This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 3.2.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 5114ee6177831c767041012f32ebc5577b362aed Author: Colm O hEigeartaigh <[email protected]> AuthorDate: Fri Oct 25 17:22:30 2019 +0100 CXF-8137 - Using SecurityConstants.VALIDATE_TOKEN with WSS4JInInterceptor no longer allows skipping validation of token (cherry picked from commit 1d8bec1274316a30c62a767f3b4f715f3a1f8fad) (cherry picked from commit fe762469b5b3d3c21a79708504ef36c6aee39167) # Conflicts: # rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java # systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml # systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml # systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml --- .../cxf/ws/security/wss4j/WSS4JInInterceptor.java | 10 +++--- .../apache/cxf/systest/ws/action/ActionTest.java | 24 +++++++++++++ .../cxf/systest/ws/ut/UsernameTokenTest.java | 40 ++++++++++++++++++++++ .../cxf/systest/ws/action/DoubleItAction.wsdl | 3 ++ .../org/apache/cxf/systest/ws/action/client.xml | 15 ++++++++ .../org/apache/cxf/systest/ws/action/server.xml | 14 ++++++++ .../org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl | 3 ++ .../org/apache/cxf/systest/ws/ut/client.xml | 6 ++++ .../org/apache/cxf/systest/ws/ut/server.xml | 18 ++++++++++ .../org/apache/cxf/systest/ws/ut/stax-server.xml | 19 ++++++++++ .../ws/wssec10/server_restricted_authorized.xml | 2 -- .../ws/wssec10/server_restricted_authorized_2.xml | 2 -- 12 files changed, 146 insertions(+), 10 deletions(-) diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java index f40ddd1..d0f6d41 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java 
@@ -662,17 +662,15 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
 * @return the WSSecurityEngine in use by this interceptor.
 */
 protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) {
- if (defaultConfig != null) {
- WSSecurityEngine engine = new WSSecurityEngine();
- engine.setWssConfig(defaultConfig);
- return engine;
- }
-
 if (!utWithCallbacks) {
 Map<QName, Object> profiles = new HashMap<>(1);
 Validator validator = new NoOpValidator();
 profiles.put(WSConstants.USERNAME_TOKEN, validator);
 return createSecurityEngine(profiles);
+ } else if (defaultConfig != null) {
+ WSSecurityEngine engine = new WSSecurityEngine();
+ engine.setWssConfig(defaultConfig);
+ return engine;
 }
 return null;
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
index 7ce84f0..f973ab6 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
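Review bot: With the reordered branches a caller-supplied `defaultConfig` is now discarded entirely whenever `utWithCallbacks` is false, because the first branch returns `createSecurityEngine(profiles)` built from a fresh config, so any other validators or processors configured on `defaultConfig` appear to stop applying as soon as `ws-security.validate.token` is false (the old code had the opposite problem of ignoring the flag). If that trade-off is intended it should be stated in the Javadoc; otherwise the `NoOpValidator` could be registered on the config that `defaultConfig` provides with `config.setValidator(WSConstants.USERNAME_TOKEN, validator)` before wrapping it in the engine, taking care not to mutate the shared `defaultConfig` in place. In either case the method's Javadoc should gain `@param utWithCallbacks when {@code false}, UsernameToken validation is replaced by a {@code NoOpValidator} and takes precedence over {@code defaultConfig}; the token is then accepted without being authenticated, so a downstream interceptor must authenticate it`. The method's closing brace lies outside the hunk.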
@@ -195,6 +195,30 @@ public class ActionTest extends AbstractBusClientServerTestBase {
 }
 @org.junit.Test
+ public void testUsernameTokenNoValidation() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItUsernameTokenNoValPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ // Successful call
+ assertEquals(50, port.doubleIt(25));
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
 public void testEncryptedPassword() throws Exception {
 if (!unrestrictedPoliciesInstalled) {
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
index 62b0b12..ccfca15 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
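Review bot: `testUsernameTokenNoValidation` asserts only that the call succeeds, and nothing in the method says why that proves the fix; as far as this commit's action/server.xml shows, the `UsernameTokenNoVal` endpoint configures no password callback, so the call can only succeed if `ws-security.validate.token=false` really bypasses UsernameToken validation, and that reasoning belongs in the test. Replace `// Successful call` with `// The server endpoint has no password callback, so this call succeeds only if ws-security.validate.token=false skips UsernameToken validation (CXF-8137)`. Closing the port and shutting down the bus are not in a finally block, so an assertion failure leaks them, though this appears to match the neighbouring tests in the file.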
@@ -590,4 +590,44 @@ public class UsernameTokenTest extends AbstractBusClientServerTestBase {
 bus.shutdown(true);
 }
+ @org.junit.Test
+ public void testPlaintextPrincipal2() throws Exception {
+ if (STAX_PORT.equals(test.getPort())) {
+ // SecurityConstants.VALIDATE_TOKEN does not apply to the streaming layer
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = UsernameTokenTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = UsernameTokenTest.class.getResource("DoubleItUt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItPlaintextPrincipalPort2");
+ DoubleItPortType utPort =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(utPort, test.getPort());
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(utPort);
+ }
+
+ ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME, "Alice");
+ assertEquals(50, utPort.doubleIt(25));
+
+ try {
+ ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME, "Frank");
+ utPort.doubleIt(30);
+ fail("Failure expected on a user with the wrong role");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "Unauthorized";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)utPort).close();
+ bus.shutdown(true);
+ }
 }
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
index 9c50b4d..e73051a 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
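Review bot: `testPlaintextPrincipal2` carries no explanation of what distinguishes it from `testPlaintextPrincipal`, and the assertions alone do not say that the principal and role here are established by `SimpleUsernameTokenInterceptor` and `SimpleAuthorizingInterceptor` rather than by WSS4J token validation. Add a leading comment such as `// Token validation is disabled on the server (ws-security.validate.token=false); the principal and role used for authorization come from SimpleUsernameTokenInterceptor, so Alice succeeds and Frank is rejected by the authorizing interceptor` — the role assignment is inferred from ut/server.xml in this commit and should be confirmed. The early `return` for `STAX_PORT` makes the test report as passed when it did not run; `org.junit.Assume.assumeFalse(STAX_PORT.equals(test.getPort()));` would report it as skipped instead.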
@@ -48,6 +48,9 @@ <wsdl:port name="DoubleItUsernameTokenPort3" binding="tns:DoubleItNoSecurityBinding"> <soap:address location="http://localhost:9001/DoubleItUsernameToken3"/> </wsdl:port> + <wsdl:port name="DoubleItUsernameTokenNoValPort" binding="tns:DoubleItNoSecurityBinding"> + <soap:address location="http://localhost:9001/DoubleItUsernameTokenNoVal"/> + </wsdl:port> <wsdl:port name="DoubleItEncryptedPasswordPort" binding="tns:DoubleItNoSecurityBinding"> <soap:address location="http://localhost:9001/DoubleItEncryptedPassword"/> </wsdl:port> diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml index 0013cb4..f35ffca 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml @@ -77,6 +77,21 @@ </bean> </jaxws:outInterceptors> </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItUsernameTokenNoValPort" createdFromAPI="true"> + <jaxws:outInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="UsernameToken"/> + <entry key="addUsernameTokenNonce" value="true"/> + <entry key="addUsernameTokenCreated" value="true"/> + <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + <entry key="user" value="Alice"/> + </map> + </constructor-arg> + </bean> + </jaxws:outInterceptors> + </jaxws:client> <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItEncryptedPasswordPort" createdFromAPI="true"> <jaxws:outInterceptors> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> 
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml index 5bd5ce9..6fa1ee9 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml @@ -74,6 +74,20 @@ </bean> </jaxws:inInterceptors> </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="UsernameTokenNoVal" address="http://localhost:${testutil.ports.action.Server}/DoubleItUsernameTokenNoVal" serviceName="s:DoubleItService" endpointName="s:DoubleItUsernameTokenNoValPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl"> + <jaxws:inInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="UsernameToken"/> + </map> + </constructor-arg> + </bean> + </jaxws:inInterceptors> + <jaxws:properties> + <entry key="ws-security.validate.token" value="false"/> + </jaxws:properties> + </jaxws:endpoint> <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="EncryptedPassword" address="http://localhost:${testutil.ports.action.Server}/DoubleItEncryptedPassword" serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedPasswordPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl"> <jaxws:outInterceptors> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl index 4cc8ce2..ef099c9 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl 
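Review bot: The `UsernameTokenNoVal` endpoint accepts any UsernameToken without authenticating it and adds no other authentication interceptor, which is what the test needs but is also the kind of snippet that gets copied into real configurations; a comment on the endpoint should make the intent explicit: `<!-- CXF-8137 test endpoint: ws-security.validate.token=false disables UsernameToken validation, so this endpoint performs NO authentication and must not be used as a template -->`. The ut/server.xml and stax-server.xml endpoints in this commit pair the same property with SimpleUsernameTokenInterceptor and an authorizing interceptor, which shows what a deployment disabling validation still has to add.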
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl @@ -244,6 +244,9 @@ <wsdl:port name="DoubleItPlaintextPrincipalPort" binding="tns:DoubleItPlaintextBinding"> <soap:address location="https://localhost:9009/DoubleItUTPlaintextPrincipal"/> </wsdl:port> + <wsdl:port name="DoubleItPlaintextPrincipalPort2" binding="tns:DoubleItPlaintextBinding"> + <soap:address location="https://localhost:9009/DoubleItUTPlaintextPrincipal2"/> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItPlaintextPolicy"> <wsp:ExactlyOne> diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml index 6a2290b..9128f0c 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client.xml @@ -198,4 +198,10 @@ <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> </jaxws:properties> </jaxws:client> + + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPrincipalPort2" createdFromAPI="true"> + <jaxws:properties> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + </jaxws:properties> + </jaxws:client> </beans> diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml index 0da6275..5b7ba47 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml 
@@ -185,4 +185,22 @@ <ref bean="authzInterceptor"/> </jaxws:inInterceptors> </jaxws:endpoint> + + <bean id="simpleUTInterceptor" class="org.apache.cxf.systest.ws.wssec10.server.SimpleUsernameTokenInterceptor"/> + <bean id="authzInterceptor2" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"> + <property name="methodRolesMap"> + <map> + <entry key="doubleIt" value="developers"/> + </map> + </property> + </bean> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="PlaintextPrincipal2" address="https://localhost:${testutil.ports.ut.Server}/DoubleItUTPlaintextPrincipal2" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPrincipalPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.validate.token" value="false"/> + </jaxws:properties> + <jaxws:inInterceptors> + <ref bean="simpleUTInterceptor"/> + <ref bean="authzInterceptor2"/> + </jaxws:inInterceptors> + </jaxws:endpoint> </beans> diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml index bb829a2..188d459 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml 
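Review bot: The new `PlaintextPrincipal2` endpoint declares `endpointName="s:DoubleItPlaintextPrincipalPort"` while its `id`, its `address` and the port added to DoubleItUt.wsdl in this commit are all `...PlaintextPrincipal2`; the same mismatch is in the stax-server.xml hunk. It presumably works because both WSDL ports use `DoubleItPlaintextBinding`, but the endpoint is then published under the wrong port name and a later change to the first port's definition would silently apply to this one too; change it to `endpointName="s:DoubleItPlaintextPrincipalPort2"` in both files.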
@@ -197,4 +197,23 @@ <ref bean="authzInterceptor"/> </jaxws:inInterceptors> </jaxws:endpoint> + + <bean id="simpleUTInterceptor" class="org.apache.cxf.systest.ws.wssec10.server.SimpleUsernameTokenInterceptor"/> + <bean id="authzInterceptor2" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"> + <property name="methodRolesMap"> + <map> + <entry key="doubleIt" value="developers"/> + </map> + </property> + </bean> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="PlaintextPrincipal2" address="https://localhost:${testutil.ports.ut.StaxServer}/DoubleItUTPlaintextPrincipal2" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPrincipalPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.validate.token" value="false"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + <jaxws:inInterceptors> + <ref bean="simpleUTInterceptor"/> + <ref bean="authzInterceptor2"/> + </jaxws:inInterceptors> + </jaxws:endpoint> </beans> diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_restricted_authorized.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_restricted_authorized.xml index fd692dd..5111f1b 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_restricted_authorized.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_restricted_authorized.xml 
@@ -71,8 +71,6 @@ <!-- --> <jaxws:endpoint id="UserNameOverTransport" address="https://localhost:${testutil.ports.wssec10.server.AuthorizedServer.1}/UserNameOverTransport" serviceName="interop:PingService" endpointName="interop:UserNameOverTransport_IPingService" implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransportRestricted" depends-on="tls-settings"> <jaxws:properties> - <entry key="security.username" value="Alice"/> - <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> <!-- new property --> <entry key="ws-security.validate.token" value="false"/> </jaxws:properties> diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_restricted_authorized_2.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_restricted_authorized_2.xml index 2705b11..57debfd 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_restricted_authorized_2.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_restricted_authorized_2.xml @@ -57,8 +57,6 @@ <!-- --> <jaxws:endpoint id="UserNameOverTransport" address="https://localhost:${testutil.ports.AuthorizedServer2.1}/UserNameOverTransport" serviceName="interop:PingService" endpointName="interop:UserNameOverTransport_IPingService" implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransportRestricted" depends-on="tls-settings"> <jaxws:properties> - <entry key="security.username" value="Alice"/> - <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> <!-- new property --> <entry key="ws-security.validate.token" value="false"/> </jaxws:properties>
