From cohei...@apache.org
Subject svn commit: r1672600 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/ ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/ ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/ ws-security-dom/src/t...
Date Fri, 10 Apr 2015 09:46:12 GMT
Author: coheigea
Date: Fri Apr 10 09:46:11 2015
New Revision: 1672600

URL: http://svn.apache.org/r1672600
Log:
[WSS-530] - Add a property to enforce that a received Timestamp has an "Expires" Element

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/TimestampValidator.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/TimestampTest.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/TimestampValidatorImpl.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
Fri Apr 10 09:46:11 2015
@@ -454,6 +454,12 @@ public class ConfigurationConstants {
     public static final String TIMESTAMP_STRICT = "timestampStrict";
     
     /**
+     * Set the value of this parameter to true to require that a Timestamp must have
+     * an "Expires" Element. The default is "false".
+     */
+    public static final String REQUIRE_TIMESTAMP_EXPIRES = "requireTimestampExpires";
+    
+    /**
      * Defines whether to encrypt the symmetric encryption key or not. If true
      * (the default), the symmetric key used for encryption is encrypted in turn,
      * and inserted into the security header in an "EncryptedKey" structure. If
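Review bot: The new Javadoc on REQUIRE_TIMESTAMP_EXPIRES does not say which side the property applies to, although the log entry and both validators only ever enforce it on a received Timestamp; a caller could read it as also affecting the Timestamp this stack emits. Suggested wording: `* Set the value of this parameter to true to require that a received Timestamp contains an "Expires" Element; inbound processing fails with a WSSecurityException if it does not. The default is "false".`. The "require that ... must have" phrasing is also doubly modal and reads better as "require that ... contains".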

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
Fri Apr 10 09:46:11 2015
@@ -72,7 +72,7 @@ public class RequestData {
     private CallbackHandler callback;
     private CallbackHandler attachmentCallbackHandler;
     private boolean enableRevocation;
-    protected boolean requireSignedEncryptedDataElements;
+    private boolean requireSignedEncryptedDataElements;
     private ReplayCache timestampReplayCache;
     private ReplayCache nonceReplayCache;
     private ReplayCache samlOneTimeUseReplayCache;
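Review bot: The narrowing of `requireSignedEncryptedDataElements` from `protected` to `private` is unrelated to WSS-530 and is a source-incompatible change for any subclass of RequestData that reads the field directly; nothing in the log mentions it. Whether such subclasses exist is not visible here, so either call it out in the commit message as a deliberate cleanup (the field is presumably reachable through an accessor, as the new `requireTimestampExpires` field is) or keep it out of a feature commit so it can be reverted on its own.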
@@ -94,6 +94,7 @@ public class RequestData {
     private String derivedKeyTokenReference;
     private boolean use200512Namespace = true;
     private final List<String> audienceRestrictions = new ArrayList<>();
+    private boolean requireTimestampExpires;
 
     public void clear() {
         soapConstants = null;
@@ -129,6 +130,7 @@ public class RequestData {
         derivedKeyTokenReference = null;
         setUse200512Namespace(true);
         audienceRestrictions.clear();
+        requireTimestampExpires = false;
     }
 
     public boolean isEnableTimestampReplayCache() {
@@ -580,5 +582,13 @@ public class RequestData {
     public void setUse200512Namespace(boolean use200512Namespace) {
         this.use200512Namespace = use200512Namespace;
     }
+
+    public boolean isRequireTimestampExpires() {
+        return requireTimestampExpires;
+    }
+
+    public void setRequireTimestampExpires(boolean requireTimestampExpires) {
+        this.requireTimestampExpires = requireTimestampExpires;
+    }
         
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
Fri Apr 10 09:46:11 2015
@@ -322,6 +322,7 @@ public abstract class WSHandler {
             decodeDecryptionParameter(reqData);
         }
         decodeRequireSignedEncryptedDataElements(reqData);
+        decodeRequireTimestampExpires(reqData);
     }
 
     protected boolean checkReceiverResults(
@@ -896,6 +897,13 @@ public abstract class WSHandler {
             reqData, WSHandlerConstants.REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS, false
         ));
     }
+    
+    protected void decodeRequireTimestampExpires(RequestData reqData) 
+        throws WSSecurityException {
+        reqData.setRequireTimestampExpires(decodeBooleanConfigValue(
+            reqData, WSHandlerConstants.REQUIRE_TIMESTAMP_EXPIRES, false
+        ));
+    }
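Review bot: `decodeRequireTimestampExpires` is a new protected extension point on an abstract class and has no Javadoc, unlike the constant it reads. A one-liner would do: `/** Reads {@link WSHandlerConstants#REQUIRE_TIMESTAMP_EXPIRES} from the handler configuration (default {@code false}) and stores it on the RequestData. */`. The added lines also carry trailing whitespace (the blank `+    ` line and `RequestData reqData) ` before the `throws` clause), which the rest of the hunk avoids.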
 
     protected boolean decodeBooleanConfigValue(
         RequestData reqData, String configTag, boolean defaultToTrue

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/TimestampValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/TimestampValidator.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/TimestampValidator.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/TimestampValidator.java
Fri Apr 10 09:46:11 2015
@@ -64,6 +64,13 @@ public class TimestampValidator implemen
                 "invalidTimestamp",
                 "The security semantics of the message have expired");
         }
+        
+        if (data.isRequireTimestampExpires() && timeStamp.getExpires() == null) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.SECURITY_ERROR,
+                "invalidTimestamp",
+                "The received Timestamp does not contain an expires Element");
+        }
         return credential;
     }
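Review bot: The DOM validator reports the missing Expires element as `WSSecurityException.ErrorCode.SECURITY_ERROR`, while the StAX validator in TimestampValidatorImpl (later in this commit) reports the identical condition as `ErrorCode.INVALID_SECURITY`, so the SOAP fault a client sees for the same rejected message depends on which stack processed it. The two should agree; INVALID_SECURITY seems the better fit, since the defect is structural (a malformed Security header) rather than a failed check, but whichever is chosen should be used in both places. A secondary point is ordering: the structural check runs only after the time-based checks above it, so a message that is both missing Expires and otherwise invalid is reported for the wrong reason; moving this block ahead of the expiry check would fail fast on the structural defect. The enclosing validate method starts outside this hunk.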
     

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/TimestampTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/TimestampTest.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/TimestampTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/TimestampTest.java
Fri Apr 10 09:46:11 2015
@@ -129,6 +129,49 @@ public class TimestampTest extends org.j
         assertTrue(receivedTimestamp != null);
     }
     
+    @org.junit.Test
+    public void testInvalidTimestampNoExpires() throws Exception {
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        WSSecTimestamp timestamp = new WSSecTimestamp();
+        timestamp.setTimeToLive(0);
+        Document createdDoc = timestamp.build(doc, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(createdDoc);
+            LOG.debug(outputString);
+        }
+        
+        //
+        // Do some processing
+        //
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        RequestData requestData = new RequestData();
+        requestData.setWssConfig(WSSConfig.getNewInstance());
+        requestData.setRequireTimestampExpires(true);
+        try {
+            secEngine.processSecurityHeader(doc, requestData);
+            fail("Failure expected on no Expires Element");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+
+        requestData.setWssConfig(WSSConfig.getNewInstance());
+        requestData.setRequireTimestampExpires(false);
+        WSHandlerResult wsResult = secEngine.processSecurityHeader(doc, requestData);
+        WSSecurityEngineResult actionResult = 
+            wsResult.getActionResults().get(WSConstants.TS).get(0);
+        assertTrue(actionResult != null);
+        
+        Timestamp receivedTimestamp = 
+            (Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+        assertTrue(receivedTimestamp != null);
+    }
+    
     
     /**
      * This is a test for processing an expired Timestamp.
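Review bot: The `catch (WSSecurityException ex) { // expected }` at the first `processSecurityHeader` call accepts any WSSecurityException, so the test would still pass if processing failed for an unrelated reason (a replay-cache hit or a TTL rejection, say) rather than because Expires is absent. Asserting on the error code the validator raises, e.g. `assertTrue(ex.getErrorCode() == WSSecurityException.ErrorCode.SECURITY_ERROR);`, pins the failure to the new check; the second, `setRequireTimestampExpires(false)` pass does show the message is otherwise valid, which is good. Minor style: `assertTrue(actionResult != null)` and `assertTrue(receivedTimestamp != null)` are clearer as `assertNotNull(...)`, matching the JUnit API the class already imports.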

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
Fri Apr 10 09:46:11 2015
@@ -467,6 +467,10 @@ public final class ConfigurationConverte
         boolean use200512Namespace = 
             decodeBooleanConfigValue(ConfigurationConstants.USE_2005_12_NAMESPACE, true,
config);
         properties.setUse200512Namespace(use200512Namespace);
+        
+        boolean requireTimestampExpires = 
+            decodeBooleanConfigValue(ConfigurationConstants.REQUIRE_TIMESTAMP_EXPIRES, false,
config);
+        properties.setRequireTimestampExpires(requireTimestampExpires);
     }
     
     public static void parseNonBooleanProperties(

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
Fri Apr 10 09:46:11 2015
@@ -117,6 +117,7 @@ public class WSSSecurityProperties exten
     private boolean validateSamlSubjectConfirmation = true;
     private Collection<Pattern> subjectDNPatterns = new ArrayList<>();
     private List<String> audienceRestrictions = new ArrayList<>();
+    private boolean requireTimestampExpires;
 
     private CallbackHandler attachmentCallbackHandler;
     private Object msgContext;
@@ -180,6 +181,7 @@ public class WSSSecurityProperties exten
         this.attachmentCallbackHandler = wssSecurityProperties.attachmentCallbackHandler;
         this.msgContext = wssSecurityProperties.msgContext;
         this.audienceRestrictions = wssSecurityProperties.audienceRestrictions;
+        this.requireTimestampExpires = wssSecurityProperties.requireTimestampExpires;
     }
 
     /**
@@ -980,4 +982,12 @@ public class WSSSecurityProperties exten
     public void setMsgContext(Object msgContext) {
         this.msgContext = msgContext;
     }
+
+    public boolean isRequireTimestampExpires() {
+        return requireTimestampExpires;
+    }
+
+    public void setRequireTimestampExpires(boolean requireTimestampExpires) {
+        this.requireTimestampExpires = requireTimestampExpires;
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/TimestampValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/TimestampValidatorImpl.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/TimestampValidatorImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/TimestampValidatorImpl.java
Fri Apr 10 09:46:11 2015
@@ -64,6 +64,9 @@ public class TimestampValidatorImpl impl
                 }
                 log.debug("Timestamp expires: " + expires);
                 expiresDate = expires.toGregorianCalendar().getTime();
+            } else if (tokenContext.getWssSecurityProperties().isRequireTimestampExpires())
{
+                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
"invalidTimestamp",
+                    "The received Timestamp does not contain an expires Element");
             }
 
             Date rightNow = new Date();

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java?rev=1672600&r1=1672599&r2=1672600&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
Fri Apr 10 09:46:11 2015
@@ -510,6 +510,59 @@ public class TimestampTest extends Abstr
     }
 
     @Test
+    public void testTimestampInvalidNoExpiresDateInbound() throws Exception {
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.TIMESTAMP;
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
new Properties());
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_wsu_Timestamp.getNamespaceURI(),
WSSConstants.TAG_wsu_Timestamp.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+            for (int i = 0; i < nodeList.item(0).getChildNodes().getLength(); i++) {
+                Node node = nodeList.item(0).getChildNodes().item(i);
+                if (node.getNodeType() == Node.ELEMENT_NODE && node.getLocalName().equals("Expires"))
{
+                    node.getParentNode().removeChild(node);
+                }
+            }
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        // Require a Timestamp Expires Element - should fail
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.setRequireTimestampExpires(true);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            try {
+                StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                fail("Failure expected on no Expires Element");
+            } catch (XMLStreamException e) {
+                // expected
+            }
+        }
+        
+        // No Timestamp Expires Element required - should pass
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(),
xmlStreamReader);
+
+            //header element must still be there
+            NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsu_Timestamp.getNamespaceURI(),
WSSConstants.TAG_wsu_Timestamp.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+        }
+    }
+    
+    @Test
     public void testTimestampNoChildsInbound() throws Exception {
 
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
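Review bot: The `catch (XMLStreamException e) { // expected }` in the "should fail" block does not check that the exception originates from the new validator check; any streaming error while reading the document, including a malformed message produced by the DOM surgery above, would also satisfy the test. If the inbound processor wraps the validator's WSSecurityException as the cause, as the other inbound tests in this class appear to rely on, assert it: `Assert.assertNotNull(e.getCause()); Assert.assertTrue(e.getCause() instanceof WSSecurityException);`. The removal loop over `getChildNodes()` iterates a live NodeList by index, so removing a node skips its following sibling; that is harmless here because a single Expires element is removed, but a comment saying so would save the next reader from spotting it as a bug.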


