This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 4.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/4.1.x-fixes by this push:
     new 24a692894c CXF-9167 - Enable Custom Processor Injection in 
PolicyBasedWSS4JInInterceptor (#2859)
24a692894c is described below

commit 24a692894cc797cae3ddbaa53a321667ce6cded9
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Wed Feb 4 13:53:58 2026 +0000

    CXF-9167 - Enable Custom Processor Injection in 
PolicyBasedWSS4JInInterceptor (#2859)
    
    (cherry picked from commit b10bb58a2e83cd187fe545e14d7d87e19a9fe9af)
---
 .../wss4j/PolicyBasedWSS4JInInterceptor.java       |  5 ++
 .../cxf/ws/security/wss4j/WSS4JInInterceptor.java  | 27 +++++----
 .../systest/ws/ut/CustomUTPasswordCallback.java    | 65 ++++++++++++++++++++++
 .../cxf/systest/ws/ut/CustomUTProcessor.java       | 43 ++++++++++++++
 .../cxf/systest/ws/ut/UsernameTokenPolicyTest.java | 30 ++++++++++
 .../apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl |  3 +
 .../org/apache/cxf/systest/ws/ut/policy-client.xml | 11 ++++
 .../org/apache/cxf/systest/ws/ut/policy-server.xml | 20 +++++++
 8 files changed, 192 insertions(+), 12 deletions(-)

diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index ca8ada8fae..17e7e885c3 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -556,6 +556,11 @@ public class PolicyBasedWSS4JInInterceptor extends 
WSS4JInInterceptor {
             }
 
             message.put(ConfigurationConstants.ACTION, action.trim());
+
+            // Set any custom WSS4J Processor instances that are configured
+            final Map<QName, Object> processorMap = CastUtils.cast(
+                (Map<?, 
?>)SecurityUtils.getSecurityPropertyValue(PROCESSOR_MAP, message));
+            configureCustomProcessors(data.getWssConfig(), processorMap);
         }
     }
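Review bot: The `(Map<?, ?>)` cast on the value returned by `SecurityUtils.getSecurityPropertyValue(PROCESSOR_MAP, message)` throws a ClassCastException at request time if the property was configured with anything other than a Map. An `instanceof Map` check that raises a clear configuration error would make that case explicit. The processors are also written into `data.getWssConfig()` on every message. If that WSSConfig instance is shared between requests or endpoints (not visible in this hunk), a processor map scoped to one endpoint would replace the token processors for the others too, so confirm the config is per-endpoint or copy it before mutating. The enclosing method starts outside the hunk.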
 
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index e6c26001aa..13c8bf902a 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -133,18 +133,7 @@ public class WSS4JInInterceptor extends 
AbstractWSS4JInterceptor {
         // Set any custom WSS4J Processor instances that are configured
         final Map<QName, Object> processorMap = CastUtils.cast(
             (Map<?, ?>)properties.get(PROCESSOR_MAP));
-        if (processorMap != null) {
-            for (Map.Entry<QName, Object> entry : processorMap.entrySet()) {
-                Object val = entry.getValue();
-                if (val instanceof Class<?>) {
-                    config.setProcessor(entry.getKey(), (Class<?>)val);
-                } else if (val instanceof Processor) {
-                    config.setProcessor(entry.getKey(), (Processor)val);
-                } else if (val == null) {
-                    config.setProcessor(entry.getKey(), (Class<?>)null);
-                }
-            }
-        }
+        configureCustomProcessors(config, processorMap);
 
         // Set any custom WSS4J Validator instances that are configured
         Map<QName, Object> validatorMap = CastUtils.cast(
@@ -729,4 +718,18 @@ public class WSS4JInInterceptor extends 
AbstractWSS4JInterceptor {
         return WSS4JUtils.getReplayCache(message, booleanKey, instanceKey);
     }
 
+    protected void configureCustomProcessors(WSSConfig config, final 
Map<QName, Object> processorMap) {
+        if (processorMap != null) {
+            for (Map.Entry<QName, Object> entry : processorMap.entrySet()) {
+                Object val = entry.getValue();
+                if (val instanceof Class<?>) {
+                    config.setProcessor(entry.getKey(), (Class<?>)val);
+                } else if (val instanceof Processor) {
+                    config.setProcessor(entry.getKey(), (Processor)val);
+                } else if (val == null) {
+                    config.setProcessor(entry.getKey(), (Class<?>)null);
+                }
+            }
+        }
+    }
 }
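Review bot: `configureCustomProcessors` silently skips any map value that is neither a `Class`, a `Processor` nor null, so a processor supplied as a class-name string, for example, leaves the default processor in place with no sign that the override was ignored. Because this map replaces security-token processing, a final `else` branch that logs a warning naming `entry.getKey()` and `val.getClass()` would make the misconfiguration visible. As a new protected extension point the method also has no Javadoc; I would add `/** Registers the custom WSS4J processors from processorMap on config; each value may be a Processor instance, a Processor class, or null. */`. That comment should also say that a null value calls `setProcessor(key, (Class<?>)null)`, which presumably leaves that QName without a processor.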
diff --git 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/CustomUTPasswordCallback.java
 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/CustomUTPasswordCallback.java
new file mode 100644
index 0000000000..67d6eccbe8
--- /dev/null
+++ 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/CustomUTPasswordCallback.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.ws.ut;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+
+/**
+ * A CallbackHandler implementation used to test custom Processors.
+ */
+public class CustomUTPasswordCallback implements CallbackHandler {
+
+    private Map<String, String> passwords =
+        new HashMap<>();
+
+    public CustomUTPasswordCallback() {
+        passwords.put("Alice", "ecilAAlice");
+    }
+
+    /**
+     * Here, we attempt to get the password from the private
+     * alias/passwords map.
+     */
+    public void handle(Callback[] callbacks) throws IOException, 
UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
+
+            String pass = passwords.get(pc.getIdentifier());
+            if (pass != null) {
+                pc.setPassword(pass);
+                return;
+            }
+        }
+    }
+
+    /**
+     * Add an alias/password pair to the callback mechanism.
+     */
+    public void setAliasPassword(String alias, String password) {
+        passwords.put(alias, password);
+    }
+}
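Review bot: `handle` casts every element of `callbacks` to `WSPasswordCallback` without a type check, so an unexpected callback surfaces as a ClassCastException even though the method declares `UnsupportedCallbackException`. A guard before the cast, `if (!(callbacks[i] instanceof WSPasswordCallback)) { throw new UnsupportedCallbackException(callbacks[i]); }`, would match the CallbackHandler contract. The `return` after the first match also leaves any later callbacks in the array unprocessed; `continue` is safer if more than one can arrive. The method should carry `@Override`, and `passwords` can be `final`.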
diff --git 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/CustomUTProcessor.java
 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/CustomUTProcessor.java
new file mode 100644
index 0000000000..ef322cb829
--- /dev/null
+++ 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/CustomUTProcessor.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.ut;
+
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.processor.Processor;
+import org.apache.wss4j.dom.processor.UsernameTokenProcessor;
+
+/**
+ * A custom Processor that overrides the default CallbackHandler to use a 
CustomUTPasswordCallback
+ */
+public class CustomUTProcessor implements Processor {
+
+    @Override
+    public List<WSSecurityEngineResult> handleToken(Element elem, RequestData 
request) throws WSSecurityException {
+        request.setCallbackHandler(new CustomUTPasswordCallback());
+        UsernameTokenProcessor processor = new UsernameTokenProcessor();
+        return processor.handleToken(elem, request);
+    }
+}
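Review bot: `handleToken` replaces the callback handler on the `RequestData` it is given and never restores it, so any token processed later with the same `RequestData` would presumably also resolve its secrets through `CustomUTPasswordCallback`. That is harmless in this test fixture, but the class is the worked example for the new processor map and the pattern is likely to be copied. Saving the previous handler and restoring it in a `finally` keeps the override scoped to this one token. The change needs an import of `javax.security.auth.callback.CallbackHandler`.

```java
    public List<WSSecurityEngineResult> handleToken(Element elem, RequestData request) throws WSSecurityException {
        // Scope the handler override to this token only.
        CallbackHandler previous = request.getCallbackHandler();
        request.setCallbackHandler(new CustomUTPasswordCallback());
        try {
            return new UsernameTokenProcessor().handleToken(elem, request);
        } finally {
            request.setCallbackHandler(previous);
        }
    }
```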
diff --git 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java
 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java
index f990946bcd..0f16c5c435 100644
--- 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java
+++ 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java
@@ -406,5 +406,35 @@ public class UsernameTokenPolicyTest extends 
AbstractBusClientServerTestBase {
     
     }
     
+    // https://issues.apache.org/jira/browse/CXF-9167
+    // Here we're sending a UsernameToken with a password unknown by the 
default CallbackHandler on the server side,
+    // but we are overriding the UsernameToken processor to use a 
CallbackHandler that knows the password.
+    @org.junit.Test
+    public void testSupportingTokenCustomProcessor() throws Exception {
+
+        if (test.getPort().equals(STAX_PORT)) {
+            // We don't support custom processors with streaming for now
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = 
UsernameTokenPolicyTest.class.getResource("policy-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        BusFactory.setDefaultBus(bus);
+        BusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = 
UsernameTokenPolicyTest.class.getResource("DoubleItUtPolicy.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSupportingTokenPort3");
+        DoubleItPortType port =
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, test.getPort());
+
+        assertEquals(50, port.doubleIt(25));
+
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
     
 }
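Review bot: `testSupportingTokenCustomProcessor` only exercises the accept path, so it would still pass if the injected processor stopped validating the password altogether. A companion case that sends a wrong password for Alice to `DoubleItSupportingTokenPort3` and expects a fault would show that the custom processor authenticates rather than bypasses. Separately, the early `return` for `STAX_PORT` reports the streaming run as passed; `org.junit.Assume.assumeFalse(test.getPort().equals(STAX_PORT));` would report it as skipped. The enclosing class starts outside the hunk.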
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl
index 9ae032212d..7811d02939 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl
@@ -41,6 +41,9 @@
         <wsdl:port name="DoubleItSupportingTokenPort2" 
binding="tns:DoubleItInlinePolicyBinding">
             <soap:address 
location="https://localhost:9009/DoubleItSupportingToken2"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSupportingTokenPort3" 
binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address 
location="https://localhost:9009/DoubleItSupportingToken3"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItPlaintextPort" 
binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="https://localhost:9009/DoubleItPlaintext"/>
         </wsdl:port>
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-client.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-client.xml
index 884d795b78..407467f4e0 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-client.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-client.xml
@@ -60,6 +60,17 @@
             </p:policies>
         </jaxws:features>
     </jaxws:client>
+    <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItSupportingTokenPort3"; 
createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="security.username" value="Alice"/>
+            <entry key="security.callback-handler" 
value="org.apache.cxf.systest.ws.ut.CustomUTPasswordCallback"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="classpath:/org/apache/cxf/systest/ws/ut/supp-token-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
     <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPort"; 
createdFromAPI="true">
         <jaxws:properties>
             <entry key="security.username" value="Alice"/>
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-server.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-server.xml
index 5b22a3d18f..a5799350b3 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-server.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-server.xml
@@ -70,6 +70,26 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
+    <!-- Add a java QName for a WS-Security UsernameToken -->
+    <bean id="wsse-username-token" class="javax.xml.namespace.QName">
+        <constructor-arg 
value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
+        <constructor-arg value="UsernameToken"/>
+    </bean>
+    <bean id="custom-ut-processor" 
class="org.apache.cxf.systest.ws.ut.CustomUTProcessor"/>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="SupportingToken3" 
address="https://localhost:${testutil.ports.PolicyServer}/DoubleItSupportingToken3";
 serviceName="s:DoubleItService" endpointName="s:DoubleItSupportingTokenPort3" 
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" 
wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl" 
depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="wss4j.processor.map">
+                <map>
+                    <entry key-ref="wsse-username-token" 
value-ref="custom-ut-processor"/>
+                </map>
+            </entry>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="classpath:/org/apache/cxf/systest/ws/ut/supp-token-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="PlainText" 
address="https://localhost:${testutil.ports.PolicyServer}/DoubleItPlaintext"; 
serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPort" 
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" 
wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl" 
depends-on="tls-settings">
         <jaxws:properties>
             <entry key="security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
