This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/3.3.x-fixes by this push:
new fe76246 CXF-8137 - Using SecurityConstants.VALIDATE_TOKEN with
WSS4JInInterceptor no longer allows skipping validation of token
fe76246 is described below
commit fe762469b5b3d3c21a79708504ef36c6aee39167
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Oct 25 17:22:30 2019 +0100
CXF-8137 - Using SecurityConstants.VALIDATE_TOKEN with WSS4JInInterceptor
no longer allows skipping validation of token
(cherry picked from commit 1d8bec1274316a30c62a767f3b4f715f3a1f8fad)
---
.../cxf/ws/security/wss4j/WSS4JInInterceptor.java | 10 +++---
.../apache/cxf/systest/ws/action/ActionTest.java | 24 +++++++++++++
.../cxf/systest/ws/ut/UsernameTokenTest.java | 40 ++++++++++++++++++++++
.../cxf/systest/ws/action/DoubleItAction.wsdl | 3 ++
.../org/apache/cxf/systest/ws/action/client.xml | 15 ++++++++
.../org/apache/cxf/systest/ws/action/server.xml | 14 ++++++++
.../org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl | 3 ++
.../org/apache/cxf/systest/ws/ut/client.xml | 6 ++++
.../org/apache/cxf/systest/ws/ut/server.xml | 18 ++++++++++
.../org/apache/cxf/systest/ws/ut/stax-server.xml | 19 ++++++++++
.../cxf/systest/ws/wssec10/server_authorized.xml | 2 --
.../cxf/systest/ws/wssec10/server_authorized_2.xml | 2 --
12 files changed, 146 insertions(+), 10 deletions(-)
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 127bba2..16a993c 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -698,18 +698,16 @@ public class WSS4JInInterceptor extends
AbstractWSS4JInterceptor {
* @return the WSSecurityEngine in use by this interceptor.
*/
protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) {
- if (defaultConfig != null) {
- WSSecurityEngine engine = new WSSecurityEngine();
- engine.setWssConfig(defaultConfig);
- return engine;
- }
-
if (!utWithCallbacks) {
WSSConfig config = WSSConfig.getNewInstance();
config.setValidator(WSConstants.USERNAME_TOKEN, new
NoOpValidator());
WSSecurityEngine ret = new WSSecurityEngine();
ret.setWssConfig(config);
return ret;
+ } else if (defaultConfig != null) {
+ WSSecurityEngine engine = new WSSecurityEngine();
+ engine.setWssConfig(defaultConfig);
+ return engine;
}
return null;
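Review bot: On the `!utWithCallbacks` path, which now runs before the `defaultConfig` branch, the engine is built from `WSSConfig.getNewInstance()` (L48), so any `defaultConfig` a deployer installed on this interceptor is discarded together with every validator or setting it carried, although only the UsernameToken validator needed replacing. If `WSSConfig` offers a way to copy or derive from an existing instance — I cannot confirm that from the hunk — building the no-op engine from `defaultConfig` and overriding only `WSConstants.USERNAME_TOKEN` would keep the rest of the custom configuration in force. Either way the Javadoc above `getSecurityEngine` (it starts before the hunk) should state the trade-off: `* When {@code utWithCallbacks} is false a fresh {@link WSSConfig} with a {@link NoOpValidator} for UsernameTokens is used and {@code defaultConfig} is not consulted; the token's password is then never checked, so callers must authenticate it downstream.` The method's closing brace lies past the last hunk line shown.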
diff --git
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
index 24b7604..cc33551 100644
---
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
+++
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
@@ -207,6 +207,30 @@ public class ActionTest extends
AbstractBusClientServerTestBase {
}
@org.junit.Test
+ public void testUsernameTokenNoValidation() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE,
"DoubleItUsernameTokenNoValPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ // Successful call
+ assertEquals(50, port.doubleIt(25));
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testEncryptedPassword() throws Exception {
if (!unrestrictedPoliciesInstalled) {
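Review bot: `testUsernameTokenNoValidation` only exercises the happy path with Alice's correct password, so on its own it does not show that validation was skipped; it passes because the `UsernameTokenNoVal` endpoint in server.xml has no `passwordCallbackClass`, and that dependency is invisible here. A comment above the call would make the intent explicit: `// The NoVal endpoint has no password callback, so this can only succeed if ws-security.validate.token=false is honoured`. If the client can override the password via `SecurityConstants.PASSWORD` in the request context (not verifiable from this hunk), a second call with a wrong password that still returns 50 would pin the fixed behaviour directly. `bus.shutdown(true)` also runs only on the success path; wrapping the calls in `try`/`finally` would avoid leaking the bus when the assertion fails. The enclosing class continues past the hunk.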
diff --git
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
index 1028beb..3e4e22c 100644
---
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
+++
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
@@ -676,4 +676,44 @@ public class UsernameTokenTest extends
AbstractBusClientServerTestBase {
bus.shutdown(true);
}
+ @org.junit.Test
+ public void testPlaintextPrincipal2() throws Exception {
+ if (STAX_PORT.equals(test.getPort())) {
+ // SecurityConstants.VALIDATE_TOKEN does not apply to the
streaming layer
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = UsernameTokenTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = UsernameTokenTest.class.getResource("DoubleItUt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE,
"DoubleItPlaintextPrincipalPort2");
+ DoubleItPortType utPort =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(utPort, test.getPort());
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(utPort);
+ }
+
+
((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME,
"Alice");
+ assertEquals(50, utPort.doubleIt(25));
+
+ try {
+
((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME,
"Frank");
+ utPort.doubleIt(30);
+ fail("Failure expected on a user with the wrong role");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "Unauthorized";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)utPort).close();
+ bus.shutdown(true);
+ }
}
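Review bot: With `ws-security.validate.token=false` on the `PlaintextPrincipal2` endpoint the username in the token is never checked against a password, so the Alice/Frank checks prove role-based authorization, not that the caller is Alice; unless `SimpleUsernameTokenInterceptor` (defined outside this diff) verifies credentials itself, the `Unauthorized` for Frank is a decision on an unauthenticated name. The test should say what it does and does not prove: `// Token validation is disabled on this endpoint: the checks below cover authorization on the asserted username, not password verification`. The early `return` at L113–L117 silently reports the STAX case as passed; `org.junit.Assume.assumeFalse(STAX_PORT.equals(test.getPort()))` would mark it skipped instead. `bus.shutdown(true)` is also bypassed if `utPort.doubleIt(30)` throws anything other than `SOAPFaultException`; a `try`/`finally` would cover that.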
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
index 9c50b4d..e73051a 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
@@ -48,6 +48,9 @@
<wsdl:port name="DoubleItUsernameTokenPort3"
binding="tns:DoubleItNoSecurityBinding">
<soap:address
location="http://localhost:9001/DoubleItUsernameToken3"/>
</wsdl:port>
+ <wsdl:port name="DoubleItUsernameTokenNoValPort"
binding="tns:DoubleItNoSecurityBinding">
+ <soap:address
location="http://localhost:9001/DoubleItUsernameTokenNoVal"/>
+ </wsdl:port>
<wsdl:port name="DoubleItEncryptedPasswordPort"
binding="tns:DoubleItNoSecurityBinding">
<soap:address
location="http://localhost:9001/DoubleItEncryptedPassword"/>
</wsdl:port>
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
index ddc55f9..2170832 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
@@ -84,6 +84,21 @@
</bean>
</jaxws:outInterceptors>
</jaxws:client>
+ <jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItUsernameTokenNoValPort"
createdFromAPI="true">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="UsernameToken"/>
+ <entry key="addUsernameTokenNonce" value="true"/>
+ <entry key="addUsernameTokenCreated" value="true"/>
+ <entry key="passwordCallbackClass"
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="user" value="Alice"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ </jaxws:client>
<jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItEncryptedPasswordPort"
createdFromAPI="true">
<jaxws:outInterceptors>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
index ec4983e..f00b9f2 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
@@ -83,6 +83,20 @@
</bean>
</jaxws:inInterceptors>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"
id="UsernameTokenNoVal"
address="http://localhost:${testutil.ports.action.Server}/DoubleItUsernameTokenNoVal"
serviceName="s:DoubleItService"
endpointName="s:DoubleItUsernameTokenNoValPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="UsernameToken"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ <jaxws:properties>
+ <entry key="ws-security.validate.token" value="false"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"
id="EncryptedPassword"
address="http://localhost:${testutil.ports.action.Server}/DoubleItEncryptedPassword"
serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedPasswordPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
<jaxws:outInterceptors>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
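Review bot: The `UsernameTokenNoVal` endpoint (L229–L248) runs `WSS4JInInterceptor` with `action=UsernameToken` and no `passwordCallbackClass`, and `ws-security.validate.token=false` turns the UsernameToken validator into a no-op, so any username/password pair is accepted and no authentication happens at all. That is what the new test needs, but the fixture reads like a ready-made configuration, so it should be marked as intentionally unauthenticated: `<!-- Test fixture: token validation is disabled, so the UsernameToken is parsed but never authenticated. Do not copy without a downstream authenticator. -->`. The `EncryptedPassword` endpoint that follows begins inside this hunk and continues past it.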
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
index 4cc8ce2..ef099c9 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
@@ -244,6 +244,9 @@
<wsdl:port name="DoubleItPlaintextPrincipalPort"
binding="tns:DoubleItPlaintextBinding">
<soap:address
location="https://localhost:9009/DoubleItUTPlaintextPrincipal"/>
</wsdl:port>
+ <wsdl:port name="DoubleItPlaintextPrincipalPort2"
binding="tns:DoubleItPlaintextBinding">
+ <soap:address
location="https://localhost:9009/DoubleItUTPlaintextPrincipal2"/>
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItPlaintextPolicy">
<wsp:ExactlyOne>
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml
index 788aa8e..e60b8c3 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml
@@ -205,4 +205,10 @@
<entry key="security.callback-handler"
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
</jaxws:properties>
</jaxws:client>
+
+ <jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPrincipalPort2"
createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="security.callback-handler"
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
</beans>
\ No newline at end of file
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml
index 1e31b05..b0b2896 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml
@@ -193,4 +193,22 @@
<ref bean="authzInterceptor"/>
</jaxws:inInterceptors>
</jaxws:endpoint>
+
+ <bean id="simpleUTInterceptor"
class="org.apache.cxf.systest.ws.wssec10.server.SimpleUsernameTokenInterceptor"/>
+ <bean id="authzInterceptor2"
class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
+ <property name="methodRolesMap">
+ <map>
+ <entry key="doubleIt" value="developers"/>
+ </map>
+ </property>
+ </bean>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"
id="PlaintextPrincipal2"
address="https://localhost:${testutil.ports.ut.Server}/DoubleItUTPlaintextPrincipal2"
serviceName="s:DoubleItService"
endpointName="s:DoubleItPlaintextPrincipalPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.validate.token" value="false"/>
+ </jaxws:properties>
+ <jaxws:inInterceptors>
+ <ref bean="simpleUTInterceptor"/>
+ <ref bean="authzInterceptor2"/>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
</beans>
\ No newline at end of file
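Review bot: The new `PlaintextPrincipal2` endpoint (L326–L333) publishes at `.../DoubleItUTPlaintextPrincipal2` but declares `endpointName="s:DoubleItPlaintextPrincipalPort"`, while the WSDL port and the test added in this commit use `DoubleItPlaintextPrincipalPort2`; it works only because the client overrides the address, so it should read `endpointName="s:DoubleItPlaintextPrincipalPort2"` to keep the WSDL port and policy attachment aligned. Because `ws-security.validate.token=false` disables password checking, `authzInterceptor2` decides roles on whatever username the client asserted unless `SimpleUsernameTokenInterceptor` (not in this diff) authenticates it, and a comment on the endpoint should say so: `<!-- Token validation is disabled: the username is taken from the token unverified; authzInterceptor2 enforces roles on that asserted name. -->`. `authzInterceptor2` is suffixed to avoid clashing with the existing `authzInterceptor`, but `simpleUTInterceptor` is not — confirm no earlier bean with that id exists in this file.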
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml
index ac2c25a..4f4e7b5 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml
@@ -205,4 +205,23 @@
<ref bean="authzInterceptor"/>
</jaxws:inInterceptors>
</jaxws:endpoint>
+
+ <bean id="simpleUTInterceptor"
class="org.apache.cxf.systest.ws.wssec10.server.SimpleUsernameTokenInterceptor"/>
+ <bean id="authzInterceptor2"
class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
+ <property name="methodRolesMap">
+ <map>
+ <entry key="doubleIt" value="developers"/>
+ </map>
+ </property>
+ </bean>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"
id="PlaintextPrincipal2"
address="https://localhost:${testutil.ports.ut.StaxServer}/DoubleItUTPlaintextPrincipal2"
serviceName="s:DoubleItService"
endpointName="s:DoubleItPlaintextPrincipalPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.validate.token" value="false"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ <jaxws:inInterceptors>
+ <ref bean="simpleUTInterceptor"/>
+ <ref bean="authzInterceptor2"/>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
</beans>
\ No newline at end of file
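Review bot: This endpoint is never exercised: `testPlaintextPrincipal2` returns early on `STAX_PORT` because, per its own comment, `ws-security.validate.token` is not honoured by the streaming layer, so the `ws-security.validate.token=false` entry at L376 has no effect here and the endpoint at L367–L383 is dead test configuration. Either drop it from stax-server.xml or explain why it is kept, e.g. `<!-- Not exercised by UsernameTokenTest: ws-security.validate.token is not honoured by the streaming (StAX) layer; kept only so the port set matches server.xml. -->`. The `endpointName="s:DoubleItPlaintextPrincipalPort"` mismatch with the `...Port2` port used by the WSDL and test applies here as well.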
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized.xml
index d902fe2..eb62243 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized.xml
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized.xml
@@ -80,8 +80,6 @@
<!-- -->
<jaxws:endpoint id="UserNameOverTransport"
address="https://localhost:${testutil.ports.wssec10.server.AuthorizedServer.1}/UserNameOverTransport"
serviceName="interop:PingService"
endpointName="interop:UserNameOverTransport_IPingService"
implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransportRestricted"
depends-on="tls-settings">
<jaxws:properties>
- <entry key="security.username" value="Alice"/>
- <entry key="security.callback-handler"
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
<!-- new property -->
<entry key="ws-security.validate.token" value="false"/>
</jaxws:properties>
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized_2.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized_2.xml
index bf9b86c..df1e4c2 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized_2.xml
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized_2.xml
@@ -66,8 +66,6 @@
<!-- -->
<jaxws:endpoint id="UserNameOverTransport"
address="https://localhost:${testutil.ports.AuthorizedServer2.1}/UserNameOverTransport"
serviceName="interop:PingService"
endpointName="interop:UserNameOverTransport_IPingService"
implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransportRestricted"
depends-on="tls-settings">
<jaxws:properties>
- <entry key="security.username" value="Alice"/>
- <entry key="security.callback-handler"
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
<!-- new property -->
<entry key="ws-security.validate.token" value="false"/>
</jaxws:properties>