From cohei...@apache.org
Subject svn commit: r1532813 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/ext/ ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ ws-security-stax/src/main/java/org/apache/wss4j/stax/i...
Date Wed, 16 Oct 2013 16:40:39 GMT
Author: coheigea
Date: Wed Oct 16 16:40:39 2013
New Revision: 1532813

URL: http://svn.apache.org/r1532813
Log:
Security Token Refactor

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SecurityTokenReferenceImpl.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java?rev=1532813&r1=1532812&r2=1532813&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java
Wed Oct 16 16:40:39 2013
@@ -19,6 +19,8 @@
 
 package org.apache.wss4j.common.ext;
 
+import java.security.Key;
+
 import org.w3c.dom.Element;
 
 import javax.security.auth.callback.Callback;
@@ -72,7 +74,8 @@ public class WSPasswordCallback implemen
 
     private String identifier;
     private String password;
-    private byte[] key;
+    private byte[] secret;
+    private Key key;
     private Usage usage;
     private String type;
     private Element customToken;
@@ -144,7 +147,11 @@ public class WSPasswordCallback implemen
      *
      * @param key is the key associated to the identifier
      */
-    public void setKey(byte[] key) {
+    public void setKey(byte[] secret) {
+        this.secret = secret;
+    }
+    
+    public void setKey(Key key) {
         this.key = key;
     }
 
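Review bot: Adding `setKey(Key key)` beside `setKey(byte[] secret)` makes a call with a bare `null` argument ambiguous — neither `byte[]` nor `Key` is more specific than the other, so any existing caller written as `setKey(null)` stops compiling and must be rewritten as `setKey((byte[]) null)`. If clearing the key is a supported use, a distinct name for the new overload (for example `setKeyObject(Key)`, mirroring the `getKeyObject()` accessor this commit adds) keeps the old signature unambiguous. The Javadoc on the `byte[]` setter still reads `@param key is the key associated to the identifier` although the parameter is now `secret`; change it to `@param secret the raw secret key bytes associated with the identifier`, and give the new overload its own Javadoc noting that it is stored in a separate field from the `byte[]` secret (the two setters write `this.secret` and `this.key` respectively), so setting one does not clear the other.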
@@ -155,7 +162,11 @@ public class WSPasswordCallback implemen
      * @return The key
      */
     public byte[] getKey() {
-        return this.key;
+        return this.secret;
+    }
+    
+    public Key getKeyObject() {
+        return key;
     }
 
     /**
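Review bot: `getKeyObject()` is a new public accessor with no Javadoc, and its relationship to `getKey()` is now non-obvious: the two read different fields (`secret` versus `key`), so a consumer that checks only `getKey()` for null will miss a handler that supplied a `java.security.Key`, and vice versa. Document the contract above the new method, along the lines of `Return the java.security.Key supplied via setKey(Key), or null if the handler supplied raw bytes (see getKey()) or no key at all.` A one-line pointer from the `getKey()` Javadoc to `getKeyObject()` would stop callers from assuming a single accessor covers both cases.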

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java?rev=1532813&r1=1532812&r2=1532813&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
Wed Oct 16 16:40:39 2013
@@ -27,6 +27,7 @@ import org.apache.wss4j.stax.securityTok
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
+import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityToken;
 
 import java.util.Iterator;
@@ -154,7 +155,8 @@ public abstract class TokenAssertionStat
         //WSP1.3, 5.1 Token Inclusion
         //todo do we need a global token cache to fullfill ".../IncludeToken/Once" ?
         SPConstants.IncludeTokenType includeTokenType = abstractToken.getIncludeTokenType();
-        boolean isIncludedInMessage = tokenSecurityEvent.getSecurityToken().isIncludedInMessage();
+        boolean isIncludedInMessage = 
+            ((InboundSecurityToken)tokenSecurityEvent.getSecurityToken()).isIncludedInMessage();
         switch (includeTokenType) {
             case INCLUDE_TOKEN_NEVER:
                 if (isIncludedInMessage) {
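Review bot: The new cast `((InboundSecurityToken)tokenSecurityEvent.getSecurityToken())` is unchecked, and this same commit starts firing a `TokenSecurityEvent` whose token is an `OutboundSecurityToken` (and may be null) from `SAMLTokenOutputProcessor`; if this assertion state is ever registered as a listener on that side, the line throws `ClassCastException` or `NullPointerException` instead of reporting a policy result. Capture the token once and guard it before the switch, e.g. `SecurityToken token = tokenSecurityEvent.getSecurityToken();` followed by `if (!(token instanceof InboundSecurityToken)) { setAsserted(false); return false; }` (using whatever failure convention this class uses; the sibling `TokenProtectionAssertionState` pairs `setAsserted(false)` with `setErrorMessage(...)`), then read `isIncludedInMessage` from the checked reference. The enclosing method starts before this hunk and continues past it.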

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java?rev=1532813&r1=1532812&r2=1532813&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
Wed Oct 16 16:40:39 2013
@@ -32,9 +32,11 @@ import org.apache.xml.security.stax.secu
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
+import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityToken;
 
 import javax.xml.namespace.QName;
+
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
@@ -94,16 +96,16 @@ public class TokenProtectionAssertionSta
                 SecurityToken securityToken = getEffectiveSignatureToken(tokenSecurityEvent.getSecurityToken());
 
                 //a token can only be signed if it is included in the message:
-                if (securityToken.isIncludedInMessage() && isSignatureToken(securityToken))
{
+                if (((InboundSecurityToken)securityToken).isIncludedInMessage() &&
isSignatureToken(securityToken)) {
                     //[WSP1.3_8.9]
                     boolean signsItsSignatureToken = signsItsSignatureToken(securityToken);
                     if (protectTokens && !signsItsSignatureToken) {
                         setAsserted(false);
-                        setErrorMessage("Token " + WSSUtils.pathAsString(securityToken.getElementPath())
+ " must be signed by its signature.");
+                        setErrorMessage("Token " + WSSUtils.pathAsString(((InboundSecurityToken)securityToken).getElementPath())
+ " must be signed by its signature.");
                         return false;
                     } else if (!protectTokens && signsItsSignatureToken) {
                         setAsserted(false);
-                        setErrorMessage("Token " + WSSUtils.pathAsString(securityToken.getElementPath())
+ " must not be signed by its signature.");
+                        setErrorMessage("Token " + WSSUtils.pathAsString(((InboundSecurityToken)securityToken).getElementPath())
+ " must not be signed by its signature.");
                         return false;
                     }
                 }
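Review bot: The cast to `InboundSecurityToken` is now repeated on four lines of this method — the `if` condition and every `getElementPath()` call in the error messages — which buries the single assumption being made. Cast once right after `getEffectiveSignatureToken(...)`, `InboundSecurityToken inboundToken = (InboundSecurityToken) securityToken;`, and use `inboundToken` below; that also gives one place to add an `instanceof` check (failing with `setAsserted(false)`/`return false`) should this listener ever receive the `OutboundSecurityToken` events that this commit begins emitting from `SAMLTokenOutputProcessor`. The enclosing method begins before this hunk and continues past it.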
@@ -111,7 +113,7 @@ public class TokenProtectionAssertionSta
                 if (isEndorsingToken(securityToken) && !signsMainSignature(securityToken))
{
                     //[WSP1.3_8.9b]
                     setAsserted(false);
-                    setErrorMessage("Token " + WSSUtils.pathAsString(securityToken.getElementPath())
+ " must sign the main signature.");
+                    setErrorMessage("Token " + WSSUtils.pathAsString(((InboundSecurityToken)securityToken).getElementPath())
+ " must sign the main signature.");
                     return false;
                 }
 
@@ -191,7 +193,7 @@ public class TokenProtectionAssertionSta
     private boolean signsItsSignatureToken(SecurityToken securityToken) throws XMLSecurityException
{
         for (int i = 0; i < signedElementEvents.size(); i++) {
             SignedElementSecurityEvent signedElementSecurityEvent = signedElementEvents.get(i);
-            if (WSSUtils.pathMatches(signedElementSecurityEvent.getElementPath(), securityToken.getElementPath(),
false, false)) {
+            if (WSSUtils.pathMatches(signedElementSecurityEvent.getElementPath(), ((InboundSecurityToken)securityToken).getElementPath(),
false, false)) {
 
                 SecurityToken signingSecurityToken = signedElementSecurityEvent.getSecurityToken();
                 signingSecurityToken = getEffectiveSignatureToken(signingSecurityToken);
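Review bot: In `signsItsSignatureToken` the new cast `((InboundSecurityToken)securityToken).getElementPath()` sits inside the `for` over `signedElementEvents`, so the cast and the path lookup are repeated on every iteration although `securityToken` never changes. Hoist them above the loop — `List<QName> tokenPath = ((InboundSecurityToken) securityToken).getElementPath();` — and pass `tokenPath` to `WSSUtils.pathMatches`; this also confines the method's only unchecked cast to one visible line. The method continues past the end of this hunk.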
@@ -203,7 +205,7 @@ public class TokenProtectionAssertionSta
                         TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent
= tokenSecurityEvents.get(j);
                         SecurityToken st = getEffectiveSignatureToken(tokenSecurityEvent.getSecurityToken());
 
-                        if (signedElementSecurityEvent.getXmlSecEvent() == st.getXMLSecEvent())
{
+                        if (signedElementSecurityEvent.getXmlSecEvent() == ((InboundSecurityToken)st).getXMLSecEvent())
{
                             //...and we got the covered token
                             //next we have to see if the token is the same:
                             if (st.getId().equals(securityToken.getId())) { //NOPMD
@@ -230,7 +232,7 @@ public class TokenProtectionAssertionSta
                     continue;
                 }
                 signedSupportingTokens.add(supportingToken);
-                List<QName> elementPath = supportingToken.getElementPath();
+                List<QName> elementPath = ((InboundSecurityToken)supportingToken).getElementPath();
 
                 boolean found = false;
                 for (int j = 0; j < signedElementEvents.size(); j++) {

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java?rev=1532813&r1=1532812&r2=1532813&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
Wed Oct 16 16:40:39 2013
@@ -438,7 +438,7 @@ public class InboundWSSecurityContextImp
                 if (signedElementSecurityEvent.isSigned()
                         && WSSUtils.pathMatches(
                         signedElementSecurityEvent.getElementPath(),
-                        tokenSecurityEvent.getSecurityToken().getElementPath(), true, false)
+                        ((InboundSecurityToken)tokenSecurityEvent.getSecurityToken()).getElementPath(),
true, false)
                         ) {
                     signingSecurityTokens.add((InboundSecurityToken)signedElementSecurityEvent.getSecurityToken());
                 }
@@ -476,7 +476,8 @@ public class InboundWSSecurityContextImp
                 if (signedElementSecurityEvent.isSigned()
                         && tokenSecurityEvent.getSecurityToken() != null
                         && signedElementSecurityEvent.getXmlSecEvent() != null
-                        && signedElementSecurityEvent.getXmlSecEvent() == tokenSecurityEvent.getSecurityToken().getXMLSecEvent()
+                        && signedElementSecurityEvent.getXmlSecEvent() == 
+                            ((InboundSecurityToken)tokenSecurityEvent.getSecurityToken()).getXMLSecEvent()
                         && !securityTokenList.contains((InboundSecurityToken)signedElementSecurityEvent.getSecurityToken()))
{
                     securityTokenList.add((InboundSecurityToken)signedElementSecurityEvent.getSecurityToken());
                 }
@@ -501,7 +502,8 @@ public class InboundWSSecurityContextImp
                 if (encryptedElementSecurityEvent.isEncrypted()
                         && tokenSecurityEvent.getSecurityToken() != null
                         && encryptedElementSecurityEvent.getXmlSecEvent() != null
-                        && encryptedElementSecurityEvent.getXmlSecEvent() == tokenSecurityEvent.getSecurityToken().getXMLSecEvent()
+                        && encryptedElementSecurityEvent.getXmlSecEvent() == 
+                            ((InboundSecurityToken)tokenSecurityEvent.getSecurityToken()).getXMLSecEvent()
                         && !securityTokenList.contains((InboundSecurityToken)encryptedElementSecurityEvent.getSecurityToken()))
{
                     securityTokenList.add((InboundSecurityToken)encryptedElementSecurityEvent.getSecurityToken());
                 }
@@ -541,7 +543,8 @@ public class InboundWSSecurityContextImp
                 ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent
= (ContentEncryptedElementSecurityEvent) securityEvent;
                 if (contentEncryptedElementSecurityEvent.isEncrypted()
                         && contentEncryptedElementSecurityEvent.getSecurityToken().getId().equals(tokenSecurityEvent.getSecurityToken().getId())
-                        && contentEncryptedElementSecurityEvent.getXmlSecEvent()
== tokenSecurityEvent.getSecurityToken().getXMLSecEvent()
+                        && contentEncryptedElementSecurityEvent.getXmlSecEvent()
==
+                            ((InboundSecurityToken)tokenSecurityEvent.getSecurityToken()).getXMLSecEvent()
                         && WSSUtils.pathMatches(elementPath, contentEncryptedElementSecurityEvent.getElementPath(),
true, false)) {
                     return true;
                 }
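Review bot: The new cast in this condition is reached only after `tokenSecurityEvent.getSecurityToken().getId()` on the preceding line has already dereferenced the token with no null guard, whereas the two sibling loops earlier in this file (the signed-element and encrypted-element checks changed in this same commit) test `tokenSecurityEvent.getSecurityToken() != null` before calling `getXMLSecEvent()`. If that guard is needed there it is needed here as well: add `&& tokenSecurityEvent.getSecurityToken() != null` ahead of the `getId()` comparison, or leave a comment explaining why this path can never see a null token. The enclosing method starts before this hunk.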

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java?rev=1532813&r1=1532812&r2=1532813&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
Wed Oct 16 16:40:39 2013
@@ -43,6 +43,7 @@ import org.apache.wss4j.common.saml.bean
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
 import org.apache.wss4j.stax.ext.WSSUtils;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
@@ -55,6 +56,7 @@ import org.apache.xml.security.stax.ext.
 import org.apache.xml.security.stax.ext.stax.XMLSecNamespace;
 import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
 import org.opensaml.common.SAMLVersion;
@@ -66,6 +68,9 @@ import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
 
 public class SAMLTokenOutputProcessor extends AbstractOutputProcessor {
+    
+    private static final transient org.slf4j.Logger logger = 
+        org.slf4j.LoggerFactory.getLogger(SAMLTokenOutputProcessor.class);
 
     public SAMLTokenOutputProcessor() throws XMLSecurityException {
         super();
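Review bot: `transient` on the new `logger` field is a no-op — the field is `static`, and static fields are never part of Java serialization — so the modifier only hints at a serialization concern this class does not have. Declare it as `private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(SAMLTokenOutputProcessor.class);` (or import `Logger` and `LoggerFactory`, since `org.slf4j` is evidently on the classpath here).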
@@ -221,7 +226,7 @@ public class SAMLTokenOutputProcessor ex
                 finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
                         securityTokenReferenceId, senderVouches, includeSTR);
 
-                SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider
=
+                final SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider
=
                         new SecurityTokenProvider<OutboundSecurityToken>() {
 
                     private GenericOutboundSecurityToken samlSecurityToken;
@@ -278,6 +283,21 @@ public class SAMLTokenOutputProcessor ex
                         return tokenId;
                     }
                 };
+                
+                //fire a tokenSecurityEvent
+                TokenSecurityEvent<OutboundSecurityToken> tokenSecurityEvent = 
+                    new TokenSecurityEvent<OutboundSecurityToken>(WSSecurityEventConstants.SamlToken)
{
+                    
+                    public OutboundSecurityToken getSecurityToken() {
+                        try {
+                            return securityTokenProvider.getSecurityToken();
+                        } catch (XMLSecurityException e) {
+                            logger.debug(e.getMessage(), e);
+                        }
+                        return null;
+                    }
+                };
+                outputProcessorChain.getSecurityContext().registerSecurityEvent(tokenSecurityEvent);
 
                 outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(tokenId,
securityTokenProvider);
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE,
tokenId);
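Review bot: The anonymous `TokenSecurityEvent.getSecurityToken()` converts an `XMLSecurityException` from the provider into a `null` return logged only at debug, so a listener consuming this event (the policy assertion states changed in this same commit cast and dereference the token unchecked) fails with a `NullPointerException` or `ClassCastException` far from the real cause, and at a production log level the original failure never appears. Since the provider is fully built before the event is created, consider resolving the token once — `final OutboundSecurityToken samlToken = securityTokenProvider.getSecurityToken();` — and returning that from the override, letting the `XMLSecurityException` propagate from the enclosing method if its signature (outside this hunk) already declares it; if lazy resolution is genuinely required, log at warn and document on the event that `getSecurityToken()` may return null. Note also that `registerSecurityEvent(tokenSecurityEvent)` runs before `registerSecurityTokenProvider(tokenId, ...)`; if any listener resolves the token by id rather than through the event, it runs before the provider is known, so the two registrations are probably better swapped. The enclosing method starts before this hunk and continues past it.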

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java?rev=1532813&r1=1532812&r2=1532813&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
Wed Oct 16 16:40:39 2013
@@ -21,6 +21,7 @@ package org.apache.wss4j.stax.impl.secur
 import java.io.IOException;
 import java.security.Key;
 import java.security.Principal;
+import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
@@ -61,6 +62,7 @@ public class SamlSecurityTokenImpl exten
     private Principal principal;
     private SAMLKeyInfo subjectKeyInfo;
     private byte[] secret;
+    private Key key;
     
     public SamlSecurityTokenImpl(WSInboundSecurityContext wsInboundSecurityContext, String
id,
                                  WSSecurityTokenConstants.KeyIdentifier keyIdentifier,
@@ -79,13 +81,7 @@ public class SamlSecurityTokenImpl exten
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noPassword",
e);
             }
             Element assertionElem = pwcb.getCustomToken();
-            if (assertionElem == null) {
-                throw new WSSecurityException(
-                    WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "noToken",
id
-                );
-            }
-            
-            if ("Assertion".equals(assertionElem.getLocalName())
+            if (assertionElem != null && "Assertion".equals(assertionElem.getLocalName())
                 && (WSSConstants.NS_SAML.equals(assertionElem.getNamespaceURI())
                 || WSSConstants.NS_SAML2.equals(assertionElem))) {
                 this.samlAssertionWrapper = new SamlAssertionWrapper(assertionElem);
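Review bot: The condition this hunk rewrites still ends with `WSSConstants.NS_SAML2.equals(assertionElem)`, which compares a `String` with an `Element` and is therefore always false; a SAML 2.0 assertion returned via `getCustomToken()` never takes the wrapper branch and drops into the "Possibly an Encrypted Assertion...just get the key" path with `samlAssertionWrapper` left null. The intended check is presumably `WSSConstants.NS_SAML2.equals(assertionElem.getNamespaceURI())`, matching the `NS_SAML` test on the line above it. With the null check on `assertionElem` now removed, a handler that returns nothing at all takes the same fall-through where it used to raise `SECURITY_TOKEN_UNAVAILABLE`/`noToken`, so the key-only branch needs to reject that case explicitly. The enclosing constructor starts before this hunk and continues past it.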
@@ -98,6 +94,10 @@ public class SamlSecurityTokenImpl exten
                 // Possibly an Encrypted Assertion...just get the key
                 this.samlAssertionWrapper = null;
                 secret = pwcb.getKey();
+                key = pwcb.getKeyObject();
+                if (this.key instanceof PrivateKey) {
+                    super.setAsymmetric(true);
+                }
             }
         } else {
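Review bot: The key-only branch now accepts a callback that supplied neither a secret nor a `Key`: both `secret = pwcb.getKey()` and `key = pwcb.getKeyObject()` may be null, and nothing here restores the `noToken` failure that the removed null check on `assertionElem` used to provide, so an empty token is constructed and the error — if one is raised at all — surfaces later from `getKey(...)`, unless the `subjectSecurityToken` path (not visible here) is meant to cover it. Add `if (secret == null && key == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "noToken", id); }` after the two assignments. Separately, `super.setAsymmetric(true)` is set only when the `Key` is a `PrivateKey`; if a `PublicKey` can legitimately arrive here the same flag presumably applies, so confirm and add a comment either way. The enclosing constructor starts before this hunk.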
             throw new WSSecurityException(
@@ -128,7 +128,9 @@ public class SamlSecurityTokenImpl exten
     @Override
     protected Key getKey(String algorithmURI, XMLSecurityConstants.AlgorithmUsage algorithmUsage,
String correlationID) throws XMLSecurityException {
         Key key = null;
-        if (secret != null) {
+        if (this.key != null) {
+            key = this.key;
+        } else if (secret != null) {
             key = KeyUtils.prepareSecretKey(algorithmURI, secret);
         } else if (this.subjectSecurityToken != null) {
             key = subjectSecurityToken.getSecretKey(algorithmURI, algorithmUsage, correlationID);
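Review bot: The new first branch returns the caller-supplied `this.key` without consulting `algorithmURI` or `algorithmUsage`, whereas the `secret` branch goes through `KeyUtils.prepareSecretKey(algorithmURI, secret)` to shape the key for the requested algorithm; a `Key` whose algorithm does not match what the signature or decryption processor asks for is handed back silently. At minimum document this precedence and the caller's responsibility on the method, and consider comparing `this.key.getAlgorithm()` with the JCE name mapped from `algorithmURI` (this module already uses `JCEAlgorithmMapper` elsewhere) before returning it. Also the local `Key key = null;` shadows the field `this.key` the new branch reads — which is what forces the explicit `this.` — so rename the local, e.g. `Key resolved = null;`. The method continues past the end of this hunk.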

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SecurityTokenReferenceImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SecurityTokenReferenceImpl.java?rev=1532813&r1=1532812&r2=1532813&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SecurityTokenReferenceImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SecurityTokenReferenceImpl.java
Wed Oct 16 16:40:39 2013
@@ -89,7 +89,7 @@ public class SecurityTokenReferenceImpl 
 
     @Override
     public InboundSecurityToken getKeyWrappingToken() throws XMLSecurityException {
-        return inboundSecurityToken.getKeyWrappingToken();
+        return (InboundSecurityToken)inboundSecurityToken.getKeyWrappingToken();
     }
 
     @Override


