Author: coheigea
Date: Thu Jan 27 17:01:05 2011
New Revision: 1064196

URL: http://svn.apache.org/viewvc?rev=1064196&view=rev
Log:
[WSS-266] - A general review of the validator code. Also changed the test 
CallbackHandlers to reflect the fact that they just supply credentials now, 
rather than throw exceptions for failed authentication.

Modified:
    
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
    
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
    
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
    
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java
    
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
    
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Validator.java
    
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
    
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java
    
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java
    
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java
    
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java

Modified: 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
 (original)
+++ 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
 Thu Jan 27 17:01:05 2011
@@ -70,16 +70,7 @@ public class UsernameTokenProcessor impl
     }
 
     /**
-     * Check the UsernameToken element. If the password type is plaintext or 
digested, 
-     * then retrieve a password from the callback handler and authenticate the 
UsernameToken
-     * here.
-     * <p/>
-     * If the password is any other yet unknown password type then delegate 
the password
-     * validation to the callback class. Note that for unknown password types 
an exception
-     * is thrown if WSSConfig.getHandleCustomPasswordTypes() is set to false 
(as it is 
-     * by default). The security engine hands over all necessary data to the 
callback class
-     * via the WSPasswordCallback object. The usage parameter of 
WSPasswordCallback is set to
-     * <code>USERNAME_TOKEN_UNKNOWN</code>.
+     * Check the UsernameToken element and validate it.
      *
      * @param token the DOM element that contains the UsernameToken
      * @param wssConfig The WSSConfig object from which to obtain configuration

Modified: 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
 (original)
+++ 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
 Thu Jan 27 17:01:05 2011
@@ -26,7 +26,8 @@ import org.apache.ws.security.message.to
 import org.apache.ws.security.message.token.UsernameToken;
 
 /**
- * This interface describes an abstract concept of a Credential to be 
validated.
+ * This class stores various Credential types that have to be validated by a 
Validator
+ * implementation.
  */
 public class Credential {
     
@@ -35,34 +36,66 @@ public class Credential {
     private Timestamp timestamp;
     private UsernameToken usernametoken;
     
+    /**
+     * Set a PublicKey to be validated
+     * @param publicKey a PublicKey to be validated
+     */
     public void setPublicKey(PublicKey publicKey) {
         this.publicKey = publicKey;
     }
     
+    /**
+     * Get a PublicKey to be validated
+     * @return a PublicKey to be validated
+     */
     public PublicKey getPublicKey() {
         return publicKey;
     }
     
+    /**
+     * Set an X509Certificate chain to be validated
+     * @param certs an X509Certificate chain to be validated
+     */
     public void setCertificates(X509Certificate[] certs) {
         this.certs = certs;
     }
     
+    /**
+     * Get an X509Certificate chain to be validated
+     * @return an X509Certificate chain to be validated
+     */
     public X509Certificate[] getCertificates() {
         return certs;
     }
     
+    /**
+     * Set a Timestamp to be validated
+     * @param timestamp a Timestamp to be validated
+     */
     public void setTimestamp(Timestamp timestamp) {
         this.timestamp = timestamp;
     }
     
+    /**
+     * Get a Timestamp to be validated
+     * @return a Timestamp to be validated
+     */
     public Timestamp getTimestamp() {
         return timestamp;
     }
     
+    /**
+     * Set a UsernameToken to be validated
+     * @param usernametoken a UsernameToken to be validated
+     */
     public void setUsernametoken(UsernameToken usernametoken) {
         this.usernametoken = usernametoken;
     }
     
+    /**
+     * Get a UsernameToken to be validated
+     * @return a UsernameToken to be validated
+     */
     public UsernameToken getUsernametoken() {
         return usernametoken;
     }
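Review bot: `setCertificates` stores the caller's array as-is and `getCertificates` returns that same array, so the certificate chain held by a Credential can be modified by whoever still holds a reference after the processor builds it and before a Validator checks trust on it. A defensive copy on both sides is the usual fix: `this.certs = certs == null ? null : certs.clone();` in the setter and `return certs == null ? null : certs.clone();` in the getter. Whichever way it goes, the new Javadoc on `getCertificates` should say whether the returned array is shared or a copy. The Credential class body continues outside this hunk.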

Modified: 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
 (original)
+++ 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
 Thu Jan 27 17:01:05 2011
@@ -34,22 +34,32 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.components.crypto.Crypto;
 
 /**
- * This interface describes a pluggable way of validating credentials that 
have been extracted
- * by the processors.
+ * This class verifies trust in a credential used to verify a signature, which 
is extracted
+ * from the Credential passed to the validate method.
  */
 public class SignatureTrustValidator implements Validator {
     
     private static Log LOG = 
LogFactory.getLog(SignatureTrustValidator.class.getName());
     private Crypto crypto;
     
+    /**
+     * Validate the credential argument. It must contain a non-null 
X509Certificate chain
+     * or a PublicKey. A Crypto implementation is also required to be set.
+     * 
+     * This implementation first attempts to verify trust on the certificate 
(chain). If
+     * this is not successful, then it will attempt to verify trust on the 
Public Key.
+     * 
+     * @param credential the Credential to be validated
+     * @throws WSSecurityException on a failed validation
+     */
     public void validate(Credential credential) throws WSSecurityException {
         if (credential == null) {
-            throw new WSSecurityException("Credential cannot be null");
+            throw new WSSecurityException(WSSecurityException.FAILURE, 
"noCredential");
         }
         X509Certificate[] certs = credential.getCertificates();
         PublicKey publicKey = credential.getPublicKey();
         if (crypto == null) {
-            throw new WSSecurityException("Crypto instance cannot be null");
+            throw new WSSecurityException(WSSecurityException.FAILURE, 
"noSigCryptoFile");
         }
         
         if (certs != null && certs.length > 0) {
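Review bot: The `noSigCryptoFile` key now used at the Crypto null check produces "No crypto property file supplied to verify signature", which misdescribes the failure: this validator receives a Crypto instance through `setCrypto`, and no property file is involved at this point, so an operator reading the message will look in the wrong place. A dedicated key such as `noSigCryptoInstance=WSSecurityEngine: No Crypto instance supplied to verify signature trust` would match the actual misconfiguration, in the same way the new `noCredential` key does. The Javadoc's note that a failed certificate-chain check falls through to the PublicKey check is worth keeping, since the lines that implement it are not visible in this hunk; the validate method continues past its end.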
@@ -70,17 +80,32 @@ public class SignatureTrustValidator imp
                 return;
             }
         }
-        throw new 
WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION, null);
+        throw new 
WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
     }
     
+    /**
+     * Set a WSSConfig instance used to extract configured options used to 
+     * validate credentials. This method is not currently used for this 
implementation.
+     * @param wssConfig a WSSConfig instance
+     */
     public void setWSSConfig(WSSConfig wssConfig) {
         //
     }
     
+    /**
+     * Set a Crypto instance used to validate credentials. This is required 
for this
+     * implementation.
+     * @param crypto a Crypto instance used to validate credentials
+     */
     public void setCrypto(Crypto crypto) {
         this.crypto = crypto;
     }
     
+    /**
+     * Set a CallbackHandler instance used to validate credentials. This 
method is not 
+     * currently used for this implementation.
+     * @param callbackHandler a CallbackHandler instance used to validate 
credentials
+     */
     public void setCallbackHandler(CallbackHandler callbackHandler) {
         //
     }

Modified: 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java
 (original)
+++ 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java
 Thu Jan 27 17:01:05 2011
@@ -27,28 +27,38 @@ import org.apache.ws.security.components
 import org.apache.ws.security.message.token.Timestamp;
 
 /**
- * This interface describes a pluggable way of validating credentials that 
have been extracted
- * by the processors.
+ * This class validates a processed Timestamp, extracted from the Credential 
passed to
+ * the validate method.
  */
 public class TimestampValidator implements Validator {
     
     private WSSConfig wssConfig;
     
+    /**
+     * Validate the credential argument. It must contain a non-null Timestamp.
+     * 
+     * @param credential the Credential to be validated
+     * @throws WSSecurityException on a failed validation
+     */
     public void validate(Credential credential) throws WSSecurityException {
-        if (credential == null) {
-            throw new WSSecurityException("Credential cannot be null");
-        }
-        Timestamp timeStamp = credential.getTimestamp();
-        if (timeStamp == null) {
-            throw new WSSecurityException(WSSecurityException.MESSAGE_EXPIRED, 
"invalidTimestamp");
+        if (credential == null || credential.getTimestamp() == null) {
+            throw new WSSecurityException(WSSecurityException.FAILURE, 
"noCredential");
         }
         if (wssConfig == null) {
             throw new WSSecurityException("WSSConfig cannot be null");
         }
         
+        boolean timeStampStrict = true;
+        int timeStampTTL = 300;
+        if (wssConfig != null) {
+            timeStampStrict = wssConfig.isTimeStampStrict();
+            timeStampTTL = wssConfig.getTimeStampTTL();
+        }
+        
+        Timestamp timeStamp = credential.getTimestamp();
         // Validate whether the security semantics have expired
-        if ((wssConfig.isTimeStampStrict() && timeStamp.isExpired()) 
-            || !timeStamp.verifyCreated(wssConfig.getTimeStampTTL())) {
+        if ((timeStampStrict && timeStamp.isExpired()) 
+            || !timeStamp.verifyCreated(timeStampTTL)) {
             throw new WSSecurityException(
                 WSSecurityException.MESSAGE_EXPIRED,
                 "invalidTimestamp",
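Review bot: The fallback values `boolean timeStampStrict = true; int timeStampTTL = 300;` and the `if (wssConfig != null)` guard are dead as fallbacks, because the check a few lines above still throws `WSSecurityException("WSSConfig cannot be null")` whenever no WSSConfig has been set. Either the null check goes, making the config genuinely optional as the setter's new Javadoc further down the file claims, or the defaults go; keeping both leaves the next reader unsure which behaviour is intended. If the null check is dropped, the defaults deserve a comment such as `// No WSSConfig: fall back to strict expiry checking and a 300-second created-TTL (presumably matching WSSConfig's defaults — confirm)`, and the remaining bare-message exception should use an error key like the new `noCredential` rather than a literal string. The validate method continues past the end of this hunk.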
@@ -57,14 +67,29 @@ public class TimestampValidator implemen
         }
     }
     
+    /**
+     * Set a WSSConfig instance used to extract configured options used to 
+     * validate credentials. This is optional for this implementation.
+     * @param wssConfig a WSSConfig instance
+     */
     public void setWSSConfig(WSSConfig wssConfig) {
         this.wssConfig = wssConfig;
     }
     
+    /**
+     * Set a Crypto instance used to validate credentials. This method is not 
currently
+     * used for this implementation.
+     * @param crypto a Crypto instance used to validate credentials
+     */
     public void setCrypto(Crypto crypto) {
         //
     }
     
+    /**
+     * Set a CallbackHandler instance used to validate credentials. This 
method is not 
+     * currently used for this implementation.
+     * @param callbackHandler a CallbackHandler instance used to validate 
credentials
+     */
     public void setCallbackHandler(CallbackHandler callbackHandler) {
         //
     }

Modified: 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
 (original)
+++ 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
 Thu Jan 27 17:01:05 2011
@@ -36,8 +36,8 @@ import org.apache.ws.security.message.to
 import org.apache.ws.security.util.Base64;
 
 /**
- * This interface describes a pluggable way of validating credentials that 
have been extracted
- * by the processors.
+ * This class validates a processed UsernameToken, extracted from the 
Credential passed to
+ * the validate method.
  */
 public class UsernameTokenValidator implements Validator {
     
@@ -46,24 +46,38 @@ public class UsernameTokenValidator impl
     private WSSConfig wssConfig;
     private CallbackHandler callbackHandler;
     
+    /**
+     * Validate the credential argument. It must contain a non-null 
UsernameToken. A 
+     * CallbackHandler implementation is also required to be set.
+     * 
+     * If the password type is either digest or plaintext, or if the password 
is not
+     * null and the password type is null or empty, it extracts a password 
from the 
+     * CallbackHandler and then compares the passwords appropriately.
+     * 
+     * If the password type is non-standard, or if the password is null, it 
delegates
+     * the authentication to the CallbackHandler.
+     * 
+     * @param credential the Credential to be validated
+     * @throws WSSecurityException on a failed validation
+     */
     public void validate(Credential credential) throws WSSecurityException {
-        if (credential == null) {
-            throw new WSSecurityException("Credential cannot be null");
-        }
-        if (wssConfig == null) {
-            throw new WSSecurityException("WSSConfig cannot be null");
+        if (credential == null || credential.getUsernametoken() == null) {
+            throw new WSSecurityException(WSSecurityException.FAILURE, 
"noCredential");
         }
         if (callbackHandler == null) {
             throw new WSSecurityException(WSSecurityException.FAILURE, 
"noCallback");
         }
         
-        boolean handleCustomPasswordTypes = 
wssConfig.getHandleCustomPasswordTypes();
-        boolean passwordsAreEncoded = wssConfig.getPasswordsAreEncoded();
+        boolean handleCustomPasswordTypes = false;
+        boolean passwordsAreEncoded = false;
+        String requiredPasswordType = null;
+        if (wssConfig != null) {
+            handleCustomPasswordTypes = 
wssConfig.getHandleCustomPasswordTypes();
+            passwordsAreEncoded = wssConfig.getPasswordsAreEncoded();
+            requiredPasswordType = wssConfig.getRequiredPasswordType();
+        }
         
         UsernameToken usernameToken = credential.getUsernametoken();
-        if (usernameToken == null) {
-            throw new WSSecurityException("Username Token cannot be null");
-        }
         usernameToken.setPasswordsAreEncoded(passwordsAreEncoded);
         
         String user = usernameToken.getName();
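Review bot: With WSSConfig now optional, `requiredPasswordType` defaults to null, and the check later in this method only rejects a token when a required type is set, so a validator deployed without a WSSConfig enforces no password type at all and will accept a plaintext-password token where the deployment meant to require a digest. That is the same outcome as a WSSConfig with no required type configured, but it is now reachable by simply forgetting to call the setter, so the validate Javadoc should say so explicitly: `If no WSSConfig is set, custom password types are rejected, passwords are treated as unencoded, and no particular password type is required.` The fail-closed defaults chosen for `handleCustomPasswordTypes` and `passwordsAreEncoded` are the right ones. The validate method continues past the end of this hunk.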
@@ -76,7 +90,6 @@ public class UsernameTokenValidator impl
             log.debug("UsernameToken password type " + pwType);
         }
         
-        String requiredPasswordType = wssConfig.getRequiredPasswordType();
         if (requiredPasswordType != null && 
!requiredPasswordType.equals(pwType)) {
             if (log.isDebugEnabled()) {
                 log.debug("Authentication failed as the received password type 
does not " 
@@ -85,7 +98,6 @@ public class UsernameTokenValidator impl
             throw new 
WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
         }
         
-        
         //
         // If the UsernameToken is hashed or plaintext, then retrieve the 
password from the
         // callback handler and compare directly. If the UsernameToken is of 
some unknown type,
@@ -167,14 +179,29 @@ public class UsernameTokenValidator impl
         
     }
     
+    /**
+     * Set a WSSConfig instance used to extract configured options used to 
+     * validate credentials. This is optional for this implementation.
+     * @param wssConfig a WSSConfig instance
+     */
     public void setWSSConfig(WSSConfig wssConfig) {
         this.wssConfig = wssConfig;
     }
     
+    /**
+     * Set a Crypto instance used to validate credentials. This method is not 
currently
+     * used for this implementation.
+     * @param crypto a Crypto instance used to validate credentials
+     */
     public void setCrypto(Crypto crypto) {
         //
     }
     
+    /**
+     * Set a CallbackHandler instance used to validate credentials. This is 
required for
+     * this implementation.
+     * @param callbackHandler a CallbackHandler instance used to validate 
credentials
+     */
     public void setCallbackHandler(CallbackHandler callbackHandler) {
         this.callbackHandler = callbackHandler;
     }

Modified: 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Validator.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Validator.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Validator.java
 (original)
+++ 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Validator.java
 Thu Jan 27 17:01:05 2011
@@ -31,12 +31,30 @@ import org.apache.ws.security.components
  */
 public interface Validator {
     
+    /**
+     * Validate the credential argument. 
+     * @param credential the Credential to be validated
+     * @throws WSSecurityException on a failed validation
+     */
     public void validate(Credential credential) throws WSSecurityException;
     
+    /**
+     * Set a Crypto instance used to validate credentials
+     * @param crypto a Crypto instance used to validate credentials
+     */
     public void setCrypto(Crypto crypto);
     
+    /**
+     * Set a CallbackHandler instance used to validate credentials
+     * @param callbackHandler a CallbackHandler instance used to validate 
credentials
+     */
     public void setCallbackHandler(CallbackHandler callbackHandler);
     
+    /**
+     * Set a WSSConfig instance used to extract configured options used to 
+     * validate credentials
+     * @param wssConfig a WSSConfig instance
+     */
     public void setWSSConfig(WSSConfig wssConfig);
     
 }
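Review bot: The new Javadoc on `validate` does not state what the three setters mean for it: the implementations in this commit throw `WSSecurityException` with `noCredential`, `noCallback` or `noSigCryptoFile` when a collaborator they need is missing, so the contract that the setters are invoked before `validate`, and that an implementation may reject a missing Crypto, CallbackHandler or WSSConfig, belongs on the interface rather than being discoverable only from each class. A sentence on `validate` such as `Implementations must throw WSSecurityException rather than return normally on any failure, including a missing collaborator that the implementation requires.` would pin that down for third-party implementors.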

Modified: 
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
 (original)
+++ 
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
 Thu Jan 27 17:01:05 2011
@@ -54,6 +54,7 @@ noCert = No certificate provided
 noSigCryptoFile=WSSecurityEngine: No crypto property file supplied to verify 
signature
 noDecCryptoFile=WSSecurityEngine: No crypto property file supplied for 
decryption
 noCallback=WSSecurityEngine: No password callback supplied
+noCredential=WSSecurityEngine: No Credential was supplied to the Validator
 noPassword=WSSecurityEngine: Callback supplied no password for: {0}
 noKey=WSSecurityEngine: Callback supplied no key for: {0}
 noEncAlgo=WSSecurityEngine: xenc:EncryptedKey does not contain 
xenc:EncryptionMethod/@Algorithm

Modified: 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java
 (original)
+++ 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java
 Thu Jan 27 17:01:05 2011
@@ -54,8 +54,6 @@ public class EncodedPasswordCallbackHand
                     }
                     break;
                 }
-                default:
-                    throw new IOException("Authentication failed");
                 }
             } else {
                 throw new UnsupportedCallbackException(callbacks[i], 
"Unrecognized Callback");

Modified: 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java
 (original)
+++ 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java
 Thu Jan 27 17:01:05 2011
@@ -55,8 +55,6 @@ public class SecretKeyCallbackHandler im
                     pc.setKey(outboundSecret);
                     break;
                 }
-                default:
-                    throw new IOException("Authentication failed");
                 }
             } else {
                 throw new UnsupportedCallbackException(callbacks[i], 
"Unrecognized Callback");

Modified: 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java
 (original)
+++ 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java
 Thu Jan 27 17:01:05 2011
@@ -60,8 +60,6 @@ public class UsernamePasswordCallbackHan
                     }
                     break;
                 }
-                default:
-                    throw new IOException("Authentication failed");
                 }
             } else {
                 throw new UnsupportedCallbackException(callbacks[i], 
"Unrecognized Callback");

Modified: 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java?rev=1064196&r1=1064195&r2=1064196&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
 (original)
+++ 
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
 Thu Jan 27 17:01:05 2011
@@ -137,6 +137,7 @@ public class SymmetricSignatureTest exte
         );
 
         Document signedDoc = sign.build(doc, crypto, secHeader);
+        encrKey.prependToHeader(secHeader);
         
         if (LOG.isDebugEnabled()) {
             LOG.debug("Signed symmetric message DR:");
@@ -144,6 +145,8 @@ public class SymmetricSignatureTest exte
                 
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
             LOG.debug(outputString);
         }
+        
+        verify(signedDoc);
     }
 
     /**

