 import org.apache.ws.security.message.WSSecUsernameToken;
@@ -202,6 +205,98 @@ public class TestWSSecurityUTSignature e
     }
     
     /**
+     * Test using a UsernameToken derived key for signing a SOAP body via WSHandler
+     */
+    public void testHandlerSignature() throws Exception {
+        
+        final WSSConfig cfg = WSSConfig.getNewInstance();
+        RequestData reqData = new RequestData();
+        reqData.setWssConfig(cfg);
+        java.util.Map messageContext = new java.util.TreeMap();
+        messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, this);
+        messageContext.put(WSHandlerConstants.USE_DERIVED_KEY, "true");
+        reqData.setMsgContext(messageContext);
+        reqData.setUsername("bob");
+        
+        final java.util.Vector actions = new java.util.Vector();
+        actions.add(new Integer(WSConstants.UT_SIGN));
+        
+        Document doc = unsignedEnvelope.getAsDocument();
+        MyHandler handler = new MyHandler();
+        handler.send(
+            WSConstants.UT_SIGN, 
+            doc, 
+            reqData, 
+            actions,
+            true
+        );
+        
+        String outputString = 
+            org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+        assertTrue(outputString.indexOf("wsse:Username") != -1);
+        assertTrue(outputString.indexOf("wsse:Password") == -1);
+        assertTrue(outputString.indexOf("wsse11:Salt") != -1);
+        assertTrue(outputString.indexOf("wsse11:Iteration") != -1);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(outputString);
+        }
+        
+        Vector results = verify(doc);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.UT_SIGN);
+        java.security.Principal principal = 
+            (java.security.Principal) actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        assertTrue(principal.getName().indexOf("bob") != -1);
+    }
+    
+    /**
+     * Test using a UsernameToken derived key for signing a SOAP body via WSHandler
+     */
+    public void testHandlerSignatureIterations() throws Exception {
+        
+        final WSSConfig cfg = WSSConfig.getNewInstance();
+        RequestData reqData = new RequestData();
+        reqData.setWssConfig(cfg);
+        java.util.Map messageContext = new java.util.TreeMap();
+        messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, this);
+        messageContext.put(WSHandlerConstants.USE_DERIVED_KEY, "true");
+        messageContext.put(WSHandlerConstants.DERIVED_KEY_ITERATIONS, "1234");
+        reqData.setMsgContext(messageContext);
+        reqData.setUsername("bob");
+        
+        final java.util.Vector actions = new java.util.Vector();
+        actions.add(new Integer(WSConstants.UT_SIGN));
+        
+        Document doc = unsignedEnvelope.getAsDocument();
+        MyHandler handler = new MyHandler();
+        handler.send(
+            WSConstants.UT_SIGN, 
+            doc, 
+            reqData, 
+            actions,
+            true
+        );
+        
+        String outputString = 
+            org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+        assertTrue(outputString.indexOf("wsse:Username") != -1);
+        assertTrue(outputString.indexOf("wsse:Password") == -1);
+        assertTrue(outputString.indexOf("wsse11:Salt") != -1);
+        assertTrue(outputString.indexOf("wsse11:Iteration") != -1);
+        assertTrue(outputString.indexOf("1234") != -1);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(outputString);
+        }
+        
+        Vector results = verify(doc);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.UT_SIGN);
+        java.security.Principal principal = 
+            (java.security.Principal) actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        assertTrue(principal.getName().indexOf("bob") != -1);
+    }
+    
+    /**
      * Verifies the soap envelope.
      * 
      * @param env soap envelope
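Review bot: Neither new test sets USE_DERIVED_KEY_FOR_MAC, which is why the handler looking up USE_DERIVED_KEY in its place (WSHandler.java in this commit) goes unnoticed; add a case that puts `WSHandlerConstants.USE_DERIVED_KEY_FOR_MAC, "false"` into the message context and asserts `reqData.isUseDerivedKeyForMAC()` is false after `handler.send(...)`, assuming send decodes into the RequestData it is given. Separately, `assertTrue(outputString.indexOf("1234") != -1)` in testHandlerSignatureIterations can be satisfied by digits in the Created timestamp, nonce or base64 salt rather than the iteration element; assert on `"<wsse11:Iteration>1234</wsse11:Iteration>"` instead (if the pretty printer keeps element text inline), or read the element from `doc` directly.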
@@ -220,6 +315,9 @@ public class TestWSSecurityUTSignature e
                 if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN
                     && "bob".equals(pc.getIdentifier())) {
                     pc.setPassword("security");
+                } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN
+                    && "bob".equals(pc.getIdentifier())) {
+                    pc.setPassword("security");
                 } else {
                     throw new IOException("Authentication failed");
                 }
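Review bot: The added `else if` duplicates the preceding branch apart from the usage constant, so the same identifier check and password appear twice. Merge them: `if ((pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN || pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) && "bob".equals(pc.getIdentifier())) { pc.setPassword("security"); }`, with a comment recording what the commit log says — on this branch the outbound side asks with USERNAME_TOKEN and the inbound side with USERNAME_TOKEN_UNKNOWN — so the reader knows both usages are expected. The enclosing handle method begins before this hunk.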


