From cohei...@apache.org
Subject svn commit: r1159165 - in /webservices/wss4j/trunk/src: main/java/org/apache/ws/security/ main/java/org/apache/ws/security/processor/ main/java/org/apache/ws/security/str/ main/java/org/apache/ws/security/validate/ test/java/org/apache/ws/security/mess...
Date Thu, 18 Aug 2011 11:06:27 GMT
Author: coheigea
Date: Thu Aug 18 11:06:26 2011
New Revision: 1159165

URL: http://svn.apache.org/viewvc?rev=1159165&view=rev
Log:
[WSS-307] - Added provisional support for signature verification using a Kerberos Ticket
 - It relies on a Kerberos Ticket Parser that is not yet committed
 - Changed SignatureSTRParser to use the BSTProcessor to get a token instead.

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngineResult.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngineResult.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngineResult.java?rev=1159165&r1=1159164&r2=1159165&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngineResult.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngineResult.java
Thu Aug 18 11:06:26 2011
@@ -87,9 +87,9 @@ public class WSSecurityEngineResult exte
     public static final java.lang.String TAG_SIGNATURE_CONFIRMATION = "signature-confirmation";
 
     /**
-     * Tag denoting the X.509 certificate found, if applicable.
+     * Tag denoting the BinarySecurityToken found, if applicable.
      *
-     * The value under this tag is of type java.security.cert.X509Certificate.
+     * The value under this tag is of type BinarySecurity.
      */
     public static final String TAG_BINARY_SECURITY_TOKEN = "binary-security-token";
     
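Review bot: The rewritten Javadoc now names the value type as a bare `BinarySecurity` where the old text used a fully qualified `java.security.cert.X509Certificate`, so a reader of this class can no longer tell which BinarySecurity is meant; suggest `The value under this tag is of type {@link org.apache.ws.security.message.token.BinarySecurity}.` so the reference is unambiguous and navigable. The statement is consistent with the new SignatureSTRParser code in this commit, which casts this entry to BinarySecurity.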

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java?rev=1159165&r1=1159164&r2=1159165&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
Thu Aug 18 11:06:26 2011
@@ -52,6 +52,19 @@ public class BinarySecurityTokenProcesso
         RequestData data,
         WSDocInfo wsDocInfo
     ) throws WSSecurityException {
+        // See if the token has been previously processed
+        String id = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
+        if (!"".equals(id)) {
+            Element foundElement = wsDocInfo.getTokenElement(id);
+            if (elem.equals(foundElement)) {
+                WSSecurityEngineResult result = wsDocInfo.getResult(id);
+                return java.util.Collections.singletonList(result);
+            } else if (foundElement != null) {
+                throw new WSSecurityException(
+                    WSSecurityException.INVALID_SECURITY_TOKEN, "duplicateError"
+                );
+            }
+        }
         
         BinarySecurity token = createSecurityToken(elem, data.getWssConfig());
         X509Certificate[] certs = null;
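Review bot: The early-return path assumes `wsDocInfo.getResult(id)` is non-null whenever `getTokenElement(id)` returned this element, but an element is registered with addTokenElement before any result is stored (see the later hunk, where addTokenElement is called on the freshly built result), and whether the caller always stores that result back is not visible here; if it does not, `Collections.singletonList(result)` hands a null entry to callers such as the new SignatureSTRParser branch, which dereferences `bstResult.get(0)` without a check. Either confirm getResult cannot return null for a registered element or guard it, e.g. `if (result == null) { throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN, "duplicateError"); }`, and consider a comment on the throw stating why a different element with the same wsu:Id is rejected (two tokens sharing an Id would let a reference resolve to an unintended token). The identical block is repeated in the UsernameTokenProcessor hunk and, without the empty-Id guard, in the SAMLTokenProcessor hunk; a single helper on WSDocInfo would keep the three in step. handleToken's signature begins outside this hunk.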
@@ -67,7 +80,6 @@ public class BinarySecurityTokenProcesso
         WSSecurityEngineResult result = 
             new WSSecurityEngineResult(WSConstants.BST, token, certs);
         wsDocInfo.addTokenElement(elem);
-        String id = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
         result.put(WSSecurityEngineResult.TAG_ID, id);
         
         if (validator != null) {
@@ -78,6 +90,7 @@ public class BinarySecurityTokenProcesso
             
             Credential returnedCredential = validator.validate(credential, data);
             result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
+            result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey());
             
             if (returnedCredential.getTransformedToken() != null) {
                 result.put(
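Review bot: `result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey())` stores the entry unconditionally, whereas the transformed-token entry immediately below is guarded by a null check, so consumers now see a TAG_SECRET key mapped to null for every validated non-Kerberos token; for consistency wrap it as `if (returnedCredential.getSecretKey() != null) { result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey()); }`. Since the raw key bytes are kept in the result map, which wsDocInfo caches and which is returned to the application, a sentence in the TAG_SECRET Javadoc saying that for validated Kerberos tokens it carries the session key and for how long it stays reachable would help downstream code handle it as key material. The enclosing method continues outside this hunk.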
@@ -101,7 +114,7 @@ public class BinarySecurityTokenProcesso
     /**
      * Extracts the certificate(s) from the Binary Security token reference.
      *
-     * @param token The BinarySecurity instance corrresponding to either X509Security or

+     * @param token The BinarySecurity instance corresponding to either X509Security or 
      *              PKIPathSecurity
      * @return The X509Certificates associated with this reference
      * @throws WSSecurityException

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java?rev=1159165&r1=1159164&r2=1159165&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
Thu Aug 18 11:06:26 2011
@@ -57,6 +57,18 @@ public class SAMLTokenProcessor implemen
             log.debug(DOM2Writer.nodeToString(elem));
         }
         
+        // See if the token has been previously processed
+        String id = assertion.getId();
+        Element foundElement = wsDocInfo.getTokenElement(id);
+        if (elem.equals(foundElement)) {
+            WSSecurityEngineResult result = wsDocInfo.getResult(id);
+            return java.util.Collections.singletonList(result);
+        } else if (foundElement != null) {
+            throw new WSSecurityException(
+                WSSecurityException.INVALID_SECURITY_TOKEN, "duplicateError"
+            );
+        }
+
         wsDocInfo.addTokenElement(elem);
         WSSecurityEngineResult result = null;
         if (assertion.isSigned()) {
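Review bot: `wsDocInfo.getTokenElement(assertion.getId())` is called without the empty-Id guard that the equivalent blocks added to BinarySecurityTokenProcessor and UsernameTokenProcessor in this commit use (`if (!"".equals(id))`); if getId() can return null or an empty string for an assertion without an ID, the behaviour of getTokenElement on that input is not visible here and the duplicate check could either throw or match the wrong element. Suggest wrapping the block in `if (id != null && !"".equals(id)) {` so the three processors agree. handleToken starts outside the hunk and `assertion` is defined there.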

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java?rev=1159165&r1=1159164&r2=1159165&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
Thu Aug 18 11:06:26 2011
@@ -47,6 +47,19 @@ public class UsernameTokenProcessor impl
         if (log.isDebugEnabled()) {
             log.debug("Found UsernameToken list element");
         }
+        // See if the token has been previously processed
+        String id = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
+        if (!"".equals(id)) {
+            Element foundElement = wsDocInfo.getTokenElement(id);
+            if (elem.equals(foundElement)) {
+                WSSecurityEngineResult result = wsDocInfo.getResult(id);
+                return java.util.Collections.singletonList(result);
+            } else if (foundElement != null) {
+                throw new WSSecurityException(
+                    WSSecurityException.INVALID_SECURITY_TOKEN, "duplicateError"
+                );
+            }
+        }
         
         Validator validator = data.getValidator(WSSecurityEngine.USERNAME_TOKEN);
         Credential credential = handleUsernameToken(elem, validator, data);

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1159165&r1=1159164&r2=1159165&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Thu Aug 18 11:06:26 2011
@@ -32,11 +32,9 @@ import org.apache.ws.security.components
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.DerivedKeyToken;
-import org.apache.ws.security.message.token.PKIPathSecurity;
 import org.apache.ws.security.message.token.SecurityContextToken;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.message.token.X509Security;
 import org.apache.ws.security.processor.Processor;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.SAMLUtil;
@@ -125,7 +123,17 @@ public class SignatureSTRParser implemen
                 secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
             QName el = new QName(token.getNamespaceURI(), token.getLocalName());
             if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
-                certs = getCertificatesTokenReference(secRef, token, crypto, bspCompliant);
+                Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
+                List<WSSecurityEngineResult> bstResult =
+                    proc.handleToken(token, data, wsDocInfo);
+                BinarySecurity bstToken = 
+                    (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                if (bspCompliant) {
+                    BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
+                }
+                certs = (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+                secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+                principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
             } else if (el.equals(WSSecurityEngine.SAML_TOKEN) 
                 || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
                 Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
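Review bot: The new BINARY_TOKEN branch calls `bstResult.get(0)` three times and casts each entry without checking that the list is non-empty or that its first element is non-null, so a BinarySecurityTokenProcessor result that comes back from its new cached-result path as a null entry ends in a NullPointerException instead of a WSSecurityException. The removed getCertificatesTokenReference also threw `noSigCryptoFile` when the signature Crypto was null; unless BinarySecurityTokenProcessor performs that check itself (not visible in this diff), a missing signature Crypto now fails later and with a less specific error. Hoisting the first result into a local and validating it once keeps the casts readable and makes the failure explicit; the BSP compliance check stays as it is. The enclosing method starts and ends outside the hunk.
```java
                List<WSSecurityEngineResult> bstResult =
                    proc.handleToken(token, data, wsDocInfo);
                if (bstResult == null || bstResult.isEmpty() || bstResult.get(0) == null) {
                    // The referenced BST could not be processed into a result
                    throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN);
                }
                WSSecurityEngineResult bstRes = bstResult.get(0);
                BinarySecurity bstToken =
                    (BinarySecurity)bstRes.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                // … unchanged: BSP compliance check …
                certs = (X509Certificate[])bstRes.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
                secretKey = (byte[])bstRes.get(WSSecurityEngineResult.TAG_SECRET);
                principal = (Principal)bstRes.get(WSSecurityEngineResult.TAG_PRINCIPAL);
```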
@@ -167,9 +175,7 @@ public class SignatureSTRParser implemen
                 List<WSSecurityEngineResult> encrResult =
                     proc.handleToken(token, data, wsDocInfo);
                 secretKey = 
-                    (byte[])encrResult.get(0).get(
-                                                  WSSecurityEngineResult.TAG_SECRET
-                    );
+                    (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
                 principal = new CustomTokenPrincipal(token.getAttribute("Id"));
             } else {
                 String id = secRef.getReference().getURI();
@@ -274,64 +280,6 @@ public class SignatureSTRParser implemen
     public boolean isTrustedCredential() {
         return trustedCredential;
     }
-    /**
-     * Extracts the certificate(s) from the Binary Security token reference.
-     *
-     * @param elem The element containing the binary security token. This is
-     *             either X509 certificate(s) or a PKIPath.
-     * @return an array of X509 certificates
-     * @throws WSSecurityException
-     */
-    private static X509Certificate[] getCertificatesTokenReference(
-        SecurityTokenReference secRef,
-        Element elem, 
-        Crypto crypto,
-        boolean bspCompliant)
-        throws WSSecurityException {
-        if (crypto == null) {
-            throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
-        }
-        BinarySecurity token = createSecurityToken(elem, bspCompliant);
-        if (bspCompliant) {
-            BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
-        }
-        if (token instanceof PKIPathSecurity) {
-            return ((PKIPathSecurity) token).getX509Certificates(crypto);
-        } else {
-            X509Certificate cert = ((X509Security) token).getX509Certificate(crypto);
-            return new X509Certificate[]{cert};
-        }
-    }
-    
-    /**
-     * Checks the <code>element</code> and creates appropriate binary security
object.
-     *
-     * @param element The XML element that contains either a <code>BinarySecurityToken
-     *                </code> or a <code>PKIPath</code> element. Other
element types a not
-     *                supported
-     * @param bspCompliant Whether BSP compliance is enforced or not
-     * @return the BinarySecurity object, either a <code>X509Security</code>
or a
-     *         <code>PKIPathSecurity</code> object.
-     * @throws WSSecurityException
-     */
-    private static BinarySecurity createSecurityToken(
-        Element element, 
-        boolean bspCompliant
-    ) throws WSSecurityException {
-        String type = element.getAttribute("ValueType");
-        if (X509Security.X509_V3_TYPE.equals(type)) {
-            X509Security x509 = new X509Security(element, bspCompliant);
-            return (BinarySecurity) x509;
-        } else if (PKIPathSecurity.getType().equals(type)) {
-            PKIPathSecurity pkiPath = new PKIPathSecurity(element, bspCompliant);
-            return (BinarySecurity) pkiPath;
-        }
-        throw new WSSecurityException(
-            WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
-            "unsupportedBinaryTokenType", 
-            new Object[]{type}
-        );
-    }
     
     /**
      * A method to create a Principal from a SAML Assertion
@@ -422,6 +370,7 @@ public class SignatureSTRParser implemen
             }
             certs = 
                 (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+            secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
             Boolean validatedToken = 
                 (Boolean)result.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
             if (validatedToken.booleanValue()) {

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java?rev=1159165&r1=1159164&r2=1159165&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
Thu Aug 18 11:06:26 2011
@@ -43,6 +43,24 @@ public class Credential {
     private AssertionWrapper assertion;
     private AssertionWrapper transformedToken;
     private Principal principal;
+    private byte[] secretKey;
+    
+    /**
+     * Set a SecretKey (byte[]) to be validated
+     * @param secretKey a SecretKey (byte) to be validated
+     */
+    public void setSecretKey(byte[] secretKey) {
+        this.secretKey = secretKey;
+    }
+    
+    /**
+     * Get a SecretKey (byte[]) to be validated
+     * @return a SecretKey (byte[]) to be validated
+     */
+    public byte[] getSecretKey() {
+        return secretKey;
+    }
+    
     
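Review bot: The setter's `@param` reads `a SecretKey (byte) to be validated` while the field, getter and the other Javadoc line say `byte[]`, and "to be validated" does not match how the commit uses the field: KerberosTokenValidator (in its still commented-out code) sets the session key on the Credential after validation succeeds, and BinarySecurityTokenProcessor reads it from the returned Credential. Suggest `@param secretKey the raw secret key bytes (for example a Kerberos session key) associated with the validated token` on the setter and the matching wording on the getter's `@return`. Both accessors share the array reference with the caller rather than copying it, so a consumer of TAG_SECRET can alter or zero the key held here; if that is intended, say so in the Javadoc, otherwise return a copy.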
     /**
      * Set a PublicKey to be validated

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java?rev=1159165&r1=1159164&r2=1159165&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
Thu Aug 18 11:06:26 2011
@@ -32,6 +32,7 @@ import org.apache.ws.security.handler.Re
 import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.KerberosSecurity;
 import org.apache.ws.security.message.token.KerberosServiceAction;
+//import org.apache.ws.security.message.token.KerberosTicketDecoder;
 
 /**
  */
@@ -172,6 +173,12 @@ public class KerberosTokenValidator impl
         }
         credential.setPrincipal(principal);
         
+        // Get the session key and store it in the returned Credential
+        //KerberosTicketDecoder decode = new KerberosTicketDecoder(token, subject);
+        //sun.security.krb5.EncryptionKey sessionKey = decode.getSessionKey();
+        //byte[] sessionKeyBytes = sessionKey.getBytes();
+        //credential.setSecretKey(sessionKeyBytes);
+        
         if (log.isDebugEnabled()) {
             log.debug("Successfully validated a ticket");
         }
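Review bot: The commented-out block depends on `sun.security.krb5.EncryptionKey`, an internal JDK class that is not part of the public platform API and may be absent or different on other JDK vendors, so when the KerberosTicketDecoder is committed the validator itself should not reference it directly; keep any such dependency inside the decoder, or obtain the session key through a public javax.security.auth.kerberos route if one is available. Until then, the dead statements here and the commented import in this file's first hunk are better replaced by a single tracked marker such as `// TODO WSS-307: set the session key on the credential once the Kerberos ticket decoder is committed`, so the gap is visible to anyone relying on TAG_SECRET for Kerberos tokens. The enclosing validate method starts outside the hunk.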

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java?rev=1159165&r1=1159164&r2=1159165&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
(original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
Thu Aug 18 11:06:26 2011
@@ -28,7 +28,6 @@ import org.apache.ws.security.common.SOA
 import org.apache.ws.security.message.WSSecEncrypt;
 import org.apache.ws.security.message.WSSecHeader;
 import org.apache.ws.security.message.WSSecSignature;
-import org.apache.ws.security.util.Base64;
 import org.apache.ws.security.util.WSSecurityUtil;
 import org.apache.ws.security.validate.KerberosTokenValidator;
 import org.w3c.dom.Document;
@@ -145,16 +144,16 @@ public class KerberosTest extends org.ju
         
         KerberosSecurity bst = new KerberosSecurity(doc);
         bst.retrieveServiceTicket("alice", null, "bob@service.ws.apache.org");
+        bst.setID("Id-" + bst.hashCode());
         WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
         
         WSSecSignature sign = new WSSecSignature();
         sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
-        sign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-        sign.setCustomTokenValueType(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+        sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+        sign.setCustomTokenId(bst.getID());
+        sign.setCustomTokenValueType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
         
         SecretKey secretKey = bst.getSecretKey();
-        byte[] digestBytes = WSSecurityUtil.generateDigest(secretKey.getEncoded());
-        sign.setCustomTokenId(Base64.encode(digestBytes));
         sign.setSecretKey(secretKey.getEncoded());
         
         Document signedDoc = sign.build(doc, null, secHeader);
@@ -165,7 +164,6 @@ public class KerberosTest extends org.ju
             LOG.debug(outputString);
         }
         
-        /*
         // Configure the Validator
         WSSConfig wssConfig = WSSConfig.getNewInstance();
         KerberosTokenValidator validator = new KerberosTokenValidator();
@@ -186,7 +184,6 @@ public class KerberosTest extends org.ju
         Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
         assertTrue(principal instanceof KerberosPrincipal);
         assertTrue(principal.getName().contains("alice"));
-        */
     }
     
     /**


