Refactor how we extract "IDs" from delegation tokens when used for caching
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/66c2c5b9 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/66c2c5b9 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/66c2c5b9 Branch: refs/heads/master Commit: 66c2c5b99e01a2165a2c5ed9ae34b4b9a512cb39 Parents: 631ac6b Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Apr 5 11:01:21 2017 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Apr 5 11:01:21 2017 +0100 ---------------------------------------------------------------------- .../security/trust/DefaultSTSTokenCacher.java | 40 +++++++++++++++++--- 1 file changed, 35 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/66c2c5b9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java index 6fc26f0..c2699fc 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java @@ -19,6 +19,9 @@ package org.apache.cxf.ws.security.trust; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Base64; import java.util.HashMap; import java.util.Map; @@ -33,6 +36,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore; import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.apache.wss4j.common.util.XMLUtils; import org.apache.wss4j.dom.WSConstants; public class DefaultSTSTokenCacher implements STSTokenCacher { @@ -163,16 +167,42 @@ public class DefaultSTSTokenCacher implements STSTokenCacher { return false; } + // Get an id from the token that is unique to that token private static String getIdFromToken(Element token) { if (token != null) { - // Try to find the "Id" on the token. - if (token.hasAttributeNS(WSConstants.WSU_NS, "Id")) { - return token.getAttributeNS(WSConstants.WSU_NS, "Id"); - } else if (token.hasAttributeNS(null, "ID")) { + // For SAML tokens get the ID/AssertionID + if ("Assertion".equals(token.getLocalName()) + && WSConstants.SAML2_NS.equals(token.getNamespaceURI())) { return token.getAttributeNS(null, "ID"); - } else if (token.hasAttributeNS(null, "AssertionID")) { + } else if ("Assertion".equals(token.getLocalName()) + && WSConstants.SAML_NS.equals(token.getNamespaceURI())) { return token.getAttributeNS(null, "AssertionID"); } + + // For UsernameTokens get the username + if (WSConstants.USERNAME_TOKEN_LN.equals(token.getLocalName()) + && WSConstants.WSSE_NS.equals(token.getNamespaceURI())) { + Element usernameElement = + XMLUtils.getDirectChildElement(token, WSConstants.USERNAME_LN, WSConstants.WSSE_NS); + if (usernameElement != null) { + return XMLUtils.getElementText(usernameElement); + } + } + + // For BinarySecurityTokens take the hash of the value + if (WSConstants.BINARY_TOKEN_LN.equals(token.getLocalName()) + && WSConstants.WSSE_NS.equals(token.getNamespaceURI())) { + String text = XMLUtils.getElementText(token); + if (text != null && !"".equals(text)) { + try { + MessageDigest digest = MessageDigest.getInstance("SHA-256"); + byte[] bytes = digest.digest(text.getBytes()); + return Base64.getMimeEncoder().encodeToString(bytes); + } catch (NoSuchAlgorithmException e) { + // SHA-256 must be supported so not going to happen... + } + } + } } return ""; }
