
From cohei...@apache.org
Subject svn commit: r1757547 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/saml/ ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/ ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/secu...
Date Wed, 24 Aug 2016 16:35:00 GMT
Author: coheigea
Date: Wed Aug 24 16:35:00 2016
New Revision: 1757547

URL: http://svn.apache.org/viewvc?rev=1757547&view=rev
Log:
WSS-586 - Don't query a CallbackHandler for a secret key when parsing a SAML Subject for credentials

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java?rev=1757547&r1=1757546&r2=1757547&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLUtil.java
Wed Aug 24 16:35:00 2016
@@ -25,7 +25,6 @@ import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.List;
 
-import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.xml.crypto.XMLStructure;
@@ -37,7 +36,6 @@ import javax.xml.crypto.dsig.keyinfo.X50
 
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoType;
-import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.opensaml.saml.saml2.core.SubjectConfirmationData;
@@ -48,9 +46,6 @@ import org.w3c.dom.Element;
  */
 public final class SAMLUtil {
 
-    private static final org.slf4j.Logger LOG =
-        org.slf4j.LoggerFactory.getLogger(SAMLUtil.class);
-
     private static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
 
     private SAMLUtil() {
@@ -87,29 +82,6 @@ public final class SAMLUtil {
     }
 
     /**
-     * Try to get the secret key from a CallbackHandler implementation
-     * @param cb a CallbackHandler implementation
-     * @return An array of bytes corresponding to the secret key (can be null)
-     */
-    public static byte[] getSecretKeyFromCallbackHandler(
-        String id,
-        CallbackHandler cb
-    ) {
-        if (cb != null) {
-            WSPasswordCallback pwcb =
-                new WSPasswordCallback(id, WSPasswordCallback.SECRET_KEY);
-            try {
-                cb.handle(new Callback[]{pwcb});
-            } catch (Exception e1) {
-                LOG.debug("Error in retrieving secret key from CallbackHandler: " + e1.getMessage());
-                return null;
-            }
-            return pwcb.getKey();
-        }
-        return null;
-    }
-
-    /**
      * Get the SAMLKeyInfo object corresponding to the credential stored in the Subject of
a
      * SAML 1.1 assertion
      * @param assertion The SAML 1.1 assertion
@@ -125,12 +97,6 @@ public final class SAMLUtil {
         Crypto sigCrypto,
         CallbackHandler callbackHandler
     ) throws WSSecurityException {
-        // First try to get the credential from a CallbackHandler
-        byte[] key = getSecretKeyFromCallbackHandler(assertion.getID(), callbackHandler);
-        if (key != null && key.length > 0) {
-            return new SAMLKeyInfo(key);
-        }
-
         for (org.opensaml.saml.saml1.core.Statement stmt : assertion.getStatements()) {
             org.opensaml.saml.saml1.core.Subject samlSubject = null;
             if (stmt instanceof org.opensaml.saml.saml1.core.AttributeStatement) {
@@ -178,12 +144,6 @@ public final class SAMLUtil {
         Crypto sigCrypto,
         CallbackHandler callbackHandler
     ) throws WSSecurityException {
-        // First try to get the credential from a CallbackHandler
-        byte[] key = getSecretKeyFromCallbackHandler(assertion.getID(), callbackHandler);
-        if (key != null && key.length > 0) {
-            return new SAMLKeyInfo(key);
-        }
-
         org.opensaml.saml.saml2.core.Subject samlSubject = assertion.getSubject();
         if (samlSubject != null) {
             List<org.opensaml.saml.saml2.core.SubjectConfirmation> subjectConfList
=
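Review bot: Nothing in the new SAML 2.0 `getCredentialFromSubject` body records why the CallbackHandler shortcut was dropped, and the remaining code reads as if it simply never had one. The removed path returned whatever key the handler produced for `assertion.getID()` — a value taken from the incoming assertion — ahead of the key actually bound in the SubjectConfirmation, which presumably is the weakness WSS-586 closes; that rationale is worth pinning in place with a comment at the top of the method body: `// WSS-586: do not consult the CallbackHandler here — the holder-of-key credential is the one carried in the SubjectConfirmation KeyInfo.` The method continues beyond the hunk, so I have not checked whether `callbackHandler` is still passed through for KeyInfo resolution below.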

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java?rev=1757547&r1=1757546&r2=1757547&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
Wed Aug 24 16:35:00 2016
@@ -45,7 +45,6 @@ import org.apache.wss4j.binding.wss10.Ob
 import org.apache.wss4j.binding.wss10.SecurityTokenReferenceType;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
 import org.apache.wss4j.stax.ext.WSSConstants;
@@ -182,49 +181,14 @@ public class SAMLTokenInputHandler exten
         }
 
         if (holderOfKey) {
+            int subjectKeyInfoIndex = getSubjectKeyInfoIndex(eventQueue);
+            if (subjectKeyInfoIndex < 0) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"noKeyInSAMLToken");
+            }
 
-            // First try to get the credential from a CallbackHandler
-            final byte[] subjectSecretKey = SAMLUtil.getSecretKeyFromCallbackHandler(
-                    samlAssertionWrapper.getId(), wssSecurityProperties.getCallbackHandler());
-
-            if (subjectSecretKey != null && subjectSecretKey.length > 0) {
-
-                subjectSecurityToken = new AbstractInboundSecurityToken(
-                        wsInboundSecurityContext, IDGenerator.generateID(null),
-                        WSSecurityTokenConstants.KeyIdentifier_NoKeyInfo, true) {
-                    @Override
-                    public WSSecurityTokenConstants.TokenType getTokenType() {
-                        return WSSecurityTokenConstants.DefaultToken;
-                    }
-
-                    @Override
-                    public boolean isAsymmetric() throws XMLSecurityException {
-                        return false;
-                    }
-
-                    @Override
-                    protected Key getKey(String algorithmURI, XMLSecurityConstants.AlgorithmUsage
-                            algorithmUsage, String correlationID) throws XMLSecurityException
{
-
-                        Key key = super.getKey(algorithmURI, algorithmUsage, correlationID);
-                        if (key == null) {
-                            String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
-                            key = new SecretKeySpec(subjectSecretKey, algoFamily);
-                            setSecretKey(algorithmURI, key);
-                        }
-                        return key;
-                    }
-                };
-            } else {
-                int subjectKeyInfoIndex = getSubjectKeyInfoIndex(eventQueue);
-                if (subjectKeyInfoIndex < 0) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"noKeyInSAMLToken");
-                }
-
-                subjectSecurityToken = parseKeyInfo(inputProcessorChain, securityProperties,
eventQueue, subjectKeyInfoIndex);
-                if (subjectSecurityToken == null) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"noKeyInSAMLToken");
-                }
+            subjectSecurityToken = parseKeyInfo(inputProcessorChain, securityProperties,
eventQueue, subjectKeyInfoIndex);
+            if (subjectSecurityToken == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"noKeyInSAMLToken");
             }
         } else {
             subjectSecurityToken = null;
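Review bot: The import hunk above drops only `SAMLUtil`, yet the deleted anonymous `AbstractInboundSecurityToken` was, as far as this hunk shows, the only user of `Key`, `SecretKeySpec`, `JCEAlgorithmMapper`, `IDGenerator`, `XMLSecurityConstants` and `XMLSecurityException`; if no other method in the file references them those imports are now dead and should go too (I cannot see the rest of the file to confirm). The new `holderOfKey` branch is also a behaviour change a reader should not have to reconstruct from history: an assertion whose SubjectConfirmation carries no KeyInfo is now rejected with `noKeyInSAMLToken` instead of falling back to a CallbackHandler-supplied secret. Suggest a comment above the `getSubjectKeyInfoIndex` call: `// WSS-586: the HoK subject key must come from the assertion's KeyInfo; there is deliberately no CallbackHandler fallback here.` The enclosing method begins and ends outside this hunk.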

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java?rev=1757547&r1=1757546&r2=1757547&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
Wed Aug 24 16:35:00 2016
@@ -79,6 +79,12 @@ public class SamlSecurityTokenImpl exten
             } catch (IOException | UnsupportedCallbackException e) {
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "noPassword");
             }
+            
+            secret = pwcb.getKey();
+            key = pwcb.getKeyObject();
+            if (this.key instanceof PrivateKey) {
+                super.setAsymmetric(true);
+            }
 
             Element assertionElem = pwcb.getCustomToken();
             if (assertionElem != null && "Assertion".equals(assertionElem.getLocalName())
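Review bot: Moving `secret = pwcb.getKey(); key = pwcb.getKeyObject();` ahead of the custom-token branch means a CallbackHandler that returns both an `Assertion` element and a key now has both honoured, where before the key was read only on the no-assertion path. That looks like the intended replacement for the lookup removed from `SAMLUtil` in this same commit, but the code does not say so; a comment would help: `// The CallbackHandler may supply the subject key directly; this replaces the former SAMLUtil.getSecretKeyFromCallbackHandler lookup (WSS-586).` Also, `setAsymmetric(true)` fires only for a `PrivateKey` — if `getKeyObject()` can ever return a `PublicKey`, the token would stay marked symmetric; please confirm that is intended or extend the check. The constructor body continues outside the hunk.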
@@ -91,13 +97,8 @@ public class SamlSecurityTokenImpl exten
                                                       securityProperties.getSignatureVerificationCrypto(),
                                                       securityProperties.getCallbackHandler());
             } else {
-                // Possibly an Encrypted Assertion...just get the key
+                // Possibly an Encrypted Assertion...we just need the key here
                 this.samlAssertionWrapper = null;
-                secret = pwcb.getKey();
-                key = pwcb.getKeyObject();
-                if (this.key instanceof PrivateKey) {
-                    super.setAsymmetric(true);
-                }
             }
 
             if (this.samlAssertionWrapper == null && secret == null && key
== null) {
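Review bot: The reworded comment `// Possibly an Encrypted Assertion...we just need the key here` no longer matches the branch it sits on: after this commit the `else` body only nulls `samlAssertionWrapper`, and the key was already taken from the callback before the `if`. Suggest `// No custom token supplied (possibly an Encrypted Assertion); the key, if any, was already read from the callback above.` so the next reader does not look for a key fetch that is not there. The final `samlAssertionWrapper == null && secret == null && key == null` check continues outside the hunk and still covers the moved assignments.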


