ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1464926 - in /webservices/wss4j/trunk: cxf-integration/ parent/ ws-security-dom/ ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/ ws-security-stax/ ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/ ws-security-st...
Date Fri, 05 Apr 2013 11:18:30 GMT
Author: coheigea
Date: Fri Apr  5 11:18:29 2013
New Revision: 1464926

URL: http://svn.apache.org/r1464926
Log:
[WSS-348] - Switched StaX layer to use common ReplayCache functionaltiy

Modified:
    webservices/wss4j/trunk/cxf-integration/pom.xml
    webservices/wss4j/trunk/parent/pom.xml
    webservices/wss4j/trunk/ws-security-dom/pom.xml
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java
    webservices/wss4j/trunk/ws-security-stax/pom.xml
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java

Modified: webservices/wss4j/trunk/cxf-integration/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/cxf-integration/pom.xml?rev=1464926&r1=1464925&r2=1464926&view=diff
==============================================================================
--- webservices/wss4j/trunk/cxf-integration/pom.xml (original)
+++ webservices/wss4j/trunk/cxf-integration/pom.xml Fri Apr  5 11:18:29 2013
@@ -51,6 +51,12 @@
             <version>${cxf.version}</version>
             <scope>compile</scope>
         </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.6</version>
+            <scope>compile</scope>
+        </dependency>
 
         <dependency>
             <groupId>org.apache.santuario</groupId>

Modified: webservices/wss4j/trunk/parent/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/parent/pom.xml?rev=1464926&r1=1464925&r2=1464926&view=diff
==============================================================================
--- webservices/wss4j/trunk/parent/pom.xml (original)
+++ webservices/wss4j/trunk/parent/pom.xml Fri Apr  5 11:18:29 2013
@@ -45,7 +45,6 @@
         <xerces.version>2.9.1</xerces.version>
         <xmlsec.version>2.0.0-SNAPSHOT</xmlsec.version>
         <opensaml.version>2.5.3</opensaml.version>
-        <jcs.version>1.3</jcs.version>
         <testng.version>6.5.2</testng.version>
         <junit.version>4.8.2</junit.version>
         <xml.apis.version>1.3.04</xml.apis.version>
@@ -76,11 +75,6 @@
                 <version>${woodstox.core.asl.version}</version>
             </dependency>
             <dependency>
-                <groupId>jcs</groupId>
-                <artifactId>jcs</artifactId>
-                <version>${jcs.version}</version>
-            </dependency>
-            <dependency>
                 <groupId>org.opensaml</groupId>
                 <artifactId>opensaml</artifactId>
                 <version>${opensaml.version}</version>

Modified: webservices/wss4j/trunk/ws-security-dom/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/pom.xml?rev=1464926&r1=1464925&r2=1464926&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/pom.xml (original)
+++ webservices/wss4j/trunk/ws-security-dom/pom.xml Fri Apr  5 11:18:29 2013
@@ -209,7 +209,7 @@
                 </exclusion>
             </exclusions>
         </dependency>
-         <dependency>
+        <dependency>
             <groupId>net.sf.ehcache</groupId>
             <artifactId>ehcache-core</artifactId>
             <scope>runtime</scope>

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java?rev=1464926&r1=1464925&r2=1464926&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java
Fri Apr  5 11:18:29 2013
@@ -18,7 +18,6 @@
  */
 package org.apache.wss4j.policy.stax;
 
-import org.apache.commons.lang.StringUtils;
 import org.apache.wss4j.policy.model.XPath;
 
 import javax.xml.namespace.QName;
@@ -32,7 +31,7 @@ public class PolicyUtils {
         String[] xPathElements = xPath.getXPath().split("/");
         for (int j = 0; j < xPathElements.length; j++) {
             String xPathElement = xPathElements[j];
-            if (StringUtils.isEmpty(xPathElement)) {
+            if (xPathElement == null || "".equals(xPathElement)) {
                 continue;
             }
             String[] elementParts = xPathElement.split(":");

Modified: webservices/wss4j/trunk/ws-security-stax/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/pom.xml?rev=1464926&r1=1464925&r2=1464926&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/pom.xml (original)
+++ webservices/wss4j/trunk/ws-security-stax/pom.xml Fri Apr  5 11:18:29 2013
@@ -64,73 +64,6 @@
             <scope>compile</scope>
         </dependency>
         <dependency>
-            <groupId>jcs</groupId>
-            <artifactId>jcs</artifactId>
-            <scope>compile</scope>
-            <exclusions>
-                <exclusion>
-                    <groupId>javax.sql</groupId>
-                    <artifactId>jdbc-stdext</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>commons-dbcp</groupId>
-                    <artifactId>commons-dbcp</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>commons-logging</groupId>
-                    <artifactId>commons-logging-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>commons-pool</groupId>
-                    <artifactId>commons-pool</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>mysql</groupId>
-                    <artifactId>mysql-connector-java</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>hsqldb</groupId>
-                    <artifactId>hsqldb</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>log4j</groupId>
-                    <artifactId>log4j</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>servletapi</groupId>
-                    <artifactId>servletapi</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>tomcat</groupId>
-                    <artifactId>tomcat-util</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>velocity</groupId>
-                    <artifactId>velocity</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>junit</groupId>
-                    <artifactId>junit</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>xmlrpc</groupId>
-                    <artifactId>xmlrpc</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>xerces</groupId>
-                    <artifactId>xerces</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>xml-apis</groupId>
-                    <artifactId>xml-apis</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>berkeleydb</groupId>
-                    <artifactId>berkeleydb</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
             <groupId>org.apache.santuario</groupId>
             <artifactId>xmlsec</artifactId>
             <scope>compile</scope>
@@ -207,6 +140,11 @@
             </exclusions>
         </dependency>
         <dependency>
+            <groupId>net.sf.ehcache</groupId>
+            <artifactId>ehcache-core</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
             <groupId>org.apache.wss4j</groupId>
             <artifactId>wss4j-ws-security-dom</artifactId>
             <version>${project.version}</version>

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java?rev=1464926&r1=1464925&r2=1464926&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
Fri Apr  5 11:18:29 2013
@@ -35,11 +35,15 @@ import javax.security.auth.callback.Call
 import javax.xml.namespace.QName;
 
 import org.apache.wss4j.common.bsp.BSPRule;
+import org.apache.wss4j.common.cache.ReplayCache;
+import org.apache.wss4j.common.cache.ReplayCacheFactory;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.Merlin;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.wss4j.stax.validate.Validator;
 import org.apache.xml.security.stax.ext.XMLSecurityProperties;
+import org.apache.xml.security.utils.Base64;
 
 /**
  * Main configuration class to supply keys etc.
@@ -86,6 +90,8 @@ public class WSSSecurityProperties exten
     private boolean useReqSigCertForEncryption = false;
     private String encryptionCompressionAlgorithm;
     private boolean enableRevocation = false;
+    private ReplayCache timestampReplayCache;
+    private ReplayCache nonceReplayCache;
 
     public WSSSecurityProperties() {
         super();
@@ -122,6 +128,8 @@ public class WSSSecurityProperties exten
         this.useReqSigCertForEncryption = wssSecurityProperties.useReqSigCertForEncryption;
         this.encryptionCompressionAlgorithm = wssSecurityProperties.encryptionCompressionAlgorithm;
         this.enableRevocation = wssSecurityProperties.enableRevocation;
+        this.timestampReplayCache = wssSecurityProperties.timestampReplayCache;
+        this.nonceReplayCache = wssSecurityProperties.nonceReplayCache;
     }
 
     /**
@@ -627,4 +635,51 @@ public class WSSSecurityProperties exten
     public void setUtFutureTTL(Integer utFutureTTL) {
         this.utFutureTTL = utFutureTTL;
     }
+    
+    /**
+     * Set the replay cache for Timestamps
+     */
+    public void setTimestampReplayCache(ReplayCache newCache) {
+        timestampReplayCache = newCache;
+    }
+
+    /**
+     * Get the replay cache for Timestamps
+     * @throws WSSecurityException 
+     */
+    public ReplayCache getTimestampReplayCache() throws WSSecurityException {
+        if (timestampReplayCache == null) {
+            timestampReplayCache = createCache("wss4j-timestamp-cache-");
+        }
+        
+        return timestampReplayCache;
+    }
+    
+    private synchronized ReplayCache createCache(String key) throws WSSecurityException {
+        ReplayCacheFactory replayCacheFactory = ReplayCacheFactory.newInstance();
+        byte[] nonceValue = new byte[10];
+        WSSConstants.secureRandom.nextBytes(nonceValue);
+        String cacheKey = key + Base64.encode(nonceValue);
+        return replayCacheFactory.newReplayCache(cacheKey, null);
+    }
+    
+    /**
+     * Set the replay cache for Nonces
+     */
+    public void setNonceReplayCache(ReplayCache newCache) {
+        nonceReplayCache = newCache;
+    }
+
+    /**
+     * Get the replay cache for Nonces
+     * @throws WSSecurityException 
+     */
+    public ReplayCache getNonceReplayCache() throws WSSecurityException {
+        if (nonceReplayCache == null) {
+            nonceReplayCache = createCache("wss4j-nonce-cache-");
+        }
+        
+        return nonceReplayCache;
+    }
+    
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java?rev=1464926&r1=1464925&r2=1464926&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java
Fri Apr  5 11:18:29 2013
@@ -18,14 +18,12 @@
  */
 package org.apache.wss4j.stax.impl.processor.input;
 
-import org.apache.jcs.JCS;
-import org.apache.jcs.access.exception.CacheException;
-import org.apache.jcs.engine.ElementAttributes;
 import org.apache.wss4j.binding.wss10.EncodedString;
 import org.apache.wss4j.binding.wss10.PasswordString;
 import org.apache.wss4j.binding.wss10.UsernameTokenType;
 import org.apache.wss4j.binding.wsu10.AttributedDateTime;
 import org.apache.wss4j.common.bsp.BSPRule;
+import org.apache.wss4j.common.cache.ReplayCache;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.DateUtil;
 import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
@@ -58,17 +56,6 @@ import java.util.List;
  */
 public class UsernameTokenInputHandler extends AbstractInputSecurityHeaderHandler {
 
-    private static final String cacheRegionName = "usernameToken";
-    private static final JCS cache;
-
-    static {
-        try {
-            cache = JCS.getInstance(cacheRegionName);
-        } catch (CacheException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
     @Override
     public void handle(final InputProcessorChain inputProcessorChain, final XMLSecurityProperties
securityProperties,
                        Deque<XMLSecEvent> eventQueue, Integer index) throws XMLSecurityException
{
@@ -84,35 +71,35 @@ public class UsernameTokenInputHandler e
         if (usernameTokenType.getId() == null) {
             usernameTokenType.setId(IDGenerator.generateID(null));
         }
+        
+        // Verify Created
+        final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) securityProperties;
+        Date createdDate = verifyCreated(wssSecurityProperties, usernameTokenType);
 
+        ReplayCache replayCache = wssSecurityProperties.getNonceReplayCache();
         final EncodedString encodedNonce =
                 XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse_Nonce);
-        if (encodedNonce != null) {
+        if (encodedNonce != null && replayCache != null) {
+            // Check for replay attacks
             String nonce = encodedNonce.getValue();
-            /*
-                It is RECOMMENDED that used nonces be cached for a period at least as long
as
-                the timestamp freshness limitation period, above, and that UsernameToken
with
-                nonces that have already been used (and are thus in the cache) be rejected
-            */
-            if (cache.get(nonce) != null) {
+            if (replayCache.contains(nonce)) {
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
             }
-            ElementAttributes elementAttributes = new ElementAttributes();
-            elementAttributes.setMaxLifeSeconds(300);
-            try {
-                cache.put(nonce, nonce, elementAttributes);
-            } catch (CacheException e) {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
e);
+            
+            // If no Created, then just cache for the default time
+            // Otherwise, cache for the configured TTL of the UsernameToken Created time,
as any
+            // older token will just get rejected anyway
+            int utTTL = wssSecurityProperties.getUtTTL();
+            if (createdDate == null || utTTL <= 0) {
+                replayCache.add(nonce);
+            } else {
+                replayCache.add(nonce, utTTL + 1L);
             }
         }
 
         final WSInboundSecurityContext wsInboundSecurityContext = (WSInboundSecurityContext)
inputProcessorChain.getSecurityContext();
-        final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) securityProperties;
         final List<QName> elementPath = getElementPath(eventQueue);
         
-        // Verify Created
-        verifyCreated(wssSecurityProperties, usernameTokenType);
-        
         final TokenContext tokenContext = new TokenContext(wssSecurityProperties, wsInboundSecurityContext,
xmlSecEvents, elementPath);
 
         UsernameTokenValidator usernameTokenValidator =
@@ -206,7 +193,7 @@ public class UsernameTokenInputHandler e
 
     }
     
-    private void verifyCreated(
+    private Date verifyCreated(
         WSSSecurityProperties wssSecurityProperties,
         UsernameTokenType usernameTokenType
     ) throws WSSecurityException {
@@ -231,6 +218,8 @@ public class UsernameTokenInputHandler e
             if (!DateUtil.verifyCreated(createdDate, ttl, futureTTL)) {
                 throw new WSSecurityException(WSSecurityException.ErrorCode.MESSAGE_EXPIRED);
             }
+            return createdDate;
         }
+        return null;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java?rev=1464926&r1=1464925&r2=1464926&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
Fri Apr  5 11:18:29 2013
@@ -18,11 +18,9 @@
  */
 package org.apache.wss4j.stax.impl.processor.input;
 
-import org.apache.jcs.JCS;
-import org.apache.jcs.access.exception.CacheException;
-import org.apache.jcs.engine.ElementAttributes;
 import org.apache.wss4j.binding.wss10.TransformationParametersType;
 import org.apache.wss4j.common.bsp.BSPRule;
+import org.apache.wss4j.common.cache.ReplayCache;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.stax.securityToken.SecurityTokenReference;
 import org.apache.xml.security.binding.excc14n.InclusiveNamespaces;
@@ -48,22 +46,13 @@ import javax.xml.namespace.QName;
 import javax.xml.stream.XMLStreamException;
 import java.io.OutputStream;
 import java.util.Arrays;
+import java.util.Calendar;
+import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 
 public class WSSSignatureReferenceVerifyInputProcessor extends AbstractSignatureReferenceVerifyInputProcessor
{
 
-    private static final String cacheRegionName = "timestamp";
-    private static final JCS cache;
-
-    static {
-        try {
-            cache = JCS.getInstance(cacheRegionName);
-        } catch (CacheException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
     private boolean replayChecked = false;
 
     public WSSSignatureReferenceVerifyInputProcessor(InputProcessorChain inputProcessorChain,
@@ -179,24 +168,25 @@ public class WSSSignatureReferenceVerify
     private void detectReplayAttack(InputProcessorChain inputProcessorChain) throws WSSecurityException
{
         TimestampSecurityEvent timestampSecurityEvent =
                 inputProcessorChain.getSecurityContext().get(WSSConstants.PROP_TIMESTAMP_SECURITYEVENT);
-        if (timestampSecurityEvent != null) {
+        ReplayCache replayCache = 
+            ((WSSSecurityProperties)getSecurityProperties()).getTimestampReplayCache();
+        if (timestampSecurityEvent != null && replayCache != null) {
             final String cacheKey = String.valueOf(
                     timestampSecurityEvent.getCreated().getTimeInMillis()) +
                     "" + Arrays.hashCode(getSignatureType().getSignatureValue().getValue());
-            if (cache.get(cacheKey) != null) {
+            if (replayCache.contains(cacheKey)) {
                 throw new WSSecurityException(WSSecurityException.ErrorCode.MESSAGE_EXPIRED);
             }
-            ElementAttributes elementAttributes = new ElementAttributes();
-            if (timestampSecurityEvent.getExpires() != null) {
-                long lifeTime = timestampSecurityEvent.getExpires().getTimeInMillis() - System.currentTimeMillis();
-                elementAttributes.setMaxLifeSeconds(lifeTime / 1000);
+            
+            // Store the Timestamp/SignatureValue combination in the cache
+            Calendar expiresCal = timestampSecurityEvent.getExpires();
+            if (expiresCal != null) {
+                Date rightNow = new Date();
+                long currentTime = rightNow.getTime();
+                long expiresTime = expiresCal.getTimeInMillis();
+                replayCache.add(cacheKey, ((expiresTime - currentTime) / 1000L));
             } else {
-                elementAttributes.setMaxLifeSeconds(300);
-            }
-            try {
-                cache.put(cacheKey, timestampSecurityEvent.getCreated(), elementAttributes);
-            } catch (CacheException e) {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
e);
+                replayCache.add(cacheKey);
             }
         }
     }



Mime
View raw message