ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1654847 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/ext/ ws-security-stax/src/main/java/org/apache/wss4j/stax/ ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/ ws-security-stax/src/main/...
Date Mon, 26 Jan 2015 17:14:35 GMT
Author: coheigea
Date: Mon Jan 26 17:14:34 2015
New Revision: 1654847

URL: http://svn.apache.org/r1654847
Log:
[WSS-525] - Provide a means of unifying all error messages

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java
Mon Jan 26 17:14:34 2015
@@ -77,6 +77,12 @@ public class WSSecurityException extends
      */
     public static final QName MESSAGE_EXPIRED = new QName(NS_WSSE10, "MessageExpired");
     
+    /**
+     * Generic Security error
+     */
+    public static final QName SECURITY_ERROR = 
+        new QName("http://ws.apache.org/wss4j", "SecurityError");
+    
     // FAULT error messages
     public static final String UNSUPPORTED_TOKEN_ERR = "An unsupported token was provided";
     public static final String UNSUPPORTED_ALGORITHM_ERR = 
@@ -91,6 +97,8 @@ public class WSSecurityException extends
     public static final String SECURITY_TOKEN_UNAVAILABLE_ERR = 
         "Referenced security token could not be retrieved";
     public static final String MESSAGE_EXPIRED_ERR = "The message has expired";
+    public static final String UNIFIED_SECURITY_ERR = 
+        "A security error was encountered when verifying the message";
 
     public enum ErrorCode {
         FAILURE(null), //Non standard error message
@@ -104,6 +112,7 @@ public class WSSecurityException extends
         MESSAGE_EXPIRED(WSSecurityException.MESSAGE_EXPIRED),
         FAILED_ENCRYPTION(null), //Non standard error message
         FAILED_SIGNATURE(null), //Non standard error message
+        SECURITY_ERROR(WSSecurityException.SECURITY_ERROR)
         ;
 
         private QName qName;
@@ -196,39 +205,19 @@ public class WSSecurityException extends
     }
     
     /**
-     * Map a WSSecurityException FaultCode to a standard error String, so as not to leak
-     * internal configuration to an attacker.
+     * Get a "safe" / unified error message, so as not to leak internal configuration
+     * to an attacker.
      */
     public String getSafeExceptionMessage() {
-        // Allow a Replay Attack message to be returned, otherwise it could be confusing
-        // for clients who don't understand the default caching functionality of WSS4J/CXF
-        if (getMessage() != null && getMessage().contains("replay attack")) {
-            return getMessage();
-        }
-        
-        String errorMessage = null;
-        QName faultCode = getFaultCode();
-        if (UNSUPPORTED_SECURITY_TOKEN.equals(faultCode)) {
-            errorMessage = UNSUPPORTED_TOKEN_ERR;
-        } else if (UNSUPPORTED_ALGORITHM.equals(faultCode)) {
-            errorMessage = UNSUPPORTED_ALGORITHM_ERR;
-        } else if (INVALID_SECURITY.equals(faultCode)) {
-            errorMessage = INVALID_SECURITY_ERR;
-        } else if (INVALID_SECURITY_TOKEN.equals(faultCode)) {
-            errorMessage = INVALID_SECURITY_TOKEN_ERR;
-        } else if (FAILED_AUTHENTICATION.equals(faultCode)) {
-            errorMessage = FAILED_AUTHENTICATION_ERR;
-        } else if (FAILED_CHECK.equals(faultCode)) {
-            errorMessage = FAILED_CHECK_ERR;
-        } else if (SECURITY_TOKEN_UNAVAILABLE.equals(faultCode)) {
-            errorMessage = SECURITY_TOKEN_UNAVAILABLE_ERR;
-        } else if (MESSAGE_EXPIRED.equals(faultCode)) {
-            errorMessage = MESSAGE_EXPIRED_ERR;
-        } else {
-            // Default
-            errorMessage = INVALID_SECURITY_ERR;
-        }
-        return errorMessage;
+        return UNIFIED_SECURITY_ERR;
         
     }
+    
+    /**
+     * Get the "safe" / unified fault code QName associated with this exception, so as
+     * not to leak internal configuration to an attacker
+     */
+    public QName getSafeFaultCode() {
+        return SECURITY_ERROR;
+    }
 }
\ No newline at end of file

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
Mon Jan 26 17:14:34 2015
@@ -135,12 +135,30 @@ public class WSSec {
      */
     public static InboundWSSec getInboundWSSec(WSSSecurityProperties securityProperties,
             boolean initiator) throws WSSecurityException {
+        return getInboundWSSec(securityProperties, false, false);
+    }
+    
+    /**
+     * Creates and configures an inbound streaming security engine
+     *
+     * @param securityProperties The user-defined security configuration
+     * @param initiator Whether we are the message initiator or not
+     * @param returnSecurityError Whether to return the underlying security error or not
+     * @return A new InboundWSSec
+     * @throws WSSecurityException
+     *          if the initialisation failed
+     * @throws org.apache.wss4j.stax.ext.WSSConfigurationException
+     *          if the configuration is invalid
+     */
+    public static InboundWSSec getInboundWSSec(WSSSecurityProperties securityProperties,
+                                               boolean initiator,
+                                               boolean returnSecurityError) throws WSSecurityException
{
         if (securityProperties == null) {
             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE,
"missingSecurityProperties");
         }
 
         securityProperties = validateAndApplyDefaultsToInboundSecurityProperties(securityProperties);
-        return new InboundWSSec(securityProperties, initiator);
+        return new InboundWSSec(securityProperties, initiator, returnSecurityError);
     }
     
     /**

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java
Mon Jan 26 17:14:34 2015
@@ -71,14 +71,17 @@ public class InboundWSSec {
 
     private final WSSSecurityProperties securityProperties;
     private final boolean initiator;
+    private final boolean returnSecurityError;
 
     public InboundWSSec(WSSSecurityProperties securityProperties) {
-        this(securityProperties, false);
+        this(securityProperties, false, false);
     }
     
-    public InboundWSSec(WSSSecurityProperties securityProperties, boolean initiator) {
+    public InboundWSSec(WSSSecurityProperties securityProperties, boolean initiator,
+                        boolean returnSecurityError) {
         this.securityProperties = securityProperties;
         this.initiator = initiator;
+        this.returnSecurityError = returnSecurityError;
     }
 
     /**
@@ -259,6 +262,6 @@ public class InboundWSSec {
             }
         }
 
-        return new WSSecurityStreamReader(inputProcessorChain, securityProperties, initiator);
+        return new WSSecurityStreamReader(inputProcessorChain, securityProperties, initiator,
returnSecurityError);
     }
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java
Mon Jan 26 17:14:34 2015
@@ -20,7 +20,6 @@ package org.apache.wss4j.stax.impl;
 
 import org.apache.wss4j.common.WSSPolicyException;
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.ext.InputProcessorChain;
 import org.apache.xml.security.stax.ext.XMLSecurityProperties;
 import org.apache.xml.security.stax.impl.XMLSecurityStreamReader;
@@ -30,11 +29,14 @@ import javax.xml.stream.XMLStreamExcepti
 public class WSSecurityStreamReader extends XMLSecurityStreamReader {
     
     private final boolean initiator;
+    private final boolean returnSecurityError;
     
     public WSSecurityStreamReader(InputProcessorChain inputProcessorChain, 
-            XMLSecurityProperties securityProperties, boolean initiator) {
+            XMLSecurityProperties securityProperties, boolean initiator,
+            boolean returnSecurityError) {
         super(inputProcessorChain, securityProperties);
         this.initiator = initiator;
+        this.returnSecurityError = returnSecurityError;
     }
 
     @Override
@@ -43,23 +45,18 @@ public class WSSecurityStreamReader exte
             return super.next();
         } catch (XMLStreamException e) {
             Throwable cause = e.getCause();
-            if (cause instanceof WSSecurityException) {
-                // Allow a WSSPolicyException
-                if (initiator || cause.getCause() instanceof WSSPolicyException) {
-                    throw e;
-                }
-                // Map to a "safe" error message if we are not the initiator
-                String error = ((WSSecurityException)cause).getSafeExceptionMessage();
-                throw new XMLStreamException(
-                    new WSSecurityException(((WSSecurityException)cause).getErrorCode(),
-                                            new Exception(error)));
+            
+            // Allow a WSSPolicyException
+            if (returnSecurityError || initiator || 
+                cause != null && cause.getCause() instanceof WSSPolicyException)
{
+                throw e;
             }
-            if (cause instanceof XMLSecurityException) {
-                throw new XMLStreamException(
-                        new WSSecurityException(
-                                WSSecurityException.ErrorCode.FAILED_CHECK, (XMLSecurityException)cause));
-            }
-            throw e;
+            
+            // Mask the real error
+            String safeErrorMessage = WSSecurityException.UNIFIED_SECURITY_ERR;
+            throw new XMLStreamException(
+                new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_ERROR,
+                                        new Exception(safeErrorMessage)));
         }
     }
     

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
Mon Jan 26 17:14:34 2015
@@ -145,7 +145,7 @@ public abstract class AbstractTestBase e
     public Document doInboundSecurity(WSSSecurityProperties securityProperties, XMLStreamReader
xmlStreamReader,
                                       List<SecurityEvent> securityEventList, SecurityEventListener
securityEventListener)
             throws XMLStreamException, ParserConfigurationException, XMLSecurityException
{
-        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
         XMLStreamReader outXmlStreamReader = wsSecIn.processInMessage(xmlStreamReader, securityEventList,
securityEventListener);
         return StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), outXmlStreamReader);
     }

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java
Mon Jan 26 17:14:34 2015
@@ -98,7 +98,7 @@ public class PasswordTypeTest extends Ab
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
             securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
 
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), null);
 
@@ -165,7 +165,7 @@ public class PasswordTypeTest extends Ab
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
             securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
 
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), null);
 

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
Mon Jan 26 17:14:34 2015
@@ -89,7 +89,7 @@ public class ReplayTest extends Abstract
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setTimestampReplayCache(replayCache);
             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java
Mon Jan 26 17:14:34 2015
@@ -94,7 +94,7 @@ public class SignatureCertConstaintsTest
             Pattern subjectDNPattern = Pattern.compile(certConstraint.trim());
             securityProperties.setSubjectCertConstraints(Collections.singletonList(subjectDNPattern));
             
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {
@@ -152,7 +152,7 @@ public class SignatureCertConstaintsTest
             Pattern subjectDNPattern = Pattern.compile(certConstraint.trim());
             securityProperties.setSubjectCertConstraints(Collections.singletonList(subjectDNPattern));
             
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java
Mon Jan 26 17:14:34 2015
@@ -401,7 +401,7 @@ public class SignatureConfirmationTest e
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setEnableSignatureConfirmationVerification(true);
             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
 
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), securityEventList);
 

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
Mon Jan 26 17:14:34 2015
@@ -1521,7 +1521,7 @@ public class SignatureTest extends Abstr
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
Mon Jan 26 17:14:34 2015
@@ -195,7 +195,7 @@ public class TimestampTest extends Abstr
         //done timestamp; now test timestamp-verification:
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {
@@ -236,7 +236,7 @@ public class TimestampTest extends Abstr
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
             securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {
@@ -332,7 +332,7 @@ public class TimestampTest extends Abstr
         //done timestamp; now test timestamp-verification:
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {
@@ -414,7 +414,7 @@ public class TimestampTest extends Abstr
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setTimestampTTL(1);
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {
@@ -456,7 +456,7 @@ public class TimestampTest extends Abstr
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.addIgnoreBSPRule(BSPRule.R3203);
             securityProperties.addIgnoreBSPRule(BSPRule.R3221);
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {
@@ -543,7 +543,7 @@ public class TimestampTest extends Abstr
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.addIgnoreBSPRule(BSPRule.R3203);
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {
@@ -583,7 +583,7 @@ public class TimestampTest extends Abstr
         //done timestamp; now test timestamp-verification:
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java
Mon Jan 26 17:14:34 2015
@@ -128,7 +128,7 @@ public class UsernameTokenTest extends A
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setCallbackHandler(new CallbackHandlerImpl("wrongUsername"));
             //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             try {
@@ -171,7 +171,7 @@ public class UsernameTokenTest extends A
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setCallbackHandler(new CallbackHandlerImpl("username"));
             //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
 
             SecurityEventListener securityEventListener = new SecurityEventListener() {
                 @Override
@@ -262,7 +262,7 @@ public class UsernameTokenTest extends A
 
         WSSSecurityProperties securityProperties = new WSSSecurityProperties();
         securityProperties.setCallbackHandler(new CallbackHandlerImpl());
-        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
         XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(req.getBytes())));
         StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
 
@@ -311,7 +311,7 @@ public class UsernameTokenTest extends A
 
         WSSSecurityProperties securityProperties = new WSSSecurityProperties();
         securityProperties.setCallbackHandler(new CallbackHandlerImpl());
-        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
 
         try {
             XMLStreamReader xmlStreamReader = 
@@ -398,7 +398,7 @@ public class UsernameTokenTest extends A
 
         WSSSecurityProperties securityProperties = new WSSSecurityProperties();
         securityProperties.setCallbackHandler(new CallbackHandlerImpl());
-        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
 
         try {
             XMLStreamReader xmlStreamReader = 
@@ -641,7 +641,7 @@ public class UsernameTokenTest extends A
         try {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
             
             xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java
Mon Jan 26 17:14:34 2015
@@ -109,12 +109,10 @@ public class VulnerabliltyVectorsTest ex
         } catch (XMLStreamException e) {
             Throwable throwable = e.getCause();
             Assert.assertNotNull(throwable);
-            Assert.assertTrue(throwable instanceof WSSecurityException);
             //we expect a "No SecurityToken found" since WSS says that a token must be declared
before use.
             //the declare before use is in the nature of streaming xml-security and therefore
expected
             //Assert.assertEquals(throwable.getMessage(), "An invalid security token was
provided");
             Assert.assertEquals(throwable.getMessage(), "Recursive key reference detected.");
-            Assert.assertEquals(((WSSecurityException) throwable).getFaultCode(), WSSecurityException.FAILED_CHECK);
         }
     }
 
@@ -196,9 +194,7 @@ public class VulnerabliltyVectorsTest ex
         } catch (XMLStreamException e) {
             Throwable throwable = e.getCause();
             Assert.assertNotNull(throwable);
-            Assert.assertTrue(throwable instanceof WSSecurityException);
             Assert.assertTrue(throwable.getMessage().contains("Invalid digest of reference
"));
-            Assert.assertEquals(((WSSecurityException) throwable).getFaultCode(), WSSecurityException.FAILED_CHECK);
         }
     }
 
@@ -294,7 +290,7 @@ public class VulnerabliltyVectorsTest ex
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
-            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
             StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);



Mime
View raw message