This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 4.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/4.1.x-fixes by this push:
new 2dadd0d5af6 Wire the STSClient through to URIResolver (#3106)
2dadd0d5af6 is described below
commit 2dadd0d5af6d142616935c662c46b3e21767a44e
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 12 11:11:29 2026 +0100
Wire the STSClient through to URIResolver (#3106)
* Switch to a constant-time client secret comparison
* Use URIResolver allowlist for protocols in the STSClient
(cherry picked from commit 8c17167614943249b2c1940b905ede2e3bb4ce5f)
---
.../oauth2/services/AbstractTokenService.java | 6 +++++-
.../cxf/ws/security/trust/AbstractSTSClient.java | 6 +++++-
.../ws/security/trust/AbstractSTSClientTest.java | 23 ++++++++++++++++++++++
3 files changed, 33 insertions(+), 2 deletions(-)
diff --git
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index 8a8702cc47f..683df9b04d3 100644
---
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -19,6 +19,8 @@
package org.apache.cxf.rs.security.oauth2.services;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.List;
@@ -138,7 +140,9 @@ public class AbstractTokenService extends
AbstractOAuthService {
if (clientSecretVerifier != null) {
return clientSecretVerifier.validateClientSecret(client,
providedClientSecret);
}
- return client.getClientSecret() != null &&
client.getClientSecret().equals(providedClientSecret);
+ return client.getClientSecret() != null && providedClientSecret !=
null
+ &&
MessageDigest.isEqual(client.getClientSecret().getBytes(StandardCharsets.UTF_8),
+
providedClientSecret.getBytes(StandardCharsets.UTF_8));
}
protected boolean isValidPublicClient(Client client, String clientId) {
return canSupportPublicClients
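Review bot: `MessageDigest.isEqual` on L45 still returns early when the two arrays differ in length, so the timing of the comparison continues to reveal whether the provided secret has the same UTF-8 byte length as the stored one; only equal-length inputs get the constant-time loop. If that leak matters for this token endpoint, digest both sides with a fixed-length hash before the comparison so the compared arrays are always the same size, as sketched below. This also assumes `client.getClientSecret()` holds the plaintext secret, as the previous `equals` did; if it is stored hashed, the hashing belongs in the verifier path instead. The enclosing method's signature lies before the hunk, so whether a checked `NoSuchAlgorithmException` could propagate (and whether that import is present) is not visible here; the sketch converts it to an unchecked exception.
```java
        // … unchanged: clientSecretVerifier delegation …
        if (client.getClientSecret() == null || providedClientSecret == null) {
            return false;
        }
        // Hash both sides so the compared arrays always have the same length;
        // MessageDigest.isEqual short-circuits on a length mismatch.
        MessageDigest sha256;
        try {
            sha256 = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available on every Java platform", e);
        }
        byte[] expected = sha256.digest(client.getClientSecret().getBytes(StandardCharsets.UTF_8));
        byte[] provided = sha256.digest(providedClientSecret.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(expected, provided);
```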
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index fd7a0eac05c..9c4aac9dbd2 100755
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -79,6 +79,7 @@ import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.message.Attachment;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
+import org.apache.cxf.resource.URIResolver;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.service.Service;
@@ -640,7 +641,10 @@ public abstract class AbstractSTSClient implements
Configurable, InterceptorProv
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl",
true);
DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
- Document document = documentBuilder.parse(schemaLocation);
+ Document document;
+ try (URIResolver resolver = new URIResolver(schemaLocation)) {
+ document = documentBuilder.parse(resolver.getInputStream());
+ }
return document.getDocumentElement();
}
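Review bot: `resolver.getInputStream()` on L75 is handed straight to `parse(InputStream)`, so a location with an allowed scheme that the resolver cannot open would surface as the parser's generic `InputStream cannot be null` IllegalArgumentException instead of an error naming the schema location; if URIResolver exposes a resolved check (it appears to, via `isResolved()`, but confirm), guard with `if (!resolver.isResolved()) { throw new IOException("Cannot resolve schema location: " + schemaLocation); }` using whichever exception type the method already declares. Switching from `parse(String)` to `parse(InputStream)` also drops the systemId, so the parsed document no longer carries its base URI; `documentBuilder.parse(resolver.getInputStream(), schemaLocation)` preserves it without reintroducing the direct fetch. A why-comment on the try-with-resources would help the next reader: `// Go through URIResolver so only allowlisted URL schemes are fetched for schema locations`. downloadSchema's signature and declared exceptions lie before the hunk.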
diff --git
a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AbstractSTSClientTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AbstractSTSClientTest.java
index e91232220d3..61887908bb4 100644
---
a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AbstractSTSClientTest.java
+++
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AbstractSTSClientTest.java
@@ -33,6 +33,7 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
public class AbstractSTSClientTest {
@@ -78,6 +79,18 @@ public class AbstractSTSClientTest {
assertEquals(0, client.getDownloadSchemaInvocations());
}
+ @Test
+ public void testFtpProtocolAttemptedDownload() throws Exception {
+ DownloadingAbstractSTSClient client = new
DownloadingAbstractSTSClient(null);
+ try {
+
client.downloadSchemaWithDefaultResolver("ftp://example.org/schema.xsd");
+ fail("Expected an exception for disallowed ftp:// scheme");
+ } catch (Exception ex) {
+ assertTrue(ex.getMessage().contains("ftp"));
+ assertTrue(ex.getMessage().contains("not permitted"));
+ }
+ }
+
private static final class TestableAbstractSTSClient extends
AbstractSTSClient {
private int downloadSchemaInvocations;
private String lastDownloadedLocation;
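Review bot: `ex.getMessage().contains(...)` on L105 throws NullPointerException when the caught exception carries no message, which would report the test as an NPE inside the catch block rather than as a clear assertion failure; add `assertNotNull(ex.getMessage());` before the two contains checks, or compare against `String.valueOf(ex.getMessage())`. Catching `Exception` on L104 also accepts any failure at all, including one unrelated to the scheme allowlist from the null Bus passed on L98, so the test would pass for the wrong reason whenever the message happens to match; narrowing the catch to the type URIResolver actually throws would pin the intended behaviour. The test covers only `ftp://`; a companion case for `file:` (whichever way the allowlist treats it) would document the intended policy for local schema locations.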
@@ -102,4 +115,14 @@ public class AbstractSTSClientTest {
return lastDownloadedLocation;
}
}
+
+ private static final class DownloadingAbstractSTSClient extends
AbstractSTSClient {
+ DownloadingAbstractSTSClient(Bus bus) {
+ super(bus);
+ }
+
+ Element downloadSchemaWithDefaultResolver(String schemaLocation)
throws Exception {
+ return super.downloadSchema(schemaLocation);
+ }
+ }
}
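Review bot: The helper class on L119-L129 has no comment saying why it exists, which matters because the sibling `TestableAbstractSTSClient` in the same file appears to intercept downloadSchema to count invocations while this one deliberately calls the inherited version. Add above the class: `// Exposes the inherited downloadSchema(...) unchanged so the real URIResolver path, including its scheme allowlist, is exercised.`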