ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1124706 - in /webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str: DerivedKeyTokenSTRParser.java EncryptedKeySTRParser.java SecurityTokenRefSTRParser.java SignatureSTRParser.java
Date Thu, 19 May 2011 12:23:15 GMT
Author: coheigea
Date: Thu May 19 12:23:14 2011
New Revision: 1124706

URL: http://svn.apache.org/viewvc?rev=1124706&view=rev
Log:
Changed STR Parsers so that KeyIdentifier references now check for a previously processed
security result.

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java?rev=1124706&r1=1124705&r2=1124706&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
Thu May 19 12:23:14 2011
@@ -27,7 +27,6 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.message.token.Reference;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.message.token.UsernameToken;
 import org.apache.ws.security.saml.SAMLKeyInfo;
@@ -76,64 +75,24 @@ public class DerivedKeyTokenSTRParser im
         SecurityTokenReference secRef = new SecurityTokenReference(strElement, bspCompliant);
         
         String uri = null;
-        String keyIdentifierValueType = null;
-        String keyIdentifierValue = null;
-        
-        WSSecurityEngineResult result = null;
         if (secRef.containsReference()) {
-            Reference ref = secRef.getReference();
-            uri = ref.getURI();
+            uri = secRef.getReference().getURI();
             if (uri.charAt(0) == '#') {
                 uri = uri.substring(1);
             }
-            result = wsDocInfo.getResult(uri);
-        } else {
-            // Contains key identifier
-            keyIdentifierValue = secRef.getKeyIdentifierValue();
-            keyIdentifierValueType = secRef.getKeyIdentifierValueType();
-            result = wsDocInfo.getResult(keyIdentifierValue);
+        } else if (secRef.containsKeyIdentifier()) {
+            uri = secRef.getKeyIdentifierValue();
         }
         
+        WSSecurityEngineResult result = wsDocInfo.getResult(uri);
         if (result != null) {
-            int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
-            if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
-                if (bspCompliant) {
-                    BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
-                }
-                UsernameToken usernameToken = 
-                    (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
-                usernameToken.setRawPassword(data);
-                secretKey = usernameToken.getDerivedKey();
-            } else if (WSConstants.ENCR == action) {
-                if (bspCompliant) {
-                    BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
-                }
-                secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-            } else if (WSConstants.SCT == action) {
-                secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-            } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action)
{
-                AssertionWrapper assertion = 
-                    (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-                if (bspCompliant) {
-                    BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
-                }
-                SAMLKeyInfo keyInfo = 
-                    SAMLUtil.getCredentialFromSubject(assertion, 
-                                                      data, wsDocInfo, bspCompliant);
-                // TODO Handle malformed SAML tokens where they don't have the 
-                // secret in them
-                secretKey = keyInfo.getSecret();
-            } else {
-                throw new WSSecurityException(
-                    WSSecurityException.FAILED_CHECK, "unsupportedKeyId"
-                );
-            }
-        } else if (result == null && uri != null) {
+            processPreviousResult(result, secRef, data, wsDocInfo, bspCompliant);
+        } else if (secRef.containsReference()) { 
             // Now use the callback and get it
             secretKey = 
-                getSecretKeyFromToken(uri, null, WSPasswordCallback.SECURITY_CONTEXT_TOKEN,

-                                      data);
-        } else if (keyIdentifierValue != null && keyIdentifierValueType != null)
{
+                getSecretKeyFromToken(uri, null, WSPasswordCallback.SECURITY_CONTEXT_TOKEN,
data);
+        } else if (secRef.containsKeyIdentifier()) {
+            String keyIdentifierValueType = secRef.getKeyIdentifierValueType();
             if (bspCompliant 
                 && keyIdentifierValueType.equals(SecurityTokenReference.ENC_KEY_SHA1_URI))
{
                 BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
@@ -142,7 +101,7 @@ public class DerivedKeyTokenSTRParser im
             if (certs == null || certs.length < 1 || certs[0] == null) {
                 secretKey = 
                     this.getSecretKeyFromToken(
-                        keyIdentifierValue, keyIdentifierValueType, 
+                        secRef.getKeyIdentifierValue(), keyIdentifierValueType, 
                         WSPasswordCallback.SECRET_KEY, data
                    ); 
             } else {
@@ -232,4 +191,48 @@ public class DerivedKeyTokenSTRParser im
         return pwcb.getKey();
     }
     
+    /**
+     * Process a previous security result
+     */
+    private void processPreviousResult(
+        WSSecurityEngineResult result,
+        SecurityTokenReference secRef,
+        RequestData data,
+        WSDocInfo wsDocInfo,
+        boolean bspCompliant
+    ) throws WSSecurityException {
+        int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
+        if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
+            if (bspCompliant) {
+                BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
+            }
+            UsernameToken usernameToken = 
+                (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
+            usernameToken.setRawPassword(data);
+            secretKey = usernameToken.getDerivedKey();
+        } else if (WSConstants.ENCR == action) {
+            if (bspCompliant) {
+                BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+            }
+            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+        } else if (WSConstants.SCT == action) {
+            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action)
{
+            AssertionWrapper assertion = 
+                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            if (bspCompliant) {
+                BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+            }
+            SAMLKeyInfo keyInfo = 
+                SAMLUtil.getCredentialFromSubject(assertion, 
+                                                  data, wsDocInfo, bspCompliant);
+            // TODO Handle malformed SAML tokens where they don't have the 
+            // secret in them
+            secretKey = keyInfo.getSecret();
+        } else {
+            throw new WSSecurityException(
+                WSSecurityException.FAILED_CHECK, "unsupportedKeyId"
+            );
+        }
+    }
 }

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java?rev=1124706&r1=1124705&r2=1124706&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
Thu May 19 12:23:14 2011
@@ -76,21 +76,21 @@ public class EncryptedKeySTRParser imple
         }
         
         SecurityTokenReference secRef = new SecurityTokenReference(strElement, bspCompliant);
-        //
-        // Handle X509IssuerSerial here. First check if all elements are available,
-        // get the appropriate data, check if all data is available.
-        // Then look up the certificate alias according to issuer name and serial number.
-        //
-        if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
-            certs = secRef.getX509IssuerSerial(crypto);
+        
+        String uri = null;
+        if (secRef.containsReference()) {
+            uri = secRef.getReference().getURI();
+            if (uri.charAt(0) == '#') {
+                uri = uri.substring(1);
+            }
+        } else if (secRef.containsKeyIdentifier()) {
+            uri = secRef.getKeyIdentifierValue();
         }
-        //
-        // If wsse:KeyIdentifier found, then the public key of the attached cert was used
to
-        // encrypt the session (symmetric) key that encrypts the data. Extract the certificate
-        // using the BinarySecurity token (was enhanced to handle KeyIdentifier too).
-        // This method is _not_ recommended by OASIS WS-S specification, X509 profile
-        //
-        else if (secRef.containsKeyIdentifier()) {
+        
+        WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+        if (result != null) {
+            processPreviousResult(result, secRef, data, wsDocInfo, bspCompliant);
+        } else if (secRef.containsKeyIdentifier()) {
             if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
                 || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()))
{
                 AssertionWrapper assertion = 
@@ -110,70 +110,28 @@ public class EncryptedKeySTRParser imple
                 }
                 certs = secRef.getKeyIdentifier(crypto);
             }
+        } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
+            certs = secRef.getX509IssuerSerial(crypto);
         } else if (secRef.containsReference()) {
-            if (wsDocInfo != null) {
-                String uri = secRef.getReference().getURI();
-                WSSecurityEngineResult result = wsDocInfo.getResult(uri);
-                
-                if (result != null) {
-                    int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
-                    if (WSConstants.BST == action) {
-                        if (bspCompliant) {
-                            BinarySecurity token = 
-                                (BinarySecurity)result.get(
-                                    WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
-                                );
-                            BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
-                        }
-                        certs = 
-                            (X509Certificate[])result.get(
-                                WSSecurityEngineResult.TAG_X509_CERTIFICATES
-                            );
-                    } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED
== action) {
-                        AssertionWrapper assertion = 
-                            (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-                        if (bspCompliant) {
-                            BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
-                        }
-                        SAMLKeyInfo keyInfo = 
-                            SAMLUtil.getCredentialFromSubject(assertion, 
-                                                              data,
-                                                              wsDocInfo, bspCompliant);
-                        certs = keyInfo.getCerts();
-                    } else {
-                        throw new WSSecurityException(
-                            WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
-                            "unsupportedBinaryTokenType",
-                            null
-                        );
-                    }
-                }
-            }
-            if (certs == null) {
-                Element bstElement = 
-                    secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
-    
-                // at this point ... check token type: Binary
-                QName el = new QName(bstElement.getNamespaceURI(), bstElement.getLocalName());
-                if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
-                    X509Security token = new X509Security(bstElement);
-                    if (bspCompliant) {
-                        BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
-                    }
-                    certs = new X509Certificate[]{token.getX509Certificate(crypto)};
-                } else {
-                    throw new WSSecurityException(
-                        WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
-                        "unsupportedBinaryTokenType",
-                        null
-                    );
+            Element bstElement = 
+                secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+
+            // at this point ... check token type: Binary
+            QName el = new QName(bstElement.getNamespaceURI(), bstElement.getLocalName());
+            if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+                X509Security token = new X509Security(bstElement);
+                if (bspCompliant) {
+                    BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
                 }
+                certs = new X509Certificate[]{token.getX509Certificate(crypto)};
+            } else {
+                throw new WSSecurityException(
+                    WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+                    "unsupportedBinaryTokenType",
+                    null
+                );
             }
-        } else {
-            throw new WSSecurityException(
-                WSSecurityException.INVALID_SECURITY, "unsupportedKeyId"
-            );
-        }
+        } 
         
         if (LOG.isDebugEnabled() && certs != null && certs[0] != null) {
             LOG.debug("cert: " + certs[0]);
@@ -223,4 +181,47 @@ public class EncryptedKeySTRParser imple
         return false;
     }
     
+    /**
+     * Process a previous security result
+     */
+    private void processPreviousResult(
+        WSSecurityEngineResult result,
+        SecurityTokenReference secRef,
+        RequestData data,
+        WSDocInfo wsDocInfo,
+        boolean bspCompliant
+    ) throws WSSecurityException {
+        int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
+        if (WSConstants.BST == action) {
+            if (bspCompliant) {
+                BinarySecurity token = 
+                    (BinarySecurity)result.get(
+                        WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
+                    );
+                BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
+            }
+            certs = 
+                (X509Certificate[])result.get(
+                    WSSecurityEngineResult.TAG_X509_CERTIFICATES
+                );
+        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action)
{
+            AssertionWrapper assertion = 
+                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            if (bspCompliant) {
+                BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+            }
+            SAMLKeyInfo keyInfo = 
+                SAMLUtil.getCredentialFromSubject(assertion, 
+                                                  data,
+                                                  wsDocInfo, bspCompliant);
+            certs = keyInfo.getCerts();
+        } else {
+            throw new WSSecurityException(
+                WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+                "unsupportedBinaryTokenType",
+                null
+            );
+        }
+    }
+    
 }

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1124706&r1=1124705&r2=1124706&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
Thu May 19 12:23:14 2011
@@ -77,54 +77,30 @@ public class SecurityTokenRefSTRParser i
         }
         
         SecurityTokenReference secRef = new SecurityTokenReference(strElement, bspCompliant);
-
+        
+        String uri = null;
         if (secRef.containsReference()) {
-            Reference reference = secRef.getReference();
-            String uri = reference.getURI();
-            String id = uri;
-            if (id.charAt(0) == '#') {
-                id = id.substring(1);
+            uri = secRef.getReference().getURI();
+            if (uri.charAt(0) == '#') {
+                uri = uri.substring(1);
             }
-            WSSecurityEngineResult result = wsDocInfo.getResult(id);
-            if (result != null) {
-                int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
-                if (WSConstants.ENCR == action) {
-                    if (bspCompliant) {
-                        BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
-                    }
-                    secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-                } else if (WSConstants.DKT == action) {
-                    DerivedKeyToken dkt = 
-                        (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
-                    byte[] secret = 
-                        (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-                    String algorithm = (String)parameters.get(SIGNATURE_METHOD);
-                    secretKey = dkt.deriveKey(WSSecurityUtil.getKeyLength(algorithm), secret);
-                } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED ==
action) {
-                    AssertionWrapper assertion = 
-                        (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-                    if (bspCompliant) {
-                        BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
-                    }
-                    SAMLKeyInfo keyInfo = 
-                        SAMLUtil.getCredentialFromSubject(assertion, 
-                                                          data, wsDocInfo, bspCompliant);
-                    // TODO Handle malformed SAML tokens where they don't have the 
-                    // secret in them
-                    secretKey = keyInfo.getSecret();
-                } else if (WSConstants.SCT == action) {
-                    secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-                }
-            } else {
-                // Try asking the CallbackHandler for the secret key
-                secretKey = getSecretKeyFromToken(id, reference.getValueType(), data);
-                if (secretKey == null) {
-                    throw new WSSecurityException(
-                        WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]{id}
-                    );
-                }
+        } else if (secRef.containsKeyIdentifier()) {
+            uri = secRef.getKeyIdentifierValue();
+        }
+        
+        WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+        if (result != null) {
+            processPreviousResult(result, secRef, data, parameters, wsDocInfo, bspCompliant);
+        } else if (secRef.containsReference()) {
+            Reference reference = secRef.getReference();
+            // Try asking the CallbackHandler for the secret key
+            secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
+            if (secretKey == null) {
+                throw new WSSecurityException(
+                    WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}
+                );
             }
-        } else if (secRef.containsKeyIdentifier()){
+        } else if (secRef.containsKeyIdentifier()) {
             String valueType = secRef.getKeyIdentifierValueType();
             if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)
                 || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) { 
@@ -133,24 +109,16 @@ public class SecurityTokenRefSTRParser i
                         secRef, strElement, 
                         data, wsDocInfo
                     );
-                if (bspCompliant) {
-                    BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
-                }
-                SAMLKeyInfo samlKi = 
-                    SAMLUtil.getCredentialFromSubject(assertion,
-                                                      data,
-                                                      wsDocInfo, bspCompliant);
-                // TODO Handle malformed SAML tokens where they don't have the 
-                // secret in them
-                secretKey = samlKi.getSecret();
+                secretKey = 
+                    getSecretKeyFromAssertion(assertion, secRef, data, wsDocInfo, bspCompliant);
             } else {
                 if (bspCompliant && SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType))
{
                     BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
                 } 
                 secretKey = 
                     getSecretKeyFromToken(
-                        secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(),

-                        data);
+                        secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(),
data
+                    );
             }
         } else {
             throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "noReference");
@@ -233,5 +201,59 @@ public class SecurityTokenRefSTRParser i
         return pwcb.getKey();
     }
     
+    /**
+     * Get a SecretKey from a SAML Assertion
+     */
+    private byte[] getSecretKeyFromAssertion(
+        AssertionWrapper assertion, 
+        SecurityTokenReference secRef,
+        RequestData data,
+        WSDocInfo wsDocInfo,
+        boolean bspCompliant
+    ) throws WSSecurityException {
+        if (bspCompliant) {
+            BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+        }
+        SAMLKeyInfo samlKi = 
+            SAMLUtil.getCredentialFromSubject(assertion, data, wsDocInfo, bspCompliant);
+        // TODO Handle malformed SAML tokens where they don't have the 
+        // secret in them
+        return samlKi.getSecret();
+    }
+    
+    /**
+     * Process a previous security result
+     */
+    private void processPreviousResult(
+        WSSecurityEngineResult result,
+        SecurityTokenReference secRef,
+        RequestData data,
+        Map<String, Object> parameters,
+        WSDocInfo wsDocInfo,
+        boolean bspCompliant
+    ) throws WSSecurityException {
+        int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
+        if (WSConstants.ENCR == action) {
+            if (bspCompliant) {
+                BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+            }
+            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+        } else if (WSConstants.DKT == action) {
+            DerivedKeyToken dkt = 
+                (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
+            byte[] secret = 
+                (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            String algorithm = (String)parameters.get(SIGNATURE_METHOD);
+            secretKey = dkt.deriveKey(WSSecurityUtil.getKeyLength(algorithm), secret);
+        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action)
{
+            AssertionWrapper assertion = 
+                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            secretKey = 
+                getSecretKeyFromAssertion(assertion, secRef, data, wsDocInfo, bspCompliant);
+        } else if (WSConstants.SCT == action) {
+            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+        }
+    }
+    
     
 }

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1124706&r1=1124705&r2=1124706&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Thu May 19 12:23:14 2011
@@ -106,143 +106,74 @@ public class SignatureSTRParser implemen
         // processed, in particular the crypto implementation, and already
         // detected BST that may be used later during dereferencing.
         //
+        String uri = null;
         if (secRef.containsReference()) {
-            org.apache.ws.security.message.token.Reference ref = secRef.getReference();
-
-            String uri = ref.getURI();
+            uri = secRef.getReference().getURI();
             if (uri.charAt(0) == '#') {
                 uri = uri.substring(1);
             }
-            WSSecurityEngineResult result = wsDocInfo.getResult(uri);
-            if (result == null) {
-                Element token = 
-                    secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
-                QName el = new QName(token.getNamespaceURI(), token.getLocalName());
-                if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
-                    certs = getCertificatesTokenReference(secRef, token, crypto, bspCompliant);
-                } else if (el.equals(WSSecurityEngine.SAML_TOKEN) 
-                    || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
-                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
-                    //
-                    // Just check to see whether the token was processed or not
-                    //
-                    Element processedToken = 
-                        secRef.findProcessedTokenElement(
-                            strElement.getOwnerDocument(), wsDocInfo, 
-                            data.getCallbackHandler(), uri, ref.getValueType()
-                        );
-                    AssertionWrapper assertion = null;
-                    if (processedToken == null) {
-                        List<WSSecurityEngineResult> samlResult =
-                            proc.handleToken(token, data, wsDocInfo);
-                        assertion = 
-                            (AssertionWrapper)samlResult.get(0).get(
-                                WSSecurityEngineResult.TAG_SAML_ASSERTION
-                            );
-                    } else {
-                        assertion = new AssertionWrapper(processedToken);
-                        assertion.parseHOKSubject(data, wsDocInfo);
-                    }
-                    if (bspCompliant) {
-                        BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
-                    }
-                    SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
-                    X509Certificate[] foundCerts = keyInfo.getCerts();
-                    if (foundCerts != null) {
-                        certs = new X509Certificate[]{foundCerts[0]};
-                    }
-                    secretKey = keyInfo.getSecret();
-                    principal = createPrincipalFromSAML(assertion);
-                } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
-                    if (bspCompliant) {
-                        BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
-                    }
-                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
-                    List<WSSecurityEngineResult> encrResult =
+        } else if (secRef.containsKeyIdentifier()) {
+            uri = secRef.getKeyIdentifierValue();
+        }
+        
+        WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+        if (result != null) {
+            processPreviousResult(result, secRef, data, parameters, bspCompliant);
+        } else if (secRef.containsReference()) {
+            Element token = 
+                secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+            QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+            if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+                certs = getCertificatesTokenReference(secRef, token, crypto, bspCompliant);
+            } else if (el.equals(WSSecurityEngine.SAML_TOKEN) 
+                || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
+                Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
+                //
+                // Just check to see whether the token was processed or not
+                //
+                Element processedToken = 
+                    secRef.findProcessedTokenElement(
+                        strElement.getOwnerDocument(), wsDocInfo, 
+                        data.getCallbackHandler(), uri, secRef.getReference().getValueType()
+                    );
+                AssertionWrapper assertion = null;
+                if (processedToken == null) {
+                    List<WSSecurityEngineResult> samlResult =
                         proc.handleToken(token, data, wsDocInfo);
-                    secretKey = 
-                        (byte[])encrResult.get(0).get(
-                            WSSecurityEngineResult.TAG_SECRET
+                    assertion = 
+                        (AssertionWrapper)samlResult.get(0).get(
+                            WSSecurityEngineResult.TAG_SAML_ASSERTION
                         );
-                    principal = new CustomTokenPrincipal(token.getAttribute("Id"));
                 } else {
-                    String id = secRef.getReference().getURI();
-                    secretKey = getSecretKeyFromToken(id, null, data);
-                    principal = new CustomTokenPrincipal(id);
+                    assertion = new AssertionWrapper(processedToken);
+                    assertion.parseHOKSubject(data, wsDocInfo);
                 }
-            } else {
-                int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
-                if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
-                    if (bspCompliant) {
-                        BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
-                    }
-                    UsernameToken usernameToken = 
-                        (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
-
-                    usernameToken.setRawPassword(data);
-                    if (usernameToken.isDerivedKey()) {
-                        secretKey = usernameToken.getDerivedKey();
-                    } else {
-                        int keyLength = ((Integer)parameters.get(SECRET_KEY_LENGTH)).intValue();
-                        secretKey = usernameToken.getSecretKey(keyLength);
-                    }
-                    principal = usernameToken.createPrincipal();
-                } else if (WSConstants.BST == action) {
-                    if (bspCompliant) {
-                        BinarySecurity token = 
-                            (BinarySecurity)result.get(
-                                WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
-                            );
-                        BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
-                    }
-                    certs = 
-                        (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
-                    Boolean validatedToken = 
-                        (Boolean)result.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
-                    if (validatedToken.booleanValue()) {
-                        trustedCredential = true;
-                    }
-                } else if (WSConstants.ENCR == action) {
-                    if (bspCompliant) {
-                        BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
-                    }
-                    secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-                    String id = (String)result.get(WSSecurityEngineResult.TAG_ID);
-                    principal = new CustomTokenPrincipal(id);
-                } else if (WSConstants.SCT == action) {
-                    secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-                    SecurityContextToken sct = 
-                        (SecurityContextToken)result.get(
-                                WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN
-                        );
-                    principal = new CustomTokenPrincipal(sct.getIdentifier());
-                } else if (WSConstants.DKT == action) {
-                    DerivedKeyToken dkt = 
-                        (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
-                    int keyLength = dkt.getLength();
-                    if (keyLength <= 0) {
-                        String algorithm = (String)parameters.get(SIGNATURE_METHOD);
-                        keyLength = WSSecurityUtil.getKeyLength(algorithm);
-                    }
-                    byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
-                    secretKey = dkt.deriveKey(keyLength, secret); 
-                    principal = dkt.createPrincipal();
-                    ((WSDerivedKeyTokenPrincipal)principal).setSecret(secret);
-                } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED ==
action) {
-                    AssertionWrapper assertion = 
-                        (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-                    if (bspCompliant) {
-                        BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
-                    }
-                    SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
-                    X509Certificate[] foundCerts = keyInfo.getCerts();
-                    if (foundCerts != null) {
-                        certs = new X509Certificate[]{foundCerts[0]};
-                    }
-                    secretKey = keyInfo.getSecret();
-                    publicKey = keyInfo.getPublicKey();
-                    principal = createPrincipalFromSAML(assertion);
+                if (bspCompliant) {
+                    BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
                 }
+                SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
+                X509Certificate[] foundCerts = keyInfo.getCerts();
+                if (foundCerts != null) {
+                    certs = new X509Certificate[]{foundCerts[0]};
+                }
+                secretKey = keyInfo.getSecret();
+                principal = createPrincipalFromSAML(assertion);
+            } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+                if (bspCompliant) {
+                    BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+                }
+                Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
+                List<WSSecurityEngineResult> encrResult =
+                    proc.handleToken(token, data, wsDocInfo);
+                secretKey = 
+                    (byte[])encrResult.get(0).get(
+                                                  WSSecurityEngineResult.TAG_SECRET
+                    );
+                principal = new CustomTokenPrincipal(token.getAttribute("Id"));
+            } else {
+                String id = secRef.getReference().getURI();
+                secretKey = getSecretKeyFromToken(id, null, data);
+                principal = new CustomTokenPrincipal(id);
             }
         } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
             X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto);
@@ -342,8 +273,6 @@ public class SignatureSTRParser implemen
     public boolean isTrustedCredential() {
         return trustedCredential;
     }
-    
-    
     /**
      * Extracts the certificate(s) from the Binary Security token reference.
      *
@@ -454,5 +383,89 @@ public class SignatureSTRParser implemen
         return pwcb.getKey();
     }
     
+    /**
+     * Process a previous security result
+     */
+    private void processPreviousResult(
+        WSSecurityEngineResult result,
+        SecurityTokenReference secRef,
+        RequestData data,
+        Map<String, Object> parameters,
+        boolean bspCompliant
+    ) throws WSSecurityException {
+        int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
+        if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
+            if (bspCompliant) {
+                BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
+            }
+            UsernameToken usernameToken = 
+                (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
+
+            usernameToken.setRawPassword(data);
+            if (usernameToken.isDerivedKey()) {
+                secretKey = usernameToken.getDerivedKey();
+            } else {
+                int keyLength = ((Integer)parameters.get(SECRET_KEY_LENGTH)).intValue();
+                secretKey = usernameToken.getSecretKey(keyLength);
+            }
+            principal = usernameToken.createPrincipal();
+        } else if (WSConstants.BST == action) {
+            if (bspCompliant) {
+                BinarySecurity token = 
+                    (BinarySecurity)result.get(
+                        WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
+                    );
+                BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
+            }
+            certs = 
+                (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+            Boolean validatedToken = 
+                (Boolean)result.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
+            if (validatedToken.booleanValue()) {
+                trustedCredential = true;
+            }
+        } else if (WSConstants.ENCR == action) {
+            if (bspCompliant) {
+                BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+            }
+            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            String id = (String)result.get(WSSecurityEngineResult.TAG_ID);
+            principal = new CustomTokenPrincipal(id);
+        } else if (WSConstants.SCT == action) {
+            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            SecurityContextToken sct = 
+                (SecurityContextToken)result.get(
+                        WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN
+                );
+            principal = new CustomTokenPrincipal(sct.getIdentifier());
+        } else if (WSConstants.DKT == action) {
+            DerivedKeyToken dkt = 
+                (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
+            int keyLength = dkt.getLength();
+            if (keyLength <= 0) {
+                String algorithm = (String)parameters.get(SIGNATURE_METHOD);
+                keyLength = WSSecurityUtil.getKeyLength(algorithm);
+            }
+            byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+            secretKey = dkt.deriveKey(keyLength, secret); 
+            principal = dkt.createPrincipal();
+            ((WSDerivedKeyTokenPrincipal)principal).setSecret(secret);
+        } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action)
{
+            AssertionWrapper assertion = 
+                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            if (bspCompliant) {
+                BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+            }
+            SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
+            X509Certificate[] foundCerts = keyInfo.getCerts();
+            if (foundCerts != null) {
+                certs = new X509Certificate[]{foundCerts[0]};
+            }
+            secretKey = keyInfo.getSecret();
+            publicKey = keyInfo.getPublicKey();
+            principal = createPrincipalFromSAML(assertion);
+        }
+    }
+    
     
 }



Mime
View raw message