ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1689904 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/token/ ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/ ws-security-dom/src/test/java/org/apache/wss4j/dom/message/
Date Wed, 08 Jul 2015 15:44:25 GMT
Author: coheigea
Date: Wed Jul  8 15:44:25 2015
New Revision: 1689904

URL: http://svn.apache.org/r1689904
Log:
[WSS-544] - Disable new storeBytesInAttachment for encryption before signing

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java?rev=1689904&r1=1689903&r2=1689904&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java
Wed Jul  8 15:44:25 2015
@@ -19,12 +19,16 @@
 
 package org.apache.wss4j.common.token;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.Arrays;
+import java.util.UUID;
 
 import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.wss4j.common.bsp.BSPEnforcer;
 import org.apache.wss4j.common.bsp.BSPRule;
+import org.apache.wss4j.common.ext.Attachment;
+import org.apache.wss4j.common.ext.AttachmentResultCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.common.util.XMLUtils;
@@ -34,6 +38,7 @@ import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.Text;
 
+import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.xml.namespace.QName;
@@ -49,6 +54,16 @@ public class BinarySecurity {
     
     private Element element;
     private byte[] data;
+    private boolean storeBytesInAttachment;
+    private CallbackHandler attachmentCallbackHandler;
+
+    public CallbackHandler getAttachmentCallbackHandler() {
+        return attachmentCallbackHandler;
+    }
+
+    public void setAttachmentCallbackHandler(CallbackHandler attachmentCallbackHandler) {
+        this.attachmentCallbackHandler = attachmentCallbackHandler;
+    }
 
     /**
      * Constructor.
@@ -87,7 +102,6 @@ public class BinarySecurity {
     public BinarySecurity(Document doc) {
         element = doc.createElementNS(WSS4JConstants.WSSE_NS, "wsse:BinarySecurityToken");
         setEncodingType(WSS4JConstants.BASE64_ENCODING);
-        element.appendChild(doc.createTextNode(""));
     }
     
     /**
@@ -201,13 +215,38 @@ public class BinarySecurity {
      * 
      * @param data 
      */
-    public void setToken(byte[] data) {
+    public void setToken(byte[] data) throws WSSecurityException {
         if (data == null) {
             throw new IllegalArgumentException("data == null");
         }
-        Text node = getFirstNode();
-        node.setData(Base64.encode(data));
-        setRawToken(data);
+        if (storeBytesInAttachment && attachmentCallbackHandler != null) {
+            Document document = element.getOwnerDocument();
+            final String attachmentId = "_" + UUID.randomUUID().toString();
+            
+            element.setAttributeNS(XMLUtils.XMLNS_NS, "xmlns:xop", WSS4JConstants.XOP_NS);
+            Element xopInclude =
+                document.createElementNS(WSS4JConstants.XOP_NS, "xop:Include");
+            xopInclude.setAttributeNS(null, "href", "cid:" + attachmentId);
+            element.appendChild(xopInclude);
+            
+            Attachment resultAttachment = new Attachment();
+            resultAttachment.setId(attachmentId);
+            resultAttachment.setMimeType("application/ciphervalue");
+            resultAttachment.setSourceStream(new ByteArrayInputStream(data));
+            
+            AttachmentResultCallback attachmentResultCallback = new AttachmentResultCallback();
+            attachmentResultCallback.setAttachmentId(attachmentId);
+            attachmentResultCallback.setAttachment(resultAttachment);
+            try {
+                attachmentCallbackHandler.handle(new Callback[]{attachmentResultCallback});
+            } catch (Exception e) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+            }
+        } else {
+            Text node = getFirstNode();
+            node.setData(Base64.encode(data));
+            setRawToken(data);
+        }
     }
     
     /**
@@ -324,4 +363,12 @@ public class BinarySecurity {
         }
         return true;
     }
+
+    public boolean isStoreBytesInAttachment() {
+        return storeBytesInAttachment;
+    }
+
+    public void setStoreBytesInAttachment(boolean storeBytesInAttachment) {
+        this.storeBytesInAttachment = storeBytesInAttachment;
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java?rev=1689904&r1=1689903&r2=1689904&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
Wed Jul  8 15:44:25 2015
@@ -125,6 +125,7 @@ public abstract class WSHandler {
         reqData.setStoreBytesInAttachment(storeBytesInAttachment);
         
         // Perform configuration
+        boolean encryptionFound = false;
         for (HandlerAction actionToDo : actions) {
             if (actionToDo.getAction() == WSConstants.SC) {
                 reqData.setEnableSignatureConfirmation(true);
@@ -147,12 +148,18 @@ public abstract class WSHandler {
                     actionToken.setCrypto(loadSignatureCrypto(reqData));
                 }
                 decodeSignatureParameter(reqData);
+                if (encryptionFound && storeBytesInAttachment) {
+                    LOG.warn("Turning off storeBytesInAttachment as we have encryption before
signature."
+                             + " The danger here is that the actual encryption bytes will
not be signed");
+                    reqData.setStoreBytesInAttachment(false);
+                }
             } else if (actionToDo.getAction() == WSConstants.ST_SIGNED 
                 && actionToDo.getActionToken() == null) {
                 decodeSignatureParameter(reqData);
             } else if ((actionToDo.getAction() == WSConstants.ENCR
                 || actionToDo.getAction() == WSConstants.DKT_ENCR)
                 && actionToDo.getActionToken() == null) {
+                encryptionFound = true;
                 EncryptionActionToken actionToken = reqData.getEncryptionToken();
                 if (actionToken == null) {
                     actionToken = new EncryptionActionToken();

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java?rev=1689904&r1=1689903&r2=1689904&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
Wed Jul  8 15:44:25 2015
@@ -22,6 +22,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.UUID;
@@ -37,9 +38,12 @@ import org.apache.wss4j.common.util.XMLU
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSConfig;
 import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.common.CustomHandler;
 import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
 import org.apache.wss4j.dom.common.SOAPUtil;
+import org.apache.wss4j.dom.handler.HandlerAction;
 import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.w3c.dom.Document;
@@ -502,50 +506,103 @@ public class XOPAttachmentTest extends o
         assertTrue(processedDoc.contains(SOAP_BODY));
     }
     
-    // TODO
     @org.junit.Test
-    @org.junit.Ignore
-    public void testEncryptedSignedSOAPBody() throws Exception {
-        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
-        WSSecHeader secHeader = new WSSecHeader(doc);
-        secHeader.insertSecurityHeader();
+    public void testSignedEncryptedSOAPBodyViaHandler() throws Exception {
+        final WSSConfig cfg = WSSConfig.getNewInstance();
+        final RequestData reqData = new RequestData();
+        reqData.setWssConfig(cfg);
+        reqData.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e");
         
         AttachmentCallbackHandler outboundAttachmentCallback = new AttachmentCallbackHandler();
+        reqData.setAttachmentCallbackHandler(outboundAttachmentCallback);
         
-        WSSecEncrypt encrypt = new WSSecEncrypt();
-        encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
-        encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
-
-        encrypt.setAttachmentCallbackHandler(outboundAttachmentCallback);
-        encrypt.setStoreBytesInAttachment(true);
-        encrypt.getParts().add(new WSEncryptionPart("Body", "http://schemas.xmlsoap.org/soap/envelope/",
"Content"));
-
-        encrypt.build(doc, crypto, secHeader);
         
-        WSSecSignature builder = new WSSecSignature();
-        builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
-        builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+        java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+        config.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
+        config.put(WSHandlerConstants.ENC_PROP_FILE, "crypto.properties");
+        config.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); 
+        config.put("password", "security");
+        config.put(WSHandlerConstants.STORE_BYTES_IN_ATTACHMENT, "true");
+        reqData.setMsgContext(config);
+        
+        final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        CustomHandler handler = new CustomHandler();
+        List<HandlerAction> actions = new ArrayList<>();
+        actions.add(new HandlerAction(WSConstants.SIGN));
+        actions.add(new HandlerAction(WSConstants.ENCR));
+        
+        handler.send(
+            doc, 
+            reqData, 
+            actions,
+            true
+        );
+        String outputString = 
+            XMLUtils.PrettyDocumentToString(doc);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Signed message:");
+            LOG.debug(outputString);
+        }
         
-        builder.setAttachmentCallbackHandler(outboundAttachmentCallback);
-        builder.setStoreBytesInAttachment(true);
-        builder.getParts().add(new WSEncryptionPart("Body", "http://schemas.xmlsoap.org/soap/envelope/",
"Content"));
-        Document signedDoc = builder.build(doc, crypto, secHeader);
+        List<Attachment> encryptedAttachments = outboundAttachmentCallback.getResponseAttachments();
+        assertNotNull(encryptedAttachments);
+        assertTrue(encryptedAttachments.size() == 3);
+        
+        AttachmentCallbackHandler inboundAttachmentCallback = 
+            new AttachmentCallbackHandler(encryptedAttachments);
+        verify(doc, inboundAttachmentCallback);
+        
+        String processedDoc = XMLUtils.PrettyDocumentToString(doc);
+        assertTrue(processedDoc.contains(SOAP_BODY));
+    }
+    
+    @org.junit.Test
+    public void testEncryptedSignedSOAPBodyViaHandler() throws Exception {
+        final WSSConfig cfg = WSSConfig.getNewInstance();
+        final RequestData reqData = new RequestData();
+        reqData.setWssConfig(cfg);
+        reqData.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e");
+        
+        AttachmentCallbackHandler outboundAttachmentCallback = new AttachmentCallbackHandler();
+        reqData.setAttachmentCallbackHandler(outboundAttachmentCallback);
         
-        List<Attachment> signedAttachments = outboundAttachmentCallback.getResponseAttachments();
-        assertNotNull(signedAttachments);
-        assertTrue(signedAttachments.size() == 3);
         
+        java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+        config.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
+        config.put(WSHandlerConstants.ENC_PROP_FILE, "crypto.properties");
+        config.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); 
+        config.put("password", "security");
+        config.put(WSHandlerConstants.STORE_BYTES_IN_ATTACHMENT, "true");
+        reqData.setMsgContext(config);
+        
+        final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        CustomHandler handler = new CustomHandler();
+        List<HandlerAction> actions = new ArrayList<>();
+        actions.add(new HandlerAction(WSConstants.ENCR));
+        actions.add(new HandlerAction(WSConstants.SIGN));
+        
+        handler.send(
+            doc, 
+            reqData, 
+            actions,
+            true
+        );
+        String outputString = 
+            XMLUtils.PrettyDocumentToString(doc);
         if (LOG.isDebugEnabled()) {
-            String outputString = XMLUtils.PrettyDocumentToString(signedDoc);
+            LOG.debug("Signed message:");
             LOG.debug(outputString);
-            // System.out.println(outputString);
         }
-
+        
+        List<Attachment> encryptedAttachments = outboundAttachmentCallback.getResponseAttachments();
+        assertNotNull(encryptedAttachments);
+        assertTrue(encryptedAttachments.size() == 0);
+        
         AttachmentCallbackHandler inboundAttachmentCallback = 
-            new AttachmentCallbackHandler(signedAttachments);
-        verify(signedDoc, inboundAttachmentCallback);
+            new AttachmentCallbackHandler(encryptedAttachments);
+        verify(doc, inboundAttachmentCallback);
         
-        String processedDoc = XMLUtils.PrettyDocumentToString(signedDoc);
+        String processedDoc = XMLUtils.PrettyDocumentToString(doc);
         assertTrue(processedDoc.contains(SOAP_BODY));
     }
     



Mime
View raw message