ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1861502 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/util/ ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/ ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ ws-securi...
Date Mon, 17 Jun 2019 11:37:44 GMT
Author: coheigea
Date: Mon Jun 17 11:37:44 2019
New Revision: 1861502

URL: http://svn.apache.org/viewvc?rev=1861502&view=rev
Log:
Remove storing raw password in UsernameToken

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java
Mon Jun 17 11:37:44 2019
@@ -19,10 +19,16 @@
 
 package org.apache.wss4j.common.util;
 
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
 
@@ -170,4 +176,28 @@ public final class UsernameTokenUtil {
         return passwdDigest;
     }
 
+    /**
+     * Get the raw (plain text) password used to compute secret key.
+     */
+    public static String getRawPassword(CallbackHandler callbackHandler, String username,
+                                        String password, String passwordType) throws WSSecurityException
{
+        if (callbackHandler == null) {
+            LOG.debug("CallbackHandler is null");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        }
+
+        WSPasswordCallback pwCb =
+            new WSPasswordCallback(
+                username, password, passwordType, WSPasswordCallback.USERNAME_TOKEN
+            );
+        try {
+            callbackHandler.handle(new Callback[]{pwCb});
+        } catch (IOException | UnsupportedCallbackException e) {
+            LOG.debug(e.getMessage(), e);
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e
+            );
+        }
+        return pwCb.getPassword();
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
Mon Jun 17 11:37:44 2019
@@ -19,7 +19,6 @@
 
 package org.apache.wss4j.dom.message.token;
 
-import java.io.IOException;
 import java.security.Principal;
 import java.time.Instant;
 import java.time.ZoneOffset;
@@ -29,14 +28,10 @@ import java.time.format.DateTimeParseExc
 import java.util.Arrays;
 import java.util.List;
 
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.xml.namespace.QName;
 
 import org.apache.wss4j.common.bsp.BSPEnforcer;
 import org.apache.wss4j.common.bsp.BSPRule;
-import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
 import org.apache.wss4j.common.util.DOM2Writer;
@@ -77,7 +72,6 @@ public class UsernameToken {
     private Element elementIteration;
     private String passwordType;
     private boolean hashed = true;
-    private String rawPassword;        // enhancement by Alberto Coletti
     private boolean passwordsAreEncoded;
     private Instant created;
 
@@ -494,7 +488,6 @@ public class UsernameToken {
             }
         }
 
-        rawPassword = pwd;             // enhancement by Alberto coletti
         Text node = getFirstNode(elementPassword);
         try {
             if (hashed) {
@@ -517,31 +510,6 @@ public class UsernameToken {
     }
 
     /**
-     * Set the raw (plain text) password used to compute secret key.
-     */
-    public void setRawPassword(CallbackHandler callbackHandler) throws WSSecurityException
{
-        if (callbackHandler == null) {
-            LOG.debug("CallbackHandler is null");
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
-        }
-
-        WSPasswordCallback pwCb =
-            new WSPasswordCallback(
-                getName(), getPassword(), getPasswordType(),
-                WSPasswordCallback.USERNAME_TOKEN
-            );
-        try {
-            callbackHandler.handle(new Callback[]{pwCb});
-        } catch (IOException | UnsupportedCallbackException e) {
-            LOG.debug(e.getMessage(), e);
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e
-            );
-        }
-        rawPassword = pwCb.getPassword();
-    }
-
-    /**
      * @param passwordsAreEncoded whether passwords are encoded
      */
     public void setPasswordsAreEncoded(boolean passwordsAreEncoded) {
@@ -609,10 +577,11 @@ public class UsernameToken {
     /**
      * This method gets a derived key as defined in WSS Username Token Profile.
      *
+     * @param rawPassword The raw password to use to derive the key
      * @return Returns the derived key as a byte array
      * @throws WSSecurityException
      */
-    public byte[] getDerivedKey(BSPEnforcer bspEnforcer) throws WSSecurityException {
+    public byte[] getDerivedKey(BSPEnforcer bspEnforcer, String rawPassword) throws WSSecurityException
{
         if (rawPassword == null) {
             LOG.debug("The raw password was null");
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java
Mon Jun 17 11:37:44 2019
@@ -24,6 +24,7 @@ import java.util.List;
 
 import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
 import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
 import org.w3c.dom.Element;
 import org.apache.wss4j.common.cache.ReplayCache;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -67,8 +68,10 @@ public class UsernameTokenProcessor impl
         if (token.getPassword() == null) {
             action = WSConstants.UT_NOPASSWORD;
             if (token.isDerivedKey()) {
-                token.setRawPassword(data.getCallbackHandler());
-                secretKey = token.getDerivedKey(data.getBSPEnforcer());
+                String rawPassword =
+                    UsernameTokenUtil.getRawPassword(data.getCallbackHandler(), token.getName(),
+                                                     token.getPassword(), token.getPasswordType());
+                secretKey = token.getDerivedKey(data.getBSPEnforcer(), rawPassword);
             }
         }
         WSSecurityEngineResult result = new WSSecurityEngineResult(action, token);

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
Mon Jun 17 11:37:44 2019
@@ -33,6 +33,7 @@ import org.apache.wss4j.common.token.Bin
 import org.apache.wss4j.common.token.Reference;
 import org.apache.wss4j.common.token.SecurityTokenReference;
 import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
@@ -149,8 +150,10 @@ public class SecurityTokenRefSTRParser i
             UsernameToken usernameToken =
                 (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
 
-            usernameToken.setRawPassword(data.getCallbackHandler());
-            byte[] secretKey = usernameToken.getDerivedKey(data.getBSPEnforcer());
+            String rawPassword =
+                UsernameTokenUtil.getRawPassword(data.getCallbackHandler(), usernameToken.getName(),
+                                                 usernameToken.getPassword(), usernameToken.getPasswordType());
+            byte[] secretKey = usernameToken.getDerivedKey(data.getBSPEnforcer(), rawPassword);
             parserResult.setSecretKey(secretKey);
         }
 

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
Mon Jun 17 11:37:44 2019
@@ -253,7 +253,6 @@ public class SignatureSTRParser implemen
             UsernameToken usernameToken =
                 (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
 
-            usernameToken.setRawPassword(data.getCallbackHandler());
             parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
 
             parserResult.setPrincipal(usernameToken.createPrincipal());



Mime
View raw message