Author: coheigea
Date: Tue Feb 8 11:59:08 2011
New Revision: 1068350
URL: http://svn.apache.org/viewvc?rev=1068350&view=rev
Log:
[WSS-266] - Cleanup of WSPasswordCallback usage switches.
- Removed some redundant libraries.
Removed:
webservices/wss4j/trunk/legal/LICENSE.commons-collections
webservices/wss4j/trunk/legal/LICENSE.commons-lang
webservices/wss4j/trunk/lib/commons-collections-3.1.jar
webservices/wss4j/trunk/lib/commons-lang-2.1.jar
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/CustomTokenPrincipal.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSPasswordCallback.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/X509Util.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/CustomTokenPrincipal.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/CustomTokenPrincipal.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/CustomTokenPrincipal.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/CustomTokenPrincipal.java
Tue Feb 8 11:59:08 2011
@@ -26,10 +26,10 @@ import java.security.Principal;
public class CustomTokenPrincipal implements Principal, Serializable {
-
private Element tokenElement;
private String name;
private Object tokenObject;
+ private boolean requiresFurtherAuthentication = false;
public Object getTokenObject() {
return tokenObject;
@@ -54,5 +54,13 @@ public class CustomTokenPrincipal implem
public void setTokenElement(Element tokenElement) {
this.tokenElement = tokenElement;
}
+
+ public void setRequiresFurtherAuthentication(boolean
requiresFurtherAuthentication) {
+ this.requiresFurtherAuthentication = requiresFurtherAuthentication;
+ }
+
+ public boolean isRequiresFurtherAuthentication() {
+ return requiresFurtherAuthentication;
+ }
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
Tue Feb 8 11:59:08 2011
@@ -409,7 +409,7 @@ public class WSConstants {
public static final int SCT = 0x400; //SecurityContextToken
public static final int DKT = 0x800; //DerivedKeyToken
public static final int BST = 0x1000; //BinarySecurityToken
- public static final int UT_UNKNOWN = 0x2000; // perform UsernameToken
+ public static final int UT_NOPASSWORD = 0x2000; // perform UsernameToken
/**
* Length of UsernameToken derived key used by .NET WSE to sign a message.
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSPasswordCallback.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSPasswordCallback.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSPasswordCallback.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSPasswordCallback.java
Tue Feb 8 11:59:08 2011
@@ -25,57 +25,84 @@ import javax.security.auth.callback.Call
/**
* Simple class to provide a password callback mechanism.
- * <p/>
+ *
* It uses the JAAS authentication mechanisms and callback methods.
* In addition to the identifier (user name) this class also provides
* information what type of information the callback <code>handle</code>
* method shall provide.
- * <p/>
- * The <code> WSPasswordCallback</code> class defines the following usage
- * codes:
- * <ul>
- * <li><code>UNKNOWN</code> - an unknown usage. Never used by the WSS4J
- * implementation and shall be treated as an error by the <code>handle
- * </code> method.</li>
- * <li><code>DECRYPT</code> - need a password to get the private key of
- * this identifier (username) from the keystore. WSS4J uses this private
- * key to decrypt the session (symmetric) key. Because the encryption
- * method uses the public key to encrypt the session key it needs no
- * password (a public key is usually not protected by a password).</li>
- * <li><code>USERNAME_TOKEN</code> - need the password to fill in or to
- * verify a <code>UsernameToken</code>.</li>
- * <li><code>SIGNATURE</code> - need the password to get the private key of
- * this identifier (username) from the keystore. WSS4J uses this private
- * key to produce a signature. The signature verification uses the public
- * key to verify the signature.</li>
- * <li><code>KEY_NAME</code> - need the <i>key</i>, not the password,
- * associated with the identifier. WSS4J uses this key to encrypt or
- * decrypt parts of the SOAP request. Note, the key must match the
- * symmetric encryption/decryption algorithm specified (refer to
- * {@link
org.apache.ws.security.handler.WSHandlerConstants#ENC_SYM_ALGO}).</li>
- * <li><code>USERNAME_TOKEN_UNKNOWN</code> - A not specified password type.
- * In this case <b>only</b> the password variable is <b>set</b>. The callback
- * class now may check if the username and password match. If they don't match
- * the callback class must throw an exception. The exception can be a
- * UnsupportedCallbackException or an IOException.</li>
- * <li><code>SECURITY_CONTEXT_TOKEN</code> - need the key to to be associated
- * with a <code>wsc:SecurityContextToken</code>.</li>
- * </ul>
*
* @author Werner Dittmann ([email protected]).
*/
-
public class WSPasswordCallback implements Callback {
+ /**
+ * An unknown usage. Never used by the WSS4J implementation and should be
treated
+ * as an error.
+ */
public static final int UNKNOWN = 0;
+
+ /**
+ * DECRYPT usage is used when the calling code needs a password to get the
private key of
+ * this identifier (alias) from a keystore. This is only used for the
inbound case of
+ * decrypting a session (symmetric) key, and not for the case of getting a
private key to
+ * sign the message. The CallbackHandler must set the password via the
setPassword(String)
+ * method.
+ */
public static final int DECRYPT = 1;
+
+ /**
+ * USERNAME_TOKEN usage is used to obtain a password for either creating a
Username Token,
+ * or for validating it. It is also used for the case of deriving a key
from a Username Token.
+ * The CallbackHandler must set the password via the setPassword(String)
method.
+ */
public static final int USERNAME_TOKEN = 2;
+
+ /**
+ * SIGNATURE usage is used on the outbound side only, to get a password to
get the private
+ * key of this identifier (alias) from a keystore. The CallbackHandler
must set the password
+ * via the setPassword(String) method.
+ */
public static final int SIGNATURE = 3;
+
+ /**
+ * This identifier is deprecated and not used any more.
+ */
+ @Deprecated
public static final int KEY_NAME = 4;
+
+ /**
+ * This identifier is deprecated and not used any more.
+ */
+ @Deprecated
public static final int USERNAME_TOKEN_UNKNOWN = 5;
- public final static int SECURITY_CONTEXT_TOKEN = 6;
- public final static int CUSTOM_TOKEN = 7;
- public final static int ENCRYPTED_KEY_TOKEN = 8;
+
+ /**
+ * SECURITY_CONTEXT_TOKEN usage is for the case of when we want the
CallbackHandler to
+ * supply the key associated with a SecurityContextToken. The
CallbackHandler must set
+ * the key via the setKey(byte[]) method.
+ */
+ public static final int SECURITY_CONTEXT_TOKEN = 6;
+
+ /**
+ * CUSTOM_TOKEN usage is used for the case that we want the
CallbackHandler to supply a
+ * token as a DOM Element. For example, this is used for the case of a
reference to a
+ * SAML Assertion or Security Context Token that is not in the message.
The CallbackHandler
+ * must set the token via the setCustomToken(Element) method.
+ */
+ public static final int CUSTOM_TOKEN = 7;
+
+ /**
+ * This identifier is deprecated and not used any more.
+ */
+ @Deprecated
+ public static final int ENCRYPTED_KEY_TOKEN = 8;
+
+ /**
+ * SECRET_KEY usage is used for the case that we want to obtain a secret
key for encryption
+ * or signature on the outbound side, or for decryption or verification on
the inbound side.
+ * The CallbackHandler must set the key via the setKey(byte[]) method.
+ */
+ public static final int SECRET_KEY = 9;
private String identifier;
private String password;
@@ -118,12 +145,7 @@ public class WSPasswordCallback implemen
}
/**
- * Extended callback interface allows for setting the username as well.
- * Callback functions can change the identifier, this is intended in the
usernametoken scenario
- * where the usernametoken denotes the identity, but a fixed identity for
signing is used
- * The initial value is that from the configuration file. If this method
is not called, the
- * configured identity is used.
- *
+ * Set the identifier
* @param ident The identity.
*/
public void setIdentifier(String ident) {
@@ -179,28 +201,26 @@ public class WSPasswordCallback implemen
public int getUsage() {
return usage;
}
+
/**
- * The password type is only relevant for usage <code>USERNAME_TOKEN</code>
- * and <code>USERNAME_TOKEN_UNKNOWN</code>.
- *
- * @return Returns the passwordType.
+ * @return Returns the type.
*/
- public String getPasswordType() {
+ public String getType() {
return type;
}
/**
- * The key type is only relevant for usage <code>ENCRYPTED_KEY_TOKEN</code>
*
- * @return Returns the type.
+ * @return the custom token
*/
- public String getKeyType() {
- return type;
- }
public Element getCustomToken() {
return customToken;
}
+ /**
+ * Set the custom token
+ * @param customToken
+ */
public void setCustomToken(Element customToken) {
this.customToken = customToken;
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
Tue Feb 8 11:59:08 2011
@@ -45,10 +45,10 @@ import javax.security.auth.callback.Call
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
-import java.util.concurrent.ConcurrentHashMap;
/**
@@ -62,7 +62,7 @@ import java.util.concurrent.ConcurrentHa
public abstract class WSHandler {
private static Log log = LogFactory.getLog(WSHandler.class.getName());
protected WSSecurityEngine secEngine = new WSSecurityEngine();
- protected Map<String, Crypto> cryptos = new ConcurrentHashMap<String,
Crypto>();
+ protected Map<String, Crypto> cryptos = new HashMap<String, Crypto>();
private boolean doDebug = log.isDebugEnabled();
@@ -557,7 +557,7 @@ public abstract class WSHandler {
String keyId = getString(WSHandlerConstants.SIG_KEY_ID, mc);
if (keyId != null) {
- Integer id = (Integer) WSHandlerConstants.keyIdentifier.get(keyId);
+ Integer id = (Integer) WSHandlerConstants.getKeyIdentifier(keyId);
if (id == null) {
throw new WSSecurityException(
"WSHandler: Signature: unknown key identification"
@@ -623,7 +623,7 @@ public abstract class WSHandler {
*/
String encKeyId = getString(WSHandlerConstants.ENC_KEY_ID, mc);
if (encKeyId != null) {
- Integer id = (Integer)
WSHandlerConstants.keyIdentifier.get(encKeyId);
+ Integer id = (Integer)
WSHandlerConstants.getKeyIdentifier(encKeyId);
if (id == null) {
throw new WSSecurityException(
"WSHandler: Encryption: unknown key identification"
@@ -883,16 +883,14 @@ public abstract class WSHandler {
switch (doAction) {
case WSConstants.UT:
- reason = WSPasswordCallback.USERNAME_TOKEN;
- break;
case WSConstants.UT_SIGN:
- reason = WSPasswordCallback.USERNAME_TOKEN_UNKNOWN;
+ reason = WSPasswordCallback.USERNAME_TOKEN;
break;
case WSConstants.SIGN:
reason = WSPasswordCallback.SIGNATURE;
break;
case WSConstants.ENCR:
- reason = WSPasswordCallback.KEY_NAME;
+ reason = WSPasswordCallback.SECRET_KEY;
break;
}
return new WSPasswordCallback(username, reason);
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
Tue Feb 8 11:59:08 2011
@@ -20,8 +20,9 @@
package org.apache.ws.security.handler;
import org.apache.ws.security.WSConstants;
+
+import java.util.HashMap;
import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
/**
* This class defines the names, actions, and other string for the deployment
@@ -828,6 +829,13 @@ public class WSHandlerConstants {
*/
public static final String USE_ENCODED_PASSWORDS = "useEncodedPasswords";
+ /*
+ * internally used property names to store values inside the message
context
+ * that must have the same livetime as a message (request/response model).
+ */
+ public static final String SEND_SIGV = "_sendSignatureValues_";
+ public static final String SIG_CONF_DONE = "_sigConfDone_";
+
/**
* Define the parameter values to set the key identifier types. These are:
* <ul>
@@ -848,8 +856,7 @@ public class WSHandlerConstants {
* </ul>
* See {@link #SIG_KEY_ID} {@link #ENC_KEY_ID}.
*/
- public static Map<String, Integer> keyIdentifier =
- new ConcurrentHashMap<String, Integer>();
+ private static Map<String, Integer> keyIdentifier = new HashMap<String,
Integer>();
static {
keyIdentifier.put("DirectReference",
@@ -867,11 +874,14 @@ public class WSHandlerConstants {
keyIdentifier.put("EncryptedKeySHA1",
new Integer(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER));
}
- /*
- * internally used property names to store values inside the message
context
- * that must have the same livetime as a message (request/response model).
+
+ /**
+ * Get the key identifier type corresponding to the parameter
+ * @param parameter
+ * @return the key identifier type corresponding to the parameter
*/
- public static final String SEND_SIGV = "_sendSignatureValues_";
- public static final String SIG_CONF_DONE = "_sigConfDone_";
+ public static Integer getKeyIdentifier(String parameter) {
+ return keyIdentifier.get(parameter);
+ }
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
Tue Feb 8 11:59:08 2011
@@ -490,7 +490,7 @@ public class UsernameToken {
WSPasswordCallback pwCb =
new WSPasswordCallback(
getName(), getPassword(), getPasswordType(),
- WSPasswordCallback.USERNAME_TOKEN_UNKNOWN
+ WSPasswordCallback.USERNAME_TOKEN
);
try {
callbackHandler.handle(new Callback[]{pwCb});
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
Tue Feb 8 11:59:08 2011
@@ -126,8 +126,9 @@ public class SignatureProcessor implemen
publicKey = parseKeyValue(keyInfoElement);
Credential credential = new Credential();
credential.setPublicKey(publicKey);
- validator.validate(credential);
principal = new PublicKeyPrincipal(publicKey);
+ credential.setPrincipal(principal);
+ validator.validate(credential);
} else {
STRParser strParser = new SignatureSTRParser();
Map<String, Object> parameters = new HashMap<String, Object>();
@@ -142,10 +143,12 @@ public class SignatureProcessor implemen
certs = strParser.getCertificates();
publicKey = strParser.getPublicKey();
secretKey = strParser.getSecretKey();
- if (certs != null || publicKey != null) {
- Credential credential = new Credential();
- credential.setPublicKey(publicKey);
- credential.setCertificates(certs);
+
+ Credential credential = new Credential();
+ credential.setPublicKey(publicKey);
+ credential.setCertificates(certs);
+ credential.setPrincipal(principal);
+ if (publicKey != null || certs != null) {
validator.validate(credential);
}
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java
Tue Feb 8 11:59:08 2011
@@ -71,7 +71,7 @@ public class UsernameTokenProcessor impl
int action = WSConstants.UT;
if (token.getPassword() == null) {
- action = WSConstants.UT_UNKNOWN;
+ action = WSConstants.UT_NOPASSWORD;
}
WSSecurityEngineResult result =
new WSSecurityEngineResult(action, token, principal);
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/X509Util.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/X509Util.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/X509Util.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/X509Util.java
Tue Feb 8 11:59:08 2011
@@ -93,7 +93,7 @@ public class X509Util {
if (keyName == null || keyName.length() <= 0) {
throw new
WSSecurityException(WSSecurityException.INVALID_SECURITY, "noKeyname");
}
- WSPasswordCallback pwCb = new WSPasswordCallback(keyName,
WSPasswordCallback.KEY_NAME);
+ WSPasswordCallback pwCb = new WSPasswordCallback(keyName,
WSPasswordCallback.SECRET_KEY);
try {
cb.handle(new Callback[]{pwCb});
} catch (IOException e) {
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
Tue Feb 8 11:59:08 2011
@@ -125,7 +125,7 @@ public class SAMLUtil {
) throws WSSecurityException {
if (cb != null) {
WSPasswordCallback pwcb =
- new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
+ new WSPasswordCallback(id, WSPasswordCallback.SECRET_KEY);
try {
cb.handle(new Callback[]{pwcb});
} catch (Exception e1) {
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
Tue Feb 8 11:59:08 2011
@@ -91,7 +91,7 @@ public class DerivedKeyTokenSTRParser im
if (result != null) {
int action =
((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
- if (WSConstants.UT_UNKNOWN == action || WSConstants.UT == action) {
+ if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT ==
action) {
UsernameToken usernameToken =
(UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
usernameToken.setRawPassword(cb);
@@ -115,11 +115,16 @@ public class DerivedKeyTokenSTRParser im
}
} else if (result == null && uri != null) {
// Now use the callback and get it
- secretKey = getSecret(cb, uri);
+ secretKey =
+ getSecretKeyFromToken(uri, null,
WSPasswordCallback.SECURITY_CONTEXT_TOKEN, cb);
} else if (keyIdentifierValue != null && keyIdentifierValueType !=
null) {
X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
if (certs == null || certs.length < 1 || certs[0] == null) {
- secretKey = this.getSecret(cb, keyIdentifierValue,
keyIdentifierValueType);
+ secretKey =
+ this.getSecretKeyFromToken(
+ keyIdentifierValue, keyIdentifierValueType,
+ WSPasswordCallback.SECRET_KEY, cb
+ );
} else {
secretKey = this.getSecret(cb, crypto, certs);
}
@@ -162,67 +167,37 @@ public class DerivedKeyTokenSTRParser im
return secretKey;
}
- private byte[] getSecret(CallbackHandler cb, String id) throws
WSSecurityException {
- if (cb == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
"noCallback");
- }
-
- WSPasswordCallback callback =
- new WSPasswordCallback(id,
WSPasswordCallback.SECURITY_CONTEXT_TOKEN);
- try {
- Callback[] callbacks = new Callback[]{callback};
- cb.handle(callbacks);
- } catch (IOException e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noKey",
- new Object[] {id},
- e
- );
- } catch (UnsupportedCallbackException e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noKey",
- new Object[] {id},
- e
- );
- }
-
- return callback.getKey();
- }
-
- private byte[] getSecret(
- CallbackHandler cb,
- String keyIdentifierValue,
- String keyIdentifierType
+ /**
+ * Get the Secret Key from a CallbackHandler
+ * @param id The id of the element
+ * @param type The type of the element (may be null)
+ * @param cb The CallbackHandler object
+ * @return A Secret Key
+ * @throws WSSecurityException
+ */
+ private byte[] getSecretKeyFromToken(
+ String id,
+ String type,
+ int identifier,
+ CallbackHandler cb
) throws WSSecurityException {
- if (cb == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
"noCallback");
+ if (id.charAt(0) == '#') {
+ id = id.substring(1);
}
-
WSPasswordCallback pwcb =
- new WSPasswordCallback(
- keyIdentifierValue, null, keyIdentifierType,
WSPasswordCallback.ENCRYPTED_KEY_TOKEN
- );
+ new WSPasswordCallback(id, null, type, identifier);
try {
Callback[] callbacks = new Callback[]{pwcb};
cb.handle(callbacks);
- } catch (IOException e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noKey",
- new Object[] {keyIdentifierValue},
- e
- );
- } catch (UnsupportedCallbackException e) {
+ } catch (Exception e) {
throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noKey",
- new Object[] {keyIdentifierValue},
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[] {id},
e
);
}
-
+
return pwcb.getKey();
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
Tue Feb 8 11:59:08 2011
@@ -106,22 +106,8 @@ public class SecurityTokenRefSTRParser i
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
}
} else {
- // Try custom token
- WSPasswordCallback pwcb =
- new WSPasswordCallback(id,
WSPasswordCallback.CUSTOM_TOKEN);
- try {
- Callback[] callbacks = new Callback[]{pwcb};
- cb.handle(callbacks);
- } catch (Exception e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noPassword",
- new Object[] {id},
- e
- );
- }
- secretKey = pwcb.getKey();
-
+ // Try asking the CallbackHandler for the secret key
+ secretKey = getSecretKeyFromToken(id, null, cb);
if (secretKey == null) {
throw new WSSecurityException(
WSSecurityException.FAILED_CHECK,
"unsupportedKeyId"
@@ -140,27 +126,10 @@ public class SecurityTokenRefSTRParser i
// secret in them
secretKey = samlKi.getSecret();
} else {
- String keyIdentifierValue = secRef.getKeyIdentifierValue();
- WSPasswordCallback pwcb =
- new WSPasswordCallback(
- keyIdentifierValue,
- null,
- secRef.getKeyIdentifierValueType(),
- WSPasswordCallback.ENCRYPTED_KEY_TOKEN
- );
-
- try {
- Callback[] callbacks = new Callback[]{pwcb};
- cb.handle(callbacks);
- } catch (Exception e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noPassword",
- new Object[] {keyIdentifierValue},
- e
+ secretKey =
+ getSecretKeyFromToken(
+ secRef.getKeyIdentifierValue(),
secRef.getKeyIdentifierValueType(), cb
);
- }
- secretKey = pwcb.getKey();
}
} else {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
"noReference");
@@ -199,5 +168,37 @@ public class SecurityTokenRefSTRParser i
return secretKey;
}
+ /**
+ * Get the Secret Key from a CallbackHandler
+ * @param id The id of the element
+ * @param type The type of the element (may be null)
+ * @param cb The CallbackHandler object
+ * @return A Secret Key
+ * @throws WSSecurityException
+ */
+ private byte[] getSecretKeyFromToken(
+ String id,
+ String type,
+ CallbackHandler cb
+ ) throws WSSecurityException {
+ if (id.charAt(0) == '#') {
+ id = id.substring(1);
+ }
+ WSPasswordCallback pwcb =
+ new WSPasswordCallback(id, null, type,
WSPasswordCallback.SECRET_KEY);
+ try {
+ Callback[] callbacks = new Callback[]{pwcb};
+ cb.handle(callbacks);
+ } catch (Exception e) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[] {id},
+ e
+ );
+ }
+
+ return pwcb.getKey();
+ }
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Tue Feb 8 11:59:08 2011
@@ -128,6 +128,9 @@ public class SignatureSTRParser implemen
}
secretKey = samlKi.getSecret();
principal = createPrincipalFromSAMLKeyInfo(samlKi,
assertion);
+ if (secretKey != null && certs == null) {
+
((CustomTokenPrincipal)principal).setRequiresFurtherAuthentication(false);
+ }
} else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)){
EncryptedKeyProcessor proc =
new EncryptedKeyProcessor();
@@ -139,14 +142,15 @@ public class SignatureSTRParser implemen
WSSecurityEngineResult.TAG_SECRET
);
principal = new
CustomTokenPrincipal(token.getAttribute("Id"));
+
((CustomTokenPrincipal)principal).setRequiresFurtherAuthentication(false);
} else {
String id = secRef.getReference().getURI();
- secretKey = getSecretKeyFromCustomToken(id, cb);
+ secretKey = getSecretKeyFromToken(id, null, cb);
principal = new CustomTokenPrincipal(id);
}
} else {
int action =
((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
- if (WSConstants.UT_UNKNOWN == action || WSConstants.UT ==
action) {
+ if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT ==
action) {
UsernameToken usernameToken =
(UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
@@ -165,6 +169,7 @@ public class SignatureSTRParser implemen
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
String id =
(String)result.get(WSSecurityEngineResult.TAG_ID);
principal = new CustomTokenPrincipal(id);
+
((CustomTokenPrincipal)principal).setRequiresFurtherAuthentication(false);
} else if (WSConstants.SCT == action) {
secretKey =
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
SecurityContextToken sct =
@@ -199,6 +204,9 @@ public class SignatureSTRParser implemen
secretKey = keyInfo.getSecret();
publicKey = keyInfo.getPublicKey();
principal = createPrincipalFromSAMLKeyInfo(keyInfo,
assertion);
+ if (secretKey != null && certs == null && publicKey ==
null) {
+
((CustomTokenPrincipal)principal).setRequiresFurtherAuthentication(false);
+ }
}
}
} else if (secRef.containsX509Data() ||
secRef.containsX509IssuerSerial()) {
@@ -209,7 +217,8 @@ public class SignatureSTRParser implemen
} else if (secRef.containsKeyIdentifier()) {
if
(secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI))
{
String id = secRef.getKeyIdentifierValue();
- secretKey = getSecretKeyFromEncKeySHA1KI(id, cb);
+ secretKey =
+ getSecretKeyFromToken(id,
SecurityTokenReference.ENC_KEY_SHA1_URI, cb);
principal = new CustomTokenPrincipal(id);
} else if
(WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
||
WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()))
{
@@ -225,6 +234,9 @@ public class SignatureSTRParser implemen
secretKey = samlKi.getSecret();
publicKey = samlKi.getPublicKey();
principal = createPrincipalFromSAMLKeyInfo(samlKi, assertion);
+ if (secretKey != null && certs == null && publicKey == null) {
+
((CustomTokenPrincipal)principal).setRequiresFurtherAuthentication(false);
+ }
} else {
X509Certificate[] foundCerts = secRef.getKeyIdentifier(crypto);
if (foundCerts != null) {
@@ -349,21 +361,23 @@ public class SignatureSTRParser implemen
}
/**
- * Get the Secret Key from a CallbackHandler for a custom token
+ * Get the Secret Key from a CallbackHandler
* @param id The id of the element
+ * @param type The type of the element (can be null)
* @param cb The CallbackHandler object
* @return A Secret Key
* @throws WSSecurityException
*/
- private byte[] getSecretKeyFromCustomToken(
+ private byte[] getSecretKeyFromToken(
String id,
+ String type,
CallbackHandler cb
) throws WSSecurityException {
if (id.charAt(0) == '#') {
id = id.substring(1);
}
WSPasswordCallback pwcb =
- new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
+ new WSPasswordCallback(id, null, type,
WSPasswordCallback.SECRET_KEY);
try {
Callback[] callbacks = new Callback[]{pwcb};
cb.handle(callbacks);
@@ -379,36 +393,5 @@ public class SignatureSTRParser implemen
return pwcb.getKey();
}
- /**
- * Get the Secret Key from a CallbackHandler for the Encrypted Key SHA1
case.
- * @param id The id of the element
- * @param cb The CallbackHandler object
- * @return A Secret Key
- * @throws WSSecurityException
- */
- private byte[] getSecretKeyFromEncKeySHA1KI(
- String id,
- CallbackHandler cb
- ) throws WSSecurityException {
- WSPasswordCallback pwcb =
- new WSPasswordCallback(
- id,
- null,
- SecurityTokenReference.ENC_KEY_SHA1_URI,
- WSPasswordCallback.ENCRYPTED_KEY_TOKEN
- );
- try {
- Callback[] callbacks = new Callback[]{pwcb};
- cb.handle(callbacks);
- } catch (Exception e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noPassword",
- new Object[] {id},
- e
- );
- }
- return pwcb.getKey();
- }
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/Credential.java
Tue Feb 8 11:59:08 2011
@@ -19,6 +19,7 @@
package org.apache.ws.security.validate;
+import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
@@ -28,7 +29,8 @@ import org.apache.ws.security.saml.ext.A
/**
* This class stores various Credential types that have to be validated by a
Validator
- * implementation.
+ * implementation. It also stores an optional Principal object which can
provide context
+ * information to the validators.
*/
public class Credential {
@@ -37,6 +39,7 @@ public class Credential {
private Timestamp timestamp;
private UsernameToken usernametoken;
private AssertionWrapper assertion;
+ private Principal principal;
/**
* Set a PublicKey to be validated
@@ -118,4 +121,20 @@ public class Credential {
return assertion;
}
+ /**
+ * Set the principal that supplies context information to the validators.
+ * @param principal the principal that supplies context information to the
validators
+ */
+ public void setPrincipal(Principal principal) {
+ this.principal = principal;
+ }
+
+ /**
+ * Get the principal
+ * @return the principal
+ */
+ public Principal getPrincipal() {
+ return principal;
+ }
+
}
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/EncodedPasswordCallbackHandler.java
Tue Feb 8 11:59:08 2011
@@ -37,23 +37,14 @@ public class EncodedPasswordCallbackHand
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
- switch (pc.getUsage()) {
- case WSPasswordCallback.USERNAME_TOKEN: {
+ if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
if ("wernerd".equals(pc.getIdentifier())) {
// Base64 encoded SHA-1 hash of "verySecret"
pc.setPassword("hGqoUreBgahTJblQ3DbJIkE6uNs=");
- }
- break;
- }
- case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN: {
- if ("bob".equals(pc.getIdentifier())) {
+ } else if ("bob".equals(pc.getIdentifier())) {
// Base64 encoded SHA-1 hash of "security"
pc.setPassword("jux7xGGAjguKKHg9C+waOiLrCCE=");
- } else {
- throw new IOException("Authentication failed");
}
- break;
- }
}
} else {
throw new UnsupportedCallbackException(callbacks[i],
"Unrecognized Callback");
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SecretKeyCallbackHandler.java
Tue Feb 8 11:59:08 2011
@@ -45,16 +45,15 @@ public class SecretKeyCallbackHandler im
if (callbacks[i] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
switch (pc.getUsage()) {
- case WSPasswordCallback.ENCRYPTED_KEY_TOKEN:
+ case WSPasswordCallback.SECRET_KEY:
case WSPasswordCallback.SECURITY_CONTEXT_TOKEN: {
byte[] secret = (byte[])
this.secrets.get(pc.getIdentifier());
+ if (secret == null) {
+ secret = outboundSecret;
+ }
pc.setKey(secret);
break;
}
- case WSPasswordCallback.KEY_NAME: {
- pc.setKey(outboundSecret);
- break;
- }
}
} else {
throw new UnsupportedCallbackException(callbacks[i],
"Unrecognized Callback");
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/UsernamePasswordCallbackHandler.java
Tue Feb 8 11:59:08 2011
@@ -46,19 +46,10 @@ public class UsernamePasswordCallbackHan
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
- switch (pc.getUsage()) {
- case WSPasswordCallback.USERNAME_TOKEN: {
+ if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
pc.setPassword(users.get(pc.getIdentifier()));
break;
}
- case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN: {
- String password = users.get(pc.getIdentifier());
- if (password != null) {
- pc.setPassword(password);
- }
- break;
- }
- }
} else {
throw new UnsupportedCallbackException(callbacks[i],
"Unrecognized Callback");
}
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java?rev=1068350&r1=1068349&r2=1068350&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java
Tue Feb 8 11:59:08 2011
@@ -375,7 +375,7 @@ public class UsernameTokenTest extends o
List<WSSecurityEngineResult> results = verify(signedDoc);
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(results, WSConstants.UT_UNKNOWN);
+ WSSecurityUtil.fetchActionResult(results,
WSConstants.UT_NOPASSWORD);
UsernameToken receivedToken =
(UsernameToken)
actionResult.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
assertTrue(receivedToken != null);
@@ -663,19 +663,14 @@ public class UsernameTokenTest extends o
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
- if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN
- && "emptyuser".equals(pc.getIdentifier())) {
- pc.setPassword("");
- } else if (
- pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN
- ) {
- if ("customUser".equals(pc.getIdentifier())) {
+ if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
+ if ("emptyuser".equals(pc.getIdentifier())) {
+ pc.setPassword("");
+ } else if ("customUser".equals(pc.getIdentifier())) {
return;
} else if (null == pc.getIdentifier()) {
// Note that this is not secure! Just doing this to
test a NPE
return;
- } else {
- throw new IOException("Authentication failed");
}
}
} else {
