From cohei...@apache.org
Subject svn commit: r1662669 - in /webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom: ./ message/ processor/ saml/ util/
Date Fri, 27 Feb 2015 12:07:44 GMT
Author: coheigea
Date: Fri Feb 27 12:07:43 2015
New Revision: 1662669

URL: http://svn.apache.org/r1662669
Log:
Some WSDocInfo efficiency improvements

Modified:
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSDocInfo.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSDocInfo.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSDocInfo.java?rev=1662669&r1=1662668&r2=1662669&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSDocInfo.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSDocInfo.java
Fri Feb 27 12:07:43 2015
@@ -32,21 +32,28 @@ package org.apache.wss4j.dom;
 
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import javax.xml.crypto.dom.DOMCryptoContext;
 
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.message.CallbackLookup;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
 public class WSDocInfo {
     private Document doc;
     private Crypto crypto;
-    private final List<Element> tokenList = new ArrayList<>();
+    
+    // Here we map the token "Id" to the token itself. The token "Id" is the key as it must
be unique to guard
+    // against various wrapping attacks. The "Id" name/namespace is stored as part of the
entry (along with the
+    // element), so that we know what namespace to use when setting the token on the crypto
context for signature
+    // creation or validation
+    private final Map<String, TokenValue> tokenList = new HashMap<>();
+
     private final List<WSSecurityEngineResult> resultsList = new ArrayList<>();
     private CallbackLookup callbackLookup;
     private Element securityHeader;
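Review bot: The new field comment says the token Id "must be unique to guard against various wrapping attacks", but nothing in the map itself enforces that; uniqueness is only checked when addTokenElement is called with `checkMultipleElements` true, and otherwise `Map.put` lets a later token with the same Id replace the earlier one. A reader of this comment would assume the structure guarantees the property. I would extend the comment with `// Uniqueness is only enforced when addTokenElement() is called with checkMultipleElements=true; otherwise a later token with the same Id silently replaces the earlier one.` so the guarantee is stated where the caller can see its condition.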
@@ -92,47 +99,60 @@ public class WSDocInfo {
      * @param checkMultipleElements check for a previously stored element with the same Id.
      */
     public void addTokenElement(Element element, boolean checkMultipleElements) throws WSSecurityException
{
-        if (element != null) {
-            if (checkMultipleElements) {
-                for (Element elem : tokenList) {
-                    if (compareElementsById(element, elem)) {
-                        throw new WSSecurityException(
-                            WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "duplicateError"
-                        );
-                    }
-                }
-            }
-            tokenList.add(element);
+        if (element == null) {
+            return;
         }
-    }
-    
-    private boolean compareElementsById(Element firstElement, Element secondElement) {
-        if (firstElement.hasAttributeNS(WSConstants.WSU_NS, "Id")
-            && secondElement.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
-            String id = firstElement.getAttributeNS(WSConstants.WSU_NS, "Id");
-            String id2 = secondElement.getAttributeNS(WSConstants.WSU_NS, "Id");
-            if (id.equals(id2)) {
-                return true;
+        
+        if (element.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
+            String id = element.getAttributeNS(WSConstants.WSU_NS, "Id");
+            TokenValue tokenValue = new TokenValue("Id", WSConstants.WSU_NS, element);
+            TokenValue previousValue = tokenList.put(id, tokenValue);
+            if (checkMultipleElements && previousValue != null) {
+                throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "duplicateError"
+                );
             }
         }
-        if (firstElement.hasAttributeNS(null, "AssertionID")
-            && secondElement.hasAttributeNS(null, "AssertionID")) {
-            String id = firstElement.getAttributeNS(null, "AssertionID");
-            String id2 = secondElement.getAttributeNS(null, "AssertionID");
-            if (id.equals(id2)) {
-                return true;
+
+        if (element.hasAttributeNS(null, "Id")) {
+            String id = element.getAttributeNS(null, "Id");
+            TokenValue tokenValue = new TokenValue("Id", null, element);
+            TokenValue previousValue = tokenList.put(id, tokenValue);
+            if (checkMultipleElements && previousValue != null) {
+                throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "duplicateError"
+                );
             }
         }
-        if (firstElement.hasAttributeNS(null, "ID") && secondElement.hasAttributeNS(null,
"ID")) {
-            String id = firstElement.getAttributeNS(null, "ID");
-            String id2 = secondElement.getAttributeNS(null, "ID");
-            if (id.equals(id2)) {
-                return true;
+
+        // SAML Assertions
+        if ("Assertion".equals(element.getLocalName())) {
+            if (WSConstants.SAML_NS.equals(element.getNamespaceURI())
+                && element.hasAttributeNS(null, "AssertionID")) {
+                String id = element.getAttributeNS(null, "AssertionID");
+                TokenValue tokenValue = new TokenValue("AssertionID", null, element);
+                TokenValue previousValue = tokenList.put(id, tokenValue);
+                if (checkMultipleElements && previousValue != null) {
+                    throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "duplicateError"
+                    );
+                }
+            } else if (WSConstants.SAML2_NS.equals(element.getNamespaceURI())
+                && element.hasAttributeNS(null, "ID")) {
+                String id = element.getAttributeNS(null, "ID");
+                TokenValue tokenValue = new TokenValue("ID", null, element);
+                TokenValue previousValue = tokenList.put(id, tokenValue);
+                if (checkMultipleElements && previousValue != null) {
+                    throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "duplicateError"
+                    );
+                }
             }
         }
-        return false;
+
     }
     
+    
     /**
      * Get a token Element for the given Id. The Id can be either a wsu:Id or a 
      * SAML AssertionID/ID. 
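Review bot: In each of the four branches the duplicate check runs after `tokenList.put`, so with `checkMultipleElements` false a later element carrying the same id silently replaces the earlier one (and `getTokenElement` now returns the last registration where the removed List returned the first), while with it true a single element that carries both `wsu:Id` and an unqualified `Id` of equal value is put twice under the same key and rejected as a duplicate of itself. I would fold the repeated put-and-throw into one helper that looks the id up first, keeps the existing entry, and throws only when a different element already owns that id, as sketched below. Collapsing wsu:Id, Id, AssertionID and ID into a single key space is a deliberate tightening compared with the removed compareElementsById, which only collided same-named attributes; that is worth a sentence in the method Javadoc, which begins before this hunk.
```java
    public void addTokenElement(Element element, boolean checkMultipleElements) throws WSSecurityException {
        if (element == null) {
            return;
        }

        if (element.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
            registerToken(element.getAttributeNS(WSConstants.WSU_NS, "Id"),
                          new TokenValue("Id", WSConstants.WSU_NS, element), checkMultipleElements);
        }
        // … unchanged: the unqualified Id, SAML 1.1 AssertionID and SAML 2.0 ID branches, each calling registerToken …
    }

    /**
     * Registers tokenValue under id. An existing registration of the same element is kept
     * untouched; a different element under the same id is rejected when checking is enabled,
     * and otherwise the first registration wins (the lookup order the previous List gave).
     */
    private void registerToken(String id, TokenValue tokenValue, boolean checkMultipleElements)
        throws WSSecurityException {
        TokenValue previousValue = tokenList.get(id);
        if (previousValue == null) {
            tokenList.put(id, tokenValue);
        } else if (checkMultipleElements && previousValue.getToken() != tokenValue.getToken()) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "duplicateError"
            );
        }
    }
```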
@@ -146,18 +166,12 @@ public class WSDocInfo {
         } else if (id.charAt(0) == '#') {
             id = id.substring(1);
         }
-        if (!tokenList.isEmpty()) {
-            for (Element elem : tokenList) {
-                String cId = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
-                String samlId = elem.getAttributeNS(null, "AssertionID");
-                String samlId2 = elem.getAttributeNS(null, "ID");
-                if (elem.hasAttributeNS(WSConstants.WSU_NS, "Id") && id.equals(cId)
-                    || elem.hasAttributeNS(null, "AssertionID") && id.equals(samlId)
-                    || elem.hasAttributeNS(null, "ID") && id.equals(samlId2)) {
-                    return elem;
-                }
-            }
+        
+        TokenValue token = tokenList.get(id);
+        if (token != null) {
+            return token.getToken();
         }
+
         return null;
     }
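Review bot: The map lookup here also resolves tokens that were registered under an unqualified `Id` attribute, which the removed loop never matched (it only compared wsu:Id, AssertionID and the upper-case ID), so the Javadoc just above this hunk, "The Id can be either a wsu:Id or a SAML AssertionID/ID", is now incomplete; I would change it to `The Id can be a wsu:Id, an unqualified Id, or a SAML AssertionID/ID.` The method's signature and null guard start before the hunk; if that guard only tests for null, an empty uri still reaches `id.charAt(0)` and throws StringIndexOutOfBoundsException — worth confirming against the lines not shown.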
 
@@ -166,21 +180,37 @@ public class WSDocInfo {
      * @param context
      */
     public void setTokensOnContext(DOMCryptoContext context) {
-        if (tokenList != null) {
-            for (Element elem : tokenList) {
-                WSSecurityUtil.storeElementInContext(context, elem);
+        if (!tokenList.isEmpty() && context != null) {
+            for (Map.Entry<String, TokenValue> entry : tokenList.entrySet()) {
+                TokenValue tokenValue = entry.getValue();
+                context.setIdAttributeNS(tokenValue.getToken(), tokenValue.getIdNamespace(),
+                                         tokenValue.getIdName());
             }
         }
     }
     
+    public void setTokenOnContext(String uri, DOMCryptoContext context) {
+        String id = uri;
+        if (id == null || context == null) {
+            return;
+        } else if (id.charAt(0) == '#') {
+            id = id.substring(1);
+        }
+
+        TokenValue tokenValue = tokenList.get(id);
+        if (tokenValue != null) {
+            context.setIdAttributeNS(tokenValue.getToken(), tokenValue.getIdNamespace(),
+                                     tokenValue.getIdName());
+        }
+    }
+
+    
     /**
      * Store a WSSecurityEngineResult for later retrieval. 
      * @param result is the WSSecurityEngineResult to store
      */
     public void addResult(WSSecurityEngineResult result) {
-        if (result != null) {
-            resultsList.add(result);
-        }
+        resultsList.add(result);
     }
     
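Review bot: The new setTokenOnContext guards only `id == null`, so an empty reference URI reaches `id.charAt(0)` and throws StringIndexOutOfBoundsException instead of returning quietly; the guard should read `if (id == null || id.isEmpty() || context == null) {`. The same hunk drops the `result != null` check from addResult, and the getResult loop further down in this file calls `result.get(...)` on every entry, so a null passed in now surfaces later as a NullPointerException far from the caller that supplied it; I would keep the original guard there. setTokenOnContext is also a new public method without Javadoc; a one-liner such as `Registers the token stored under the given (possibly '#'-prefixed) Id as an ID attribute on the crypto context, doing nothing if no such token was registered.` would cover it.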
     /**
@@ -235,11 +265,13 @@ public class WSDocInfo {
             id = id.substring(1);
         }
         
-        for (WSSecurityEngineResult result : resultsList) {
-            Integer resultTag = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
-            String cId = (String)result.get(WSSecurityEngineResult.TAG_ID);
-            if (tag.intValue() == resultTag.intValue() && id.equals(cId)) {
-                return result;
+        if (!resultsList.isEmpty()) {
+            for (WSSecurityEngineResult result : resultsList) {
+                Integer resultTag = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+                String cId = (String)result.get(WSSecurityEngineResult.TAG_ID);
+                if (tag.intValue() == resultTag.intValue() && id.equals(cId)) {
+                    return result;
+                }
             }
         }
         return null;
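Review bot: The added `if (!resultsList.isEmpty())` wrapper changes nothing — a for-each over an empty list already does no work — so it only adds a nesting level and diff noise; I would drop it and keep the loop at its original indentation. While touching the loop, `resultTag.intValue()` unboxes without a null check, so a result stored without TAG_ACTION throws NullPointerException here; `tag.equals(resultTag) && id.equals(cId)` would be null-safe in one change. getResult starts before this hunk.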
@@ -297,4 +329,28 @@ public class WSDocInfo {
     public void setSecurityHeader(Element securityHeader) {
         this.securityHeader = securityHeader;
     }
+    
+    private static class TokenValue {
+        final String idName;
+        final String idNamespace;
+        final Element token;
+
+        public TokenValue(String idName, String idNamespace, Element token) {
+            this.idName = idName;
+            this.idNamespace = idNamespace;
+            this.token = token;
+        }
+
+        public String getIdName() {
+            return idName;
+        }
+
+        public String getIdNamespace() {
+            return idNamespace;
+        }
+        public Element getToken() {
+            return token;
+        }
+    }
+
 }
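Review bot: TokenValue's `idNamespace` is null for every unqualified attribute (the `new TokenValue("Id", null, element)` and AssertionID/ID call sites in addTokenElement), and that null is what later flows into `context.setIdAttributeNS`, but nothing on the class says the field is nullable; I would document it with `/** Namespace URI of the id attribute, or null for an unqualified attribute. */`. The three fields are `final` but package-private; since the class is itself private and has accessors, making them `private final` costs nothing and keeps the accessors the only entry point. A blank line before `getToken()` would match the spacing of the other two accessors.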

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java?rev=1662669&r1=1662668&r2=1662669&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKSign.java
Fri Feb 27 12:07:43 2015
@@ -283,9 +283,6 @@ public class WSSecDKSign extends WSSecDe
             
             // Add the elements to sign to the Signature Context
             wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
-            if (secRef != null && secRef.getElement() != null) {
-                WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
-            }
             
             sig.sign(signContext);
             

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java?rev=1662669&r1=1662668&r2=1662669&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
Fri Feb 27 12:07:43 2015
@@ -569,9 +569,6 @@ public class WSSecSignature extends WSSe
             
             // Add the elements to sign to the Signature Context
             wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
-            if (secRef != null && secRef.getElement() != null) {
-                WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
-            }
             sig.sign(signContext);
             
             signatureValue = sig.getSignatureValue().getValue();

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1662669&r1=1662668&r2=1662669&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
Fri Feb 27 12:07:43 2015
@@ -466,10 +466,7 @@ public class SignatureProcessor implemen
             String uri = reference.getURI();
             Element element = callbackLookup.getAndRegisterElement(uri, null, true, context);
             if (element == null) {
-                element = wsDocInfo.getTokenElement(uri);
-                if (element != null) {
-                    WSSecurityUtil.storeElementInContext(context, element);
-                }
+                wsDocInfo.setTokenOnContext(uri, context);
             }
         }
     }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java?rev=1662669&r1=1662668&r2=1662669&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/WSSecSignatureSAML.java
Fri Feb 27 12:07:43 2015
@@ -544,14 +544,6 @@ public class WSSecSignatureSAML extends
             // Add the elements to sign to the Signature Context
             wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
 
-            if (secRefSaml != null && secRefSaml.getElement() != null) {
-                WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRefSaml.getElement());
-            }
-            if (getSecurityTokenReference() != null 
-                && getSecurityTokenReference().getElement() != null) {
-                WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, 
-                                                     getSecurityTokenReference().getElement());
-            }
             sig.sign(signContext);
             
             signatureValue = sig.getSignatureValue().getValue();

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java?rev=1662669&r1=1662668&r2=1662669&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/WSSecurityUtil.java
Fri Feb 27 12:07:43 2015
@@ -44,7 +44,6 @@ import org.w3c.dom.Text;
 
 import javax.crypto.Cipher;
 import javax.crypto.NoSuchPaddingException;
-import javax.xml.crypto.dom.DOMCryptoContext;
 
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -976,28 +975,6 @@ public final class WSSecurityUtil {
         }
     }
     
-    /**
-     * Store the element argument in the DOM Crypto Context if it has one of the standard
-     * "Id" attributes.
-     */
-    public static void storeElementInContext(
-        DOMCryptoContext context, 
-        Element element
-    ) {
-        if (element.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
-            context.setIdAttributeNS(element, WSConstants.WSU_NS, "Id");
-        }
-        if (element.hasAttributeNS(null, "Id")) {
-            context.setIdAttributeNS(element, null, "Id");
-        }
-        if (element.hasAttributeNS(null, "ID")) {
-            context.setIdAttributeNS(element, null, "ID");
-        }
-        if (element.hasAttributeNS(null, "AssertionID")) {
-            context.setIdAttributeNS(element, null, "AssertionID");
-        }
-    }
-    
     public static void verifySignedElement(Element elem, WSDocInfo wsDocInfo)
         throws WSSecurityException {
         verifySignedElement(elem, wsDocInfo.getResultsByTag(WSConstants.SIGN));


