Using a new CXFCallbackLookup
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/77372254 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/77372254 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/77372254 Branch: refs/heads/master Commit: 7737225402d3a7b2e669ee8ecf54de10af686f20 Parents: 80d7128 Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Feb 24 16:02:16 2015 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Feb 24 16:02:16 2015 +0000 ---------------------------------------------------------------------- .../ws/security/wss4j/CXFCallbackLookup.java | 50 ++++++++++++++++++++ .../wss4j/PolicyBasedWSS4JOutInterceptor.java | 27 ++++++----- .../ws/security/wss4j/WSS4JInInterceptor.java | 5 ++ .../policyhandlers/AbstractBindingBuilder.java | 23 +++++++-- .../AsymmetricBindingHandler.java | 5 +- .../policyhandlers/SymmetricBindingHandler.java | 11 +++-- .../policyhandlers/TransportBindingHandler.java | 5 +- 7 files changed, 107 insertions(+), 19 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/77372254/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CXFCallbackLookup.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CXFCallbackLookup.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CXFCallbackLookup.java
new file mode 100644
index 0000000..be8dbe0
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CXFCallbackLookup.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.wss4j.dom.message.DOMCallbackLookup;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+
+/**
+ * This class uses a DOM-based approach to locate Elements that are referenced via an Id.
+ */
+public class CXFCallbackLookup extends DOMCallbackLookup {
+
+ private Document doc;
+ private Element soapBody;
+
+ public CXFCallbackLookup(Document doc, Element soapBody) {
+ super(doc);
+ this.soapBody = soapBody;
+ }
+
+ /**
+ * Get the SOAP Body
+ */
+ @Override
+ public Element getSOAPBody() {
+ if (soapBody != null) {
+ return soapBody;
+ }
+ return WSSecurityUtil.findBodyElement(doc);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/77372254/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java ----------------------------------------------------------------------
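Review bot: The `doc` field of the new CXFCallbackLookup is never assigned — the constructor calls `super(doc)` and stores `soapBody`, but never `this.doc = doc;` — so the fallback `return WSSecurityUtil.findBodyElement(doc);` in getSOAPBody() always passes null whenever no Body element was supplied. Both callers added in this commit guard on `soapBody != null` before constructing the lookup, so the branch is unreachable today, but the first caller that passes a null Body will hit it in a component the inbound engine uses to resolve Id references, and will most likely get a NullPointerException instead of a located Body. Add `this.doc = doc;` to the constructor and make both fields `final` so the compiler flags any future omission of this kind. A constructor Javadoc stating that `soapBody` may be null, in which case the lookup searches `doc`, would make the intended contract explicit.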
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
index 98a6330..54faf7e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
@@ -120,7 +120,6 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
 }
 private void handleMessageInternal(SoapMessage message) throws Fault {
- Collection<AssertionInfo> ais;
 SOAPMessage saaj = message.getContent(SOAPMessage.class);
 boolean mustUnderstand =
@@ -133,7 +132,7 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
 // extract Assertion information
 if (aim != null) {
 AbstractBinding transport = null;
- ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
 if (!ais.isEmpty()) {
 for (AssertionInfo ai : ais) {
 transport = (AbstractBinding)ai.getAssertion();
@@ -191,15 +190,21 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
 transport.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
 }
- if (transport instanceof TransportBinding) {
- new TransportBindingHandler(config, (TransportBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
- } else if (transport instanceof SymmetricBinding) {
- new SymmetricBindingHandler(config, (SymmetricBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
- } else {
- new AsymmetricBindingHandler(config, (AsymmetricBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
+ try {
+ if (transport instanceof TransportBinding) {
+ new TransportBindingHandler(config, (TransportBinding)transport, saaj,
+ secHeader, aim, message).handleBinding();
+ } else if (transport instanceof SymmetricBinding) {
+ new SymmetricBindingHandler(config, (SymmetricBinding)transport, saaj,
+ secHeader, aim, message).handleBinding();
+ } else {
+ new AsymmetricBindingHandler(config, (AsymmetricBinding)transport, saaj,
+ secHeader, aim, message).handleBinding();
+ }
+ } catch (SOAPException e) {
+ throw new SoapFault(
+ new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
+ );
 }
 if (el.getFirstChild() == null) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/77372254/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index b8c71a7..4e20831 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
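Review bot: This try/catch is the only place in the diff that handles the checked `SOAPException` the three handler constructors now declare, so any other call site of TransportBindingHandler, SymmetricBindingHandler or AsymmetricBindingHandler outside this commit (none is visible here) will need the same treatment before the build is green. The block also wraps `handleBinding()`, so if that call can itself raise a SOAPException it is now reported under the generic `SECURITY_FAILED` message too; a one-line comment above the catch, `// SOAPException: the handler could not access the SOAP Body of the outgoing message (presumably from SAAJUtils.getBody in the builder constructor)`, would record which failure this mapping is meant for. Keeping `e` as the cause of the SoapFault is the right call. handleMessageInternal starts and ends outside this hunk.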
@@ -273,6 +273,11 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
 || MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
 reqData.setEnableRevocation(enableRevocation);
+ Element soapBody = SAAJUtils.getBody(doc);
+ if (soapBody != null) {
+ engine.setCallbackLookup(new CXFCallbackLookup(soapBody.getOwnerDocument(), soapBody));
+ }
+ + Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPHeader(), actor,
 version.getVersion() != 1.1);
http://git-wip-us.apache.org/repos/asf/cxf/blob/77372254/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index a6cd14a..6e62d0a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -71,6 +71,7 @@ import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
+import org.apache.cxf.ws.security.wss4j.CXFCallbackLookup;
 import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.cxf.wsdl.WSDLConstants;
 import org.apache.neethi.Assertion;
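Review bot: When `SAAJUtils.getBody(doc)` returns null this hunk silently leaves the engine's callback lookup as it was, so a message whose Body cannot be located is processed with a different Id-resolution strategy than the one this commit installs, and nothing records that it happened. Because that lookup is what the engine consults to find the element it treats as the SOAP Body (see CXFCallbackLookup.getSOAPBody() in this commit), the divergence is worth surfacing: add an else branch that logs at a low level, e.g. `LOG.fine("No SOAP Body located; keeping the engine's default CallbackLookup");` if this class has a `LOG` field (not visible here), or a comment stating why the default is acceptable in that case. The enclosing method, which already deals with `doc.getSOAPHeader()` below, starts and ends outside this hunk.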
@@ -95,6 +96,7 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.bsp.BSPEnforcer;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.CallbackLookup;
 import org.apache.wss4j.dom.message.WSSecBase;
 import org.apache.wss4j.dom.message.WSSecDKSign;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
@@ -169,6 +171,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 protected Element bstElement;
 protected Element lastEncryptedKeyElement;
+ protected final CallbackLookup callbackLookup;
+
 private Element lastSupportingTokenElement;
 private Element lastDerivedKeyElement;
@@ -182,7 +186,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 SOAPMessage saaj,
 WSSecHeader secHeader,
 AssertionInfoMap aim,
- SoapMessage message) {
+ SoapMessage message) throws SOAPException {
 super(message);
 this.wssConfig = config;
 this.binding = binding;
@@ -190,6 +194,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 this.secHeader = secHeader;
 this.saaj = saaj;
 message.getExchange().put(WSHandlerConstants.SEND_SIGV, signatures);
+
+ Element soapBody = SAAJUtils.getBody(saaj);
+ if (soapBody != null) {
+ callbackLookup = new CXFCallbackLookup(soapBody.getOwnerDocument(), soapBody);
+ } else {
+ callbackLookup = null;
+ }
 }
 protected void insertAfter(Element child, Element sib) {
@@ -450,7 +461,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 getSignedParts(suppTokens))
 );
 } else {
- WSSecSignature sig = new WSSecSignature(wssConfig);
+ WSSecSignature sig = new WSSecSignature(wssConfig);
+ sig.setCallbackLookup(callbackLookup);
 sig.setX509Certificate(secToken.getX509Certificate());
 sig.setCustomTokenId(id);
 sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
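Review bot: The constructor sets `callbackLookup = null;` when `SAAJUtils.getBody(saaj)` returns null, and that null is then passed straight through by `sig.setCallbackLookup(callbackLookup);` in the hunk at 461 and by every other setter call this commit adds (the remaining AbstractBindingBuilder hunks and the Asymmetric, Symmetric and Transport handler hunks). Whether WSS4J treats a null lookup as "use the default" is not visible here; if it does not, a Body-less message fails deep inside WSS4J with a NullPointerException rather than with a clear error at construction time. Either fall back to the stock lookup in the else branch, `callbackLookup = new DOMCallbackLookup(saaj.getSOAPPart());` (the class CXFCallbackLookup itself extends; it would need importing here), or document the contract on the field: `/** Resolves Id references against the outbound message; null when the message has no SOAP Body. */`. The constructor continues outside this hunk.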
@@ -1375,6 +1387,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractTokenWrapper wrapper,
 AbstractToken token) throws WSSecurityException {
 WSSecEncryptedKey encrKey = new WSSecEncryptedKey(wssConfig);
+ encrKey.setCallbackLookup(callbackLookup);
 Crypto crypto = getEncryptionCrypto(wrapper);
 message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
 setKeyIdentifierType(encrKey, wrapper, token);
@@ -1668,6 +1681,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 AbstractTokenWrapper wrapper, AbstractToken token, boolean attached, boolean endorse
 ) throws WSSecurityException {
 WSSecSignature sig = new WSSecSignature(wssConfig);
+ sig.setCallbackLookup(callbackLookup);
 sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
 checkForX509PkiPath(sig, token);
 if (token instanceof IssuedToken || token instanceof SamlToken) {
@@ -1881,7 +1895,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 throws WSSecurityException {
 Document doc = saaj.getSOAPPart();
- WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
+ WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
+ dkSign.setCallbackLookup(callbackLookup);
 //Check whether it is security policy 1.2 and use the secure conversation accordingly
 if (policyToken.getVersion() == SPConstants.SPVersion.SP11) {
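Review bot: The two-line pattern `new WSSec…(wssConfig);` followed by `….setCallbackLookup(callbackLookup);` is now repeated at every builder construction site in this file and in the three handler subclasses (this hunk and all the setter hunks that follow through TransportBindingHandler), and the supporting-token branch in the earlier hunk at 461 had to be patched separately to pick it up. A single protected helper in AbstractBindingBuilder, e.g. `protected <T extends WSSecBase> T withCallbackLookup(T builder) { builder.setCallbackLookup(callbackLookup); return builder; }`, would let each site read `WSSecSignature sig = withCallbackLookup(new WSSecSignature(wssConfig));` and stop a future builder instantiation from silently missing the lookup. This assumes `setCallbackLookup` is declared on `WSSecBase` (already imported in this file); confirm against the WSS4J version in use before relying on it.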
@@ -1964,6 +1979,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 Document doc = saaj.getSOAPPart();
 WSSecSignature sig = new WSSecSignature(wssConfig);
+ sig.setCallbackLookup(callbackLookup);
+
 // If a EncryptedKeyToken is used, set the correct value type to
 // be used in the wsse:Reference in ds:KeyInfo
 if (policyToken instanceof X509Token) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/77372254/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index ddacef4..fc3aa8b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -90,7 +90,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 SOAPMessage saaj,
 WSSecHeader secHeader,
 AssertionInfoMap aim,
- SoapMessage message) {
+ SoapMessage message) throws SOAPException {
 super(config, binding, saaj, secHeader, aim, message);
 this.abinding = binding;
 protectionOrder = binding.getProtectionOrder();
@@ -452,6 +452,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
 try {
 WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
+ dkEncr.setCallbackLookup(callbackLookup);
 if (recToken.getToken().getVersion() == SPConstants.SPVersion.SP11) {
 dkEncr.setWscVersion(ConversationConstants.VERSION_05_02);
 }
@@ -480,6 +481,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 } else {
 try {
 WSSecEncrypt encr = new WSSecEncrypt(wssConfig);
+ encr.setCallbackLookup(callbackLookup);
 encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
 encr.setDocument(saaj.getSOAPPart());
@@ -615,6 +617,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 setupEncryptedKey(wrapper, sigToken);
 WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
+ dkSign.setCallbackLookup(callbackLookup);
 if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
 dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/77372254/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 8fa9972..c04597c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -27,6 +27,7 @@ import java.util.logging.Level;
 import javax.xml.crypto.dsig.Reference;
 import javax.xml.namespace.QName;
+import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
 import org.w3c.dom.Document;
@@ -81,15 +82,15 @@ import org.apache.wss4j.policy.model.X509Token;
 *
 */
 public class SymmetricBindingHandler extends AbstractBindingBuilder {
- SymmetricBinding sbinding;
- TokenStore tokenStore;
+ private final SymmetricBinding sbinding;
+ private final TokenStore tokenStore;
 public SymmetricBindingHandler(WSSConfig config,
 SymmetricBinding binding,
 SOAPMessage saaj,
 WSSecHeader secHeader,
 AssertionInfoMap aim,
- SoapMessage message) {
+ SoapMessage message) throws SOAPException {
 super(config, binding, saaj, secHeader, aim, message);
 this.sbinding = binding;
 tokenStore = getTokenStore();
@@ -398,6 +399,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 boolean atEnd) {
 try {
 WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
+ dkEncr.setCallbackLookup(callbackLookup);
 if (recToken.getToken().getVersion() == SPConstants.SPVersion.SP11) {
 dkEncr.setWscVersion(ConversationConstants.VERSION_05_02);
 }
@@ -511,6 +513,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 } else {
 try {
 WSSecEncrypt encr = new WSSecEncrypt(wssConfig);
+ encr.setCallbackLookup(callbackLookup);
 encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
 String encrTokId = encrTok.getId();
 if (attached) {
@@ -622,6 +625,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 boolean included) throws WSSecurityException {
 Document doc = saaj.getSOAPPart();
 WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
+ dkSign.setCallbackLookup(callbackLookup);
 if (policyAbstractTokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
 dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
 }
@@ -747,6 +751,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 return doSignatureDK(sigs, policyAbstractTokenWrapper, policyToken, tok, included);
 } else {
 WSSecSignature sig = new WSSecSignature(wssConfig);
+ sig.setCallbackLookup(callbackLookup);
 sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
 // If a EncryptedKeyToken is used, set the correct value type to
 // be used in the wsse:Reference in ds:KeyInfo
http://git-wip-us.apache.org/repos/asf/cxf/blob/77372254/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 5ec749e..1f8a21c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -87,7 +87,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 SOAPMessage saaj,
 WSSecHeader secHeader,
 AssertionInfoMap aim,
- SoapMessage message) {
+ SoapMessage message) throws SOAPException {
 super(config, binding, saaj, secHeader, aim, message);
 this.tbinding = binding;
 }
@@ -364,6 +364,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 encrKey.appendToHeader(secHeader);
 WSSecDKSign dkSig = new WSSecDKSign(wssConfig);
+ dkSig.setCallbackLookup(callbackLookup);
 if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
 dkSig.setWscVersion(ConversationConstants.VERSION_05_02);
 }
@@ -452,6 +453,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 ) throws Exception {
 //Do Signature with derived keys
 WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
+ dkSign.setCallbackLookup(callbackLookup);
 AlgorithmSuite algorithmSuite = tbinding.getAlgorithmSuite();
 //Setting the AttachedReference or the UnattachedReference according to the flag
@@ -501,6 +503,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 List<WSEncryptionPart> sigParts
 ) throws Exception {
 WSSecSignature sig = new WSSecSignature(wssConfig);
+ sig.setCallbackLookup(callbackLookup);
 //Setting the AttachedReference or the UnattachedReference according to the flag
 Element ref;
