Author: coheigea
Date: Tue May 15 10:24:03 2012
New Revision: 1338625
URL: http://svn.apache.org/viewvc?rev=1338625&view=rev
Log:
Merged revisions 1338623 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.5.x-fixes
........
r1338623 | coheigea | 2012-05-15 11:21:55 +0100 (Tue, 15 May 2012) | 7 lines
[CXF-4316] - Support SupportingToken SignedElements with the Transport binding
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
........
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1338625&r1=1338624&r2=1338625&view=diff
==============================================================================
---
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Tue May 15 10:24:03 2012
@@ -531,6 +531,7 @@ public abstract class AbstractBindingBui
try {
uname =
crypto.getX509Identifier(secToken.getX509Certificate());
} catch (WSSecurityException e1) {
+ LOG.log(Level.FINE, e1.getMessage(), e1);
throw new Fault(e1);
}
@@ -539,6 +540,7 @@ public abstract class AbstractBindingBui
try {
sig.prepare(saaj.getSOAPPart(), secToken.getCrypto(),
secHeader);
} catch (WSSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
@@ -1217,7 +1219,8 @@ public abstract class AbstractBindingBui
// Handle sign/enc elements
try {
result.addAll(this.getElements("Element", xpaths, namespaces,
found));
- } catch (XPathExpressionException e) {
+ } catch (XPathExpressionException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
// REVISIT
}
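Review bot: The XPathExpressionException is still swallowed at the `// REVISIT` line after the new FINE log, so a SignedElements XPath that fails to evaluate silently yields a parts list that lacks elements the policy requires, and as far as this hunk shows the outbound message is still built and sent with a signature that does not cover them. Because this list defines what the signature must cover, an unresolvable policy-mandated element should surface as an error rather than be dropped, e.g. `throw new Fault(e);` in place of the comment (or `policyNotAsserted(...)` if a Token is in scope here, which the hunk does not show). The same log-and-swallow appears in the next hunk (the "Content" branch) and in the new signPartsAndElements method added to TransportBindingHandler.java. The enclosing method starts and ends outside this hunk.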
@@ -1225,6 +1228,7 @@ public abstract class AbstractBindingBui
try {
result.addAll(this.getElements("Content", contentXpaths,
cnamespaces, found));
} catch (XPathExpressionException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
// REVISIT
}
@@ -1254,7 +1258,7 @@ public abstract class AbstractBindingBui
* if there is an error extracting SOAP content from the SAAJ
* model
*/
- private List<WSEncryptionPart> getParts(boolean sign,
+ protected List<WSEncryptionPart> getParts(boolean sign,
boolean includeBody, List<WSEncryptionPart> parts,
List<Element> found) throws SOAPException {
@@ -1333,7 +1337,7 @@ public abstract class AbstractBindingBui
* if there is an error extracting SOAP content from the SAAJ
* model
*/
- private List<WSEncryptionPart> getElements(String encryptionModifier,
+ protected List<WSEncryptionPart> getElements(String encryptionModifier,
List<String> xpaths, Map<String, String> namespaces,
List<Element> found) throws XPathExpressionException,
SOAPException {
@@ -1761,6 +1765,7 @@ public abstract class AbstractBindingBui
try {
user = crypto.getDefaultX509Identifier();
} catch (WSSecurityException e1) {
+ LOG.log(Level.FINE, e1.getMessage(), e1);
throw new Fault(e1);
}
}
@@ -1778,6 +1783,7 @@ public abstract class AbstractBindingBui
try {
sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
} catch (WSSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
policyNotAsserted(token, e);
}
@@ -1849,8 +1855,7 @@ public abstract class AbstractBindingBui
doSymmSignature(ent.getKey(), token, sigParts,
isTokenProtection);
}
} catch (Exception e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ LOG.log(Level.FINE, e.getMessage(), e);
}
} else if (tempTok instanceof WSSecUsernameToken) {
WSSecUsernameToken utBuilder = (WSSecUsernameToken)tempTok;
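Review bot: Replacing printStackTrace with a FINE log leaves the `catch (Exception e)` around doSymmSignature swallowing the failure, so a supporting-token signature that cannot be produced is now invisible at default log levels and processing continues without it. The earlier hunk around sig.prepare reports the same kind of failure with `policyNotAsserted(token, e);`; doing the same here after the log line (if `token` in this branch is the policy Token that method expects, which the hunk does not show) or rethrowing as `throw new Fault(e);` would keep the failed signature from being dropped silently. The identical catch in the next hunk (the secToken branch) has the same issue. The enclosing method starts and ends outside this hunk.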
@@ -1876,8 +1881,7 @@ public abstract class AbstractBindingBui
doSymmSignature(ent.getKey(), secToken, sigParts,
isTokenProtection);
}
} catch (Exception e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ LOG.log(Level.FINE, e.getMessage(), e);
}
}
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1338625&r1=1338624&r2=1338625&view=diff
==============================================================================
---
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Tue May 15 10:24:03 2012
@@ -23,9 +23,12 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
+import java.util.logging.Level;
import javax.xml.crypto.dsig.Reference;
+import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
+import javax.xml.xpath.XPathExpressionException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -45,6 +48,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.policy.model.Token;
@@ -148,6 +152,7 @@ public class TransportBindingHandler ext
addSignatureConfirmation(null);
}
} catch (Exception e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
@@ -272,7 +277,6 @@ public class TransportBindingHandler ext
private void handleEndorsingToken(
Token token, SupportingToken wrapper, List<byte[]> signatureValues
) throws Exception {
- SignedEncryptedParts signdParts = wrapper.getSignedParts();
if (token instanceof IssuedToken
|| token instanceof SecureConversationToken
|| token instanceof SecurityContextToken
@@ -280,13 +284,13 @@ public class TransportBindingHandler ext
|| token instanceof KerberosToken) {
addSig(
signatureValues,
- doIssuedTokenSignature(token, signdParts, wrapper)
+ doIssuedTokenSignature(token, wrapper)
);
} else if (token instanceof X509Token
|| token instanceof KeyValueToken) {
addSig(
signatureValues,
- doX509TokenSignature(token, signdParts, wrapper)
+ doX509TokenSignature(token, wrapper)
);
} else if (token instanceof SamlToken) {
AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
@@ -294,7 +298,7 @@ public class TransportBindingHandler ext
storeAssertionAsSecurityToken(assertionWrapper);
addSig(
signatureValues,
- doIssuedTokenSignature(token, signdParts, wrapper)
+ doIssuedTokenSignature(token, wrapper)
);
} else if (token instanceof UsernameToken) {
// Create a UsernameToken object for derived keys and store the
security token
@@ -313,37 +317,20 @@ public class TransportBindingHandler ext
addSig(
signatureValues,
- doIssuedTokenSignature(token, signdParts, wrapper)
+ doIssuedTokenSignature(token, wrapper)
);
}
}
- private byte[] doX509TokenSignature(Token token, SignedEncryptedParts
signedParts,
- TokenWrapper wrapper)
+ private byte[] doX509TokenSignature(Token token, SupportingToken wrapper)
throws Exception {
Document doc = saaj.getSOAPPart();
- List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
+ List<WSEncryptionPart> sigParts =
+ signPartsAndElements(wrapper.getSignedParts(),
wrapper.getSignedElements());
- if (timestampEl != null) {
- WSEncryptionPart timestampPart =
convertToEncryptionPart(timestampEl.getElement());
- sigParts.add(timestampPart);
- }
-
- if (signedParts != null) {
- if (signedParts.isBody()) {
- WSEncryptionPart bodyPart =
convertToEncryptionPart(saaj.getSOAPBody());
- sigParts.add(bodyPart);
- }
- for (Header header : signedParts.getHeaders()) {
- WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
- header.getNamespace(),
- "Content");
- sigParts.add(wep);
- }
- }
if (token.isDerivedKeys()) {
WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token);
@@ -394,12 +381,11 @@ public class TransportBindingHandler ext
}
private byte[] doIssuedTokenSignature(
- Token token, SignedEncryptedParts signdParts, TokenWrapper wrapper
+ Token token, SupportingToken wrapper
) throws Exception {
boolean tokenIncluded = false;
// Get the issued token
SecurityToken secTok = getSecurityToken();
- List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
if (includeToken(token.getInclusion())) {
//Add the token
@@ -414,29 +400,8 @@ public class TransportBindingHandler ext
tokenIncluded = true;
}
- if (timestampEl != null) {
- WSEncryptionPart timestampPart =
convertToEncryptionPart(timestampEl.getElement());
- sigParts.add(timestampPart);
- }
-
- if (signdParts != null) {
- if (signdParts.isBody()) {
- WSEncryptionPart bodyPart =
convertToEncryptionPart(saaj.getSOAPBody());
- sigParts.add(bodyPart);
- }
- if (secTok.getX509Certificate() != null) {
- //the "getX509Certificate" this is to workaround an issue in
WCF
- //In WCF, for TransportBinding, in most cases, it doesn't want
any of
- //the headers signed even if the policy says so. HOWEVER,
for KeyValue
- //IssuedTokens, it DOES want them signed
- for (Header header : signdParts.getHeaders()) {
- WSEncryptionPart wep = new
WSEncryptionPart(header.getName(),
- header.getNamespace(),
- "Content");
- sigParts.add(wep);
- }
- }
- }
+ List<WSEncryptionPart> sigParts =
+ signPartsAndElements(wrapper.getSignedParts(),
wrapper.getSignedElements());
if (token.isDerivedKeys()) {
return doDerivedKeySignature(tokenIncluded, secTok, token,
sigParts);
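Review bot: The rewrite removes the `secTok.getX509Certificate() != null` guard (the WCF workaround in the deleted lines), so doIssuedTokenSignature now always requests every SignedParts header regardless of the token type, while the log message only mentions SignedElements support; confirm this behavioural change is intended. The deleted code also built header parts with the `"Content"` modifier, whereas signPartsAndElements creates them with `"Element"` before handing them to getParts, and the same modifier change applies to doX509TokenSignature in the earlier hunk; whether this alters the signature references depends on how getParts treats the modifier, which is outside the hunk. doIssuedTokenSignature continues past the end of this hunk.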
@@ -590,6 +555,61 @@ public class TransportBindingHandler ext
return sig.getSignatureValue();
}
+ /**
+ * Identifies the portions of the message to be signed/encrypted.
+ */
+ private List<WSEncryptionPart> signPartsAndElements(
+ SignedEncryptedParts signedParts,
+ SignedEncryptedElements signedElements
+ ) throws SOAPException {
+
+ List<WSEncryptionPart> result = new ArrayList<WSEncryptionPart>();
+ List<Element> found = new ArrayList<Element>();
+
+ // Add timestamp
+ if (timestampEl != null) {
+ WSEncryptionPart timestampPart =
+ new WSEncryptionPart("Timestamp", WSConstants.WSU_NS,
"Element");
+ String id = addWsuIdToElement(timestampEl.getElement());
+ timestampPart.setId(id);
+ timestampPart.setElement(timestampEl.getElement());
+
+ found.add(timestampPart.getElement());
+ result.add(timestampPart);
+ }
+
+ // Add SignedParts
+ if (signedParts != null) {
+ List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
+ boolean isSignBody = signedParts.isBody();
+
+ for (Header head : signedParts.getHeaders()) {
+ WSEncryptionPart wep =
+ new WSEncryptionPart(head.getName(), head.getNamespace(),
"Element");
+ parts.add(wep);
+ }
+
+ // Handle sign/enc parts
+ result.addAll(this.getParts(true, isSignBody, parts, found));
+ }
+
+ if (signedElements != null) {
+ // Handle SignedElements
+ try {
+ result.addAll(
+ this.getElements(
+ "Element", signedElements.getXPathExpressions(),
+ signedElements.getDeclaredNamespaces(), found
+ )
+ );
+ } catch (XPathExpressionException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ // REVISIT
+ }
+ }
+
+ return result;
+ }
}
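Review bot: The Javadoc on the new signPartsAndElements says "signed/encrypted", but the method only assembles signature parts (getParts is called with sign=true and the callers feed the result to signature builders), and neither parameter nor the `found` list is described. Suggest a Javadoc stating that it returns the WSEncryptionParts an endorsing signature must cover — the Timestamp when one was added, the SignedParts body and headers, and the elements matched by the SignedElements XPath expressions — with `@param` entries noting that either argument may be null and is then skipped, `@throws SOAPException` from getParts, and a sentence that an XPath which fails to evaluate is logged at FINE and omitted rather than failing. The purpose of `found` (presumably elements already referenced, so they are not added twice) is inferred from its name and should be confirmed against getParts/getElements in AbstractBindingBuilder before documenting it.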
Modified:
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL:
http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1338625&r1=1338624&r2=1338625&view=diff
==============================================================================
---
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
(original)
+++
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
Tue May 15 10:24:03 2012
@@ -837,11 +837,9 @@
<sp:Body/>
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
- <!--
<sp:SignedElements>
- <sp:XPath>//ReplyTo</sp:XPath>
+ <sp:XPath>//*[local-name()='ReplyTo']</sp:XPath>
</sp:SignedElements>
- -->
</wsp:Policy>
</sp:EndorsingSupportingTokens>
</wsp:All>
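Review bot: The new XPath `//*[local-name()='ReplyTo']` matches a ReplyTo element in any namespace, which is broader than the addressing header (namespace `http://www.w3.org/2005/08/addressing`, declared on the SignedParts header above) the test presumably intends; the original `//ReplyTo` likely failed because that header is namespaced. The TransportBindingHandler hunk passes `signedElements.getDeclaredNamespaces()` to the XPath evaluation, so a namespace-bound expression such as `<sp:XPath xmlns:wsa="http://www.w3.org/2005/08/addressing">//wsa:ReplyTo</sp:XPath>` would pin the policy to the intended element — assuming the declared-namespace lookup picks up a declaration on the XPath element, which should be confirmed against the policy builder.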