Repository: cxf Updated Branches: refs/heads/master 5f49a3e06 -> af577d218
Updated the MTOM code Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/af577d21 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/af577d21 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/af577d21 Branch: refs/heads/master Commit: af577d218398d35a3f52a34bb489789e97f1e8a1 Parents: 5f49a3e Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Apr 1 16:25:16 2014 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Apr 1 16:25:30 2014 +0100 ---------------------------------------------------------------------- .../ws/security/wss4j/WSS4JOutInterceptor.java | 35 ++++++++++-------- .../security/wss4j/WSS4JStaxOutInterceptor.java | 29 ++++++++++----- .../cxf/systest/ws/mtom/MTOMSecurityTest.java | 32 +++++++++++++++-- .../cxf/systest/ws/mtom/DoubleItMtom.wsdl | 7 ++-- .../org/apache/cxf/systest/ws/mtom/client.xml | 35 +++++++++++++++++- .../org/apache/cxf/systest/ws/mtom/server.xml | 37 ++++++++++++++++++-- 6 files changed, 146 insertions(+), 29 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/af577d21/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java index 6137701..66434c3 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java 
@@ -81,15 +81,31 @@ public class WSS4JOutInterceptor extends AbstractWSS4JInterceptor { public boolean isAllowMTOM() { return mtomEnabled; } + /** - * Enable or disable mtom with WS-Security. By default MTOM is disabled as - * attachments would not get encrypted or be part of the signature. + * Enable or disable mtom with WS-Security. MTOM is disabled if we are signing or + * encrypting the message Body, as otherwise attachments would not get encrypted + * or be part of the signature. * @param mtomEnabled */ public void setAllowMTOM(boolean allowMTOM) { this.mtomEnabled = allowMTOM; } + protected void handleSecureMTOM(SoapMessage mc, List<HandlerAction> actions) { + if (mtomEnabled) { + return; + } + + //must turn off mtom when using WS-Sec so binary is inlined so it can + //be properly signed/encrypted/etc... + String mtomKey = org.apache.cxf.message.Message.MTOM_ENABLED; + if (mc.get(mtomKey) == Boolean.TRUE) { + LOG.warning("MTOM will be disabled as the WSS4JOutInterceptor.mtomEnabled property" + + " is set to false"); + } + mc.put(mtomKey, Boolean.FALSE); + } @Override public Object getProperty(Object msgContext, String key) { @@ -106,17 +122,6 @@ public class WSS4JOutInterceptor extends AbstractWSS4JInterceptor { } public void handleMessage(SoapMessage mc) throws Fault { - //must turn off mtom when using WS-Sec so binary is inlined so it can - //be properly signed/encrypted/etc... - if (!mtomEnabled) { - String mtomKey = org.apache.cxf.message.Message.MTOM_ENABLED; - if (mc.get(mtomKey) == Boolean.TRUE) { - LOG.warning("MTOM will be disabled as the WSS4JOutInterceptor.mtomEnabled property" - + " is set to false"); - } - mc.put(mtomKey, Boolean.FALSE); - } - if (mc.getContent(SOAPMessage.class) == null) { saajOut.handleMessage(mc); } @@ -190,6 +195,8 @@ public class WSS4JOutInterceptor extends AbstractWSS4JInterceptor { if (actions.isEmpty()) { return; } + + handleSecureMTOM(mc, actions); /* * For every action we need a username, so get this now. The 
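Review bot: The new `handleSecureMTOM(SoapMessage mc, List<HandlerAction> actions)` never reads `actions`, so MTOM is forced off for every configured action whenever `mtomEnabled` is false, while the rewritten Javadoc on `setAllowMTOM` says this happens only when the message Body is signed or encrypted. Either make the Javadoc describe what the code does, or inspect `actions` before putting `Boolean.FALSE` under `MTOM_ENABLED`. The Javadoc should also spell out the consequence of passing `true`: by its own wording the attachments are then not encrypted or covered by the signature unless the caller lists them as secured parts, and nothing in this hunk checks that. The tag `@param mtomEnabled` should read `@param allowMTOM`. The same unused-parameter and Javadoc points apply to `handleSecureMTOM(SoapMessage, WSSSecurityProperties)` in the WSS4JStaxOutInterceptor hunk.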
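Review bot: In the `@@ -190,6 +195,8 @@` hunk, `handleSecureMTOM(mc, actions)` runs after the `actions.isEmpty()` return, whereas the removed block was the first statement of `handleMessage`, ahead of `saajOut.handleMessage(mc)`. If anything between those two points already reads `Message.MTOM_ENABLED` while building the message, the binary could stay out of line and outside the signed Body even though the flag is later set to false; the hunk does not show enough to rule that out. A comment at the call would record why the later position is safe, for example `// MTOM_ENABLED is not consulted before this point (confirm), so switching it off here still inlines the binary`. The enclosing method starts and ends outside the hunk.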
@@ -238,7 +245,7 @@ public class WSS4JOutInterceptor extends AbstractWSS4JInterceptor { * into FORM_STRING. This string is converted into a document. * During the FORM_STRING serialization CXF performs multi-ref of * complex data types (if requested), generates and inserts - * references for attachements and so on. The resulting Document + * references for attachments and so on. The resulting Document * MUST be the complete and final SOAP request as CXF would send it * over the wire. Therefore this must shall be the last (or only) * handler in a chain. Now we can perform our security operations on http://git-wip-us.apache.org/repos/asf/cxf/blob/af577d21/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxOutInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxOutInterceptor.java index 574e18a..f7d90cf 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxOutInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxOutInterceptor.java @@ -23,11 +23,13 @@ import java.util.HashMap; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.logging.Logger; import javax.xml.stream.XMLStreamException; import javax.xml.stream.XMLStreamWriter; import org.apache.cxf.binding.soap.SoapMessage; +import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor; import org.apache.cxf.interceptor.AttachmentOutInterceptor; import org.apache.cxf.interceptor.Fault; 
@@ -59,6 +61,7 @@ public class WSS4JStaxOutInterceptor extends AbstractWSS4JStaxInterceptor { public static final String OUTPUT_STREAM_HOLDER = WSS4JStaxOutInterceptor.class.getName() + ".outputstream"; + private static final Logger LOG = LogUtils.getL7dLogger(WSS4JStaxOutInterceptor.class); private WSS4JStaxOutInterceptorInternal ending; private boolean mtomEnabled; @@ -92,27 +95,36 @@ public class WSS4JStaxOutInterceptor extends AbstractWSS4JStaxInterceptor { } /** - * Enable or disable mtom with WS-Security. By default MTOM is disabled as - * attachments would not get encrypted or be part of the signature. + * Enable or disable mtom with WS-Security. MTOM is disabled if we are signing or + * encrypting the message Body, as otherwise attachments would not get encrypted + * or be part of the signature. * @param mtomEnabled */ public void setAllowMTOM(boolean allowMTOM) { this.mtomEnabled = allowMTOM; } - @Override public Object getProperty(Object msgContext, String key) { return super.getProperty(msgContext, key); } - - public void handleMessage(SoapMessage mc) throws Fault { + + protected void handleSecureMTOM(SoapMessage mc, WSSSecurityProperties secProps) { + if (mtomEnabled) { + return; + } + //must turn off mtom when using WS-Sec so binary is inlined so it can //be properly signed/encrypted/etc... - if (!mtomEnabled) { - mc.put(org.apache.cxf.message.Message.MTOM_ENABLED, false); + String mtomKey = org.apache.cxf.message.Message.MTOM_ENABLED; + if (mc.get(mtomKey) == Boolean.TRUE) { + LOG.warning("MTOM will be disabled as the WSS4JOutInterceptor.mtomEnabled property" + + " is set to false"); } - + mc.put(mtomKey, Boolean.FALSE); + } + + public void handleMessage(SoapMessage mc) throws Fault { OutputStream os = mc.getContent(OutputStream.class); String encoding = getEncoding(mc); 
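Review bot: The warning added in `handleSecureMTOM` names `WSS4JOutInterceptor.mtomEnabled`, but this class is `WSS4JStaxOutInterceptor` and the configurable property is `allowMTOM` (the setter is `setAllowMTOM`; `mtomEnabled` is only the private field). An operator who sees attachments being inlined would look for the wrong bean and the wrong property name. Suggested text: `LOG.warning("MTOM will be disabled as the WSS4JStaxOutInterceptor.allowMTOM property is set to false");`. The removed code on this path changed the flag without logging, so this message is the only explanation an operator gets.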
@@ -134,6 +146,7 @@ public class WSS4JStaxOutInterceptor extends AbstractWSS4JStaxInterceptor { // If no actions configured (with SecurityPolicy) then return return; } + handleSecureMTOM(mc, secProps); if (secProps.getAttachmentCallbackHandler() == null) { secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(mc)); http://git-wip-us.apache.org/repos/asf/cxf/blob/af577d21/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java index a23800f..3bcf42a 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java @@ -61,8 +61,9 @@ public class MTOMSecurityTest extends AbstractBusClientServerTestBase { stopAllServers(); } + // The attachment is inlined + the SOAP Body signed @org.junit.Test - public void testSignedMTOM() throws Exception { + public void testSignedMTOMInline() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = MTOMSecurityTest.class.getResource("client.xml"); 
@@ -73,7 +74,34 @@ public class MTOMSecurityTest extends AbstractBusClientServerTestBase { URL wsdl = MTOMSecurityTest.class.getResource("DoubleItMtom.wsdl"); Service service = Service.create(wsdl, SERVICE_QNAME); - QName portQName = new QName(NAMESPACE, "DoubleItSignedMTOMPort"); + QName portQName = new QName(NAMESPACE, "DoubleItSignedMTOMInlinePort"); + DoubleItMtomPortType port = + service.getPort(portQName, DoubleItMtomPortType.class); + updateAddressPort(port, PORT); + + DataSource source = new FileDataSource(new File("src/test/resources/java.jpg")); + DoubleIt4 doubleIt = new DoubleIt4(); + doubleIt.setNumberToDouble(25); + port.doubleIt4(25, new DataHandler(source)); + + ((java.io.Closeable)port).close(); + bus.shutdown(true); + } + + // Here we are not-inlining, but the attachments are signed (as is the SOAP Body) + @org.junit.Test + public void testSignedMTOMSwA() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = MTOMSecurityTest.class.getResource("client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = MTOMSecurityTest.class.getResource("DoubleItMtom.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSignedMTOMSwAPort"); DoubleItMtomPortType port = service.getPort(portQName, DoubleItMtomPortType.class); updateAddressPort(port, PORT); http://git-wip-us.apache.org/repos/asf/cxf/blob/af577d21/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl index 7bd82c2..cea1163 100644 
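Review bot: Neither `testSignedMTOMInline` nor the new `testSignedMTOMSwA` asserts what its leading comment claims. As far as these hunks show, each only calls `port.doubleIt4(25, new DataHandler(source))` and passes if nothing throws, so a change that left the attachment outside the signature could still pass. The return value is discarded and the `DoubleIt4 doubleIt` object is built but never used. Assert on the returned value, and for the SwA case add a check that the attachment is among the signed parts, so the inline and out-of-line behaviours are actually pinned. `((java.io.Closeable)port).close()` and `bus.shutdown(true)` are also skipped when the call fails, because they are not in a `finally`. The body of `testSignedMTOMSwA` continues past the end of the hunk.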
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl @@ -36,8 +36,11 @@ </wsdl:binding> <wsdl:service name="DoubleItService"> - <wsdl:port name="DoubleItSignedMTOMPort" binding="tns:DoubleItNoSecurityBinding"> - <soap:address location="http://localhost:9001/DoubleItSignedMTOM"/> + <wsdl:port name="DoubleItSignedMTOMInlinePort" binding="tns:DoubleItNoSecurityBinding"> + <soap:address location="http://localhost:9001/DoubleItSignedMTOMInline"/> + </wsdl:port> + <wsdl:port name="DoubleItSignedMTOMSwAPort" binding="tns:DoubleItNoSecurityBinding"> + <soap:address location="http://localhost:9001/DoubleItSignedMTOMSwA"/> </wsdl:port> </wsdl:service> http://git-wip-us.apache.org/repos/asf/cxf/blob/af577d21/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml index e3a0aa1..ca69bfe 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml 
@@ -24,7 +24,38 @@ <cxf:logging/> </cxf:features> </cxf:bus> - <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignedMTOMPort" createdFromAPI="true"> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignedMTOMInlinePort" createdFromAPI="true"> + <jaxws:outInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="Signature Timestamp"/> + <entry key="signatureUser" value="alice"/> + <entry key="signaturePropFile" value="alice.properties"/> + <entry key="signatureKeyIdentifier" value="DirectReference"/> + <entry key="signatureParts" + value="{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"/> + <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + </map> + </constructor-arg> + </bean> + </jaxws:outInterceptors> + <jaxws:inInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="Signature"/> + <entry key="signatureVerificationPropFile" value="alice.properties"/> + </map> + </constructor-arg> + </bean> + </jaxws:inInterceptors> + <jaxws:properties> + <entry key="mtom-enabled" value="true"/> + </jaxws:properties> + </jaxws:client> + + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignedMTOMSwAPort" createdFromAPI="true"> <jaxws:outInterceptors> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> @@ -38,6 +69,7 @@ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> </map> </constructor-arg> + <property name="allowMTOM" value="true"/> </bean> </jaxws:outInterceptors> <jaxws:inInterceptors> 
@@ -55,4 +87,5 @@ </jaxws:properties> </jaxws:client> + </beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/af577d21/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml index fcb0805..b4ea76e 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml 
@@ -27,8 +27,41 @@ </cxf:bus> <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SignedMTOM" - address="http://localhost:${testutil.ports.Server}/DoubleItSignedMTOM" - serviceName="s:DoubleItService" endpointName="s:DoubleItSignedMTOMPort" + address="http://localhost:${testutil.ports.Server}/DoubleItSignedMTOMInline" + serviceName="s:DoubleItService" endpointName="s:DoubleItSignedMTOMInlinePort" + implementor="org.apache.cxf.systest.ws.mtom.DoubleIt4Impl" + wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl"> + <jaxws:outInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="Signature"/> + <entry key="signatureUser" value="bob"/> + <entry key="signaturePropFile" value="bob.properties"/> + <entry key="signatureKeyIdentifier" value="DirectReference"/> + <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + </map> + </constructor-arg> + </bean> + </jaxws:outInterceptors> + <jaxws:inInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="Signature Timestamp"/> + <entry key="signatureVerificationPropFile" value="bob.properties"/> + </map> + </constructor-arg> + </bean> + </jaxws:inInterceptors> + <jaxws:properties> + <entry key="mtom-enabled" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SignedMTOMSwA" + address="http://localhost:${testutil.ports.Server}/DoubleItSignedMTOMSwA" + serviceName="s:DoubleItService" endpointName="s:DoubleItSignedMTOMSwAPort" implementor="org.apache.cxf.systest.ws.mtom.DoubleIt4Impl" wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl"> <jaxws:outInterceptors>
