This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 407e31e81fc1b5d2f6e1bd9139066be40fd96881
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Mon Jun 17 13:44:27 2019 +0100

    Picking up more changes in WSS4J
---
 parent/pom.xml                                             |  1 +
 .../cxf/ws/security/trust/STSStaxTokenValidator.java       |  3 ++-
 .../ws/wssec10/server/CustomUsernameTokenInterceptor.java  | 14 ++++++++++----
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/parent/pom.xml b/parent/pom.xml
index 69c269c..7f93d18 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -218,6 +218,7 @@
         <cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version>
         <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
         <cxf.wss4j.version>2.3.0-SNAPSHOT</cxf.wss4j.version>
+        <cxf.xalan.version>2.7.2</cxf.xalan.version>
         <cxf.xbean.version>4.14</cxf.xbean.version>
         <cxf.xerces.version>2.12.0</cxf.xerces.version>
         <cxf.xmlschema.version>2.2.4</cxf.xmlschema.version>
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
index ffb99e4..57429e2 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
@@ -42,6 +42,7 @@ import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.PKIPathSecurity;
 import org.apache.wss4j.common.token.X509Security;
 import org.apache.wss4j.common.util.AttachmentUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.message.token.UsernameToken;
 import org.apache.wss4j.stax.ext.WSSConstants;
@@ -329,7 +330,7 @@ public class STSStaxTokenValidator
             throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
         }
 
-        String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, 
pwCb.getPassword());
+        String passDigest = UsernameTokenUtil.doPasswordDigest(nonceVal, 
created, pwCb.getPassword());
         if (!passwordType.getValue().equals(passDigest)) {
             throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
         }
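Review bot: The comparison on the line after the changed call, `passwordType.getValue().equals(passDigest)`, checks a password-derived digest with `String.equals`, which stops at the first differing character and is not constant-time. Since the commit already touches this check, consider `MessageDigest.isEqual(passwordType.getValue().getBytes(StandardCharsets.UTF_8), passDigest.getBytes(StandardCharsets.UTF_8))`, which needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported. Whether `passwordType.getValue()` can be null here is not visible, because the enclosing method starts and ends outside the hunk.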
diff --git 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
index e04d7b5..50ea95b 100644
--- 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
+++ 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
@@ -26,7 +26,8 @@ import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
-import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
+import org.apache.xml.security.utils.XMLUtils;
 
 public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
 
@@ -44,11 +45,16 @@ public class CustomUsernameTokenInterceptor extends 
UsernameTokenInterceptor {
 
         // add roles this user is in
         String roleName = "Alice".equals(name) ? "developers" : "pms";
-        String expectedPassword = "Alice".equals(name) ? "ecilA"
-            : UsernameToken.doPasswordDigest(nonce, created, 
"invalid-password");
-        if (!password.equals(expectedPassword)) {
+        try {
+            String expectedPassword = "Alice".equals(name) ? "ecilA"
+                : UsernameTokenUtil.doPasswordDigest(XMLUtils.decode(nonce), 
created, "invalid-password");
+            if (!password.equals(expectedPassword)) {
+                throw new SecurityException("Wrong Password");
+            }
+        } catch (org.apache.wss4j.common.ext.WSSecurityException ex) {
             throw new SecurityException("Wrong Password");
         }
+
         subject.getPrincipals().add(new SimpleGroup(roleName, name));
         subject.setReadOnly();
         return subject;
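Review bot: The new `catch (org.apache.wss4j.common.ext.WSSecurityException ex)` throws a fresh `SecurityException("Wrong Password")` and drops `ex`, so a failure while computing the digest cannot be told apart from a real mismatch when this test fails; `throw new SecurityException("Wrong Password", ex);` keeps the message and preserves the cause. The catch also covers only `WSSecurityException`: `XMLUtils.decode(nonce)` receives the client-supplied nonce, and if it reports a null or malformed value with an unchecked exception (not visible here), that would escape as something other than the uniform "Wrong Password" rejection. Importing `WSSecurityException` rather than spelling out the fully qualified name would match the file's other imports. The method starts and ends outside the hunk.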
