Author: coheigea
Date: Tue Sep 27 15:52:05 2011
New Revision: 1176443
URL: http://svn.apache.org/viewvc?rev=1176443&view=rev
Log:
[CXF-3827] - Cancelling a SCT with STS is missing verification of proof of
possession key
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
Tue Sep 27 15:52:05 2011
@@ -19,17 +19,27 @@
package org.apache.cxf.sts.token.canceller;
+import java.util.Arrays;
+import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.xml.ws.handler.MessageContext;
+
import org.w3c.dom.Element;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSUtils;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.SecurityContextToken;
/**
@@ -39,6 +49,9 @@ public class SCTCanceller implements Tok
private static final Logger LOG =
LogUtils.getL7dLogger(SCTCanceller.class);
+ // boolean to enable/disable the check of proof of possession
+ private boolean verifyProofOfPossession = true;
+
/**
* Return true if this TokenValidator implementation is capable of
validating the
* ReceivedToken argument.
@@ -84,6 +97,13 @@ public class SCTCanceller implements Tok
LOG.fine("Identifier: " + identifier + " is not found in
the cache");
return response;
}
+ if (verifyProofOfPossession && !matchKey(tokenParameters,
token.getSecret())) {
+ throw new STSException(
+ "Failed to verify the proof of possession of the key
associated with the "
+ + "security context. No matching key found in the
request.",
+ STSException.INVALID_REQUEST
+ );
+ }
tokenParameters.getTokenStore().remove(token);
response.setTokenCancelled(true);
} catch (WSSecurityException ex) {
@@ -92,5 +112,37 @@ public class SCTCanceller implements Tok
}
return response;
}
+
+ private boolean matchKey(TokenCancellerParameters tokenParameters, byte[]
secretKey) {
+ boolean result = false;
+ MessageContext messageContext =
tokenParameters.getWebServiceContext().getMessageContext();
+ final List<WSHandlerResult> handlerResults =
+ CastUtils.cast((List<?>)
messageContext.get(WSHandlerConstants.RECV_RESULTS));
+
+ if (handlerResults != null && handlerResults.size() > 0) {
+ WSHandlerResult handlerResult = handlerResults.get(0);
+ List<WSSecurityEngineResult> engineResults =
handlerResult.getResults();
+
+ for (WSSecurityEngineResult engineResult : engineResults) {
+ Integer action =
(Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
+ if (action.equals(WSConstants.SIGN)) {
+ byte[] receivedKey =
(byte[])engineResult.get(WSSecurityEngineResult.TAG_SECRET);
+ if (Arrays.equals(secretKey, receivedKey)) {
+ LOG.log(
+ Level.FINE,
+ "Verification of the proof of possession of the
key associated with "
+ + "the security context successful."
+ );
+ return true;
+ }
+ }
+ }
+ }
+
+ return result;
+ }
+ public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
+ this.verifyProofOfPossession = verifyProofOfPossession;
+ }
}
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java
Tue Sep 27 15:52:05 2011
@@ -29,6 +29,11 @@ import org.apache.cxf.sts.request.Receiv
public interface TokenCanceller {
/**
+ * boolean for enabling/disabling verification of proof of possession.
+ */
+ void setVerifyProofOfPossession(boolean verifyProofOfPossession);
+
+ /**
* Return true if this TokenCanceller implementation is able to cancel a
token
* that corresponds to the given token.
*/
Modified:
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java
Tue Sep 27 15:52:05 2011
@@ -32,12 +32,12 @@ public class HazelCastTokenStoreTest ext
// tests STSCache apis for storing in the cache.
@org.junit.Test
- @org.junit.Ignore
public void testCacheStore() throws Exception {
String key = "key";
SecurityToken token = new SecurityToken(key);
store.add(token);
- assertEquals(token, store.getToken(key));
+ SecurityToken cachedToken = store.getToken(key);
+ assertEquals(token.getId(), cachedToken.getId());
store.remove(token);
assertNull(store.getToken(key));
store.add(token, new Integer(1));
@@ -48,7 +48,6 @@ public class HazelCastTokenStoreTest ext
// tests STSCache apis for removing from the cache.
@org.junit.Test
- @org.junit.Ignore
public void testCacheRemove() {
SecurityToken token1 = new SecurityToken("token1");
SecurityToken token2 = new SecurityToken("token2");
Modified:
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java
Tue Sep 27 15:52:05 2011
@@ -80,7 +80,9 @@ public class CancelSCTUnitTest extends o
// Add Token Canceller
List<TokenCanceller> cancellerList = new ArrayList<TokenCanceller>();
- cancellerList.add(new SCTCanceller());
+ TokenCanceller sctCanceller = new SCTCanceller();
+ sctCanceller.setVerifyProofOfPossession(false);
+ cancellerList.add(sctCanceller);
cancelOperation.setTokenCancellers(cancellerList);
// Add STSProperties object
Modified:
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java
Tue Sep 27 15:52:05 2011
@@ -59,6 +59,7 @@ public class SCTCancellerTest extends or
@org.junit.Test
public void testCancelToken() throws Exception {
TokenCanceller sctCanceller = new SCTCanceller();
+ sctCanceller.setVerifyProofOfPossession(false);
TokenCancellerParameters cancellerParameters =
createCancellerParameters();
TokenRequirements tokenRequirements =
cancellerParameters.getTokenRequirements();
@@ -85,6 +86,7 @@ public class SCTCancellerTest extends or
@org.junit.Test
public void testCancelInvalidToken() throws Exception {
TokenCanceller sctCanceller = new SCTCanceller();
+ sctCanceller.setVerifyProofOfPossession(false);
TokenCancellerParameters cancellerParameters =
createCancellerParameters();
TokenRequirements tokenRequirements =
cancellerParameters.getTokenRequirements();