Author: coheigea
Date: Mon Feb 14 16:08:48 2011
New Revision: 1070542
URL: http://svn.apache.org/viewvc?rev=1070542&view=rev
Log:
[WSS-256] - Added some more BSP spec compliance stuff for Signatures and
SignatureConfirmation.
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureConfirmationProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/handler/SignatureConfirmationTest.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureConfirmationProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureConfirmationProcessor.java?rev=1070542&r1=1070541&r2=1070542&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureConfirmationProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureConfirmationProcessor.java
Mon Feb 14 16:08:48 2011
@@ -60,9 +60,19 @@ public class SignatureConfirmationProces
// Decode SignatureConfirmation, just store in result
//
SignatureConfirmation sigConf = new SignatureConfirmation(elem);
+ String id = sigConf.getID();
+ // A wsu:Id is required as per the BSP spec
+ if (config.isWsiBSPCompliant() && (id == null || "".equals(id))) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
+ "requiredElementNoID",
+ new Object[] {elem.getLocalName()}
+ );
+ }
+
WSSecurityEngineResult result =
new WSSecurityEngineResult(WSConstants.SC, sigConf);
- result.put(WSSecurityEngineResult.TAG_ID, sigConf.getID());
+ result.put(WSSecurityEngineResult.TAG_ID, id);
wsDocInfo.addResult(result);
return java.util.Collections.singletonList(result);
}
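Review bot: The new guard at the `if (config.isWsiBSPCompliant() && (id == null || "".equals(id)))` line rejects a missing or empty wsu:Id only in BSP mode, but the comment above it does not say which BSP requirement it enforces nor that the non-BSP path deliberately tolerates an Id-less SignatureConfirmation (the null is then stored as TAG_ID a few lines down). Propose replacing the comment with `// BSP (rule <BSP-RULE-ID>) requires a wsu:Id on every SignatureConfirmation; outside BSP mode an absent Id is tolerated and stored as a null TAG_ID`. The enclosing method starts above this hunk, so it is not visible whether `config` is guaranteed non-null at this point; if it can be null elsewhere in the class the same null-check should precede this call.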
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java?rev=1070542&r1=1070541&r2=1070542&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
Mon Feb 14 16:08:48 2011
@@ -116,13 +116,25 @@ public class SignatureProcessor implemen
certs = getDefaultCerts(crypto);
principal = certs[0].getSubjectX500Principal();
} else {
- Element strElement =
- WSSecurityUtil.getDirectChildElement(
+ List<Element> strElements =
+ WSSecurityUtil.getDirectChildElements(
keyInfoElement,
SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
WSConstants.WSSE_NS
);
- if (strElement == null) {
+ if (config.isWsiBSPCompliant()) {
+ if (strElements.isEmpty()) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
"noSecurityTokenReference"
+ );
+ } else if (strElements.size() > 1) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
"badSecurityTokenReference"
+ );
+ }
+ }
+
+ if (strElements.isEmpty()) {
publicKey = parseKeyValue(keyInfoElement);
Credential credential = new Credential();
credential.setPublicKey(publicKey);
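Review bot: The BSP checks are written as a nested `if`/`else if` inside `if (config.isWsiBSPCompliant())`, followed by a second `if (strElements.isEmpty())` that repeats the first condition for the non-BSP path; flattening them to `if (config.isWsiBSPCompliant() && strElements.isEmpty())` and `if (config.isWsiBSPCompliant() && strElements.size() > 1)` makes each BSP rule read as a single condition and removes one nesting level. Outside BSP mode a KeyInfo with several SecurityTokenReference children now proceeds silently with `strElements.get(0)` (next hunk); a debug-level log when `strElements.size() > 1` in that path would make the dropped references visible when diagnosing verification problems. The enclosing method begins before this hunk and its `else` branch continues past it.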
@@ -138,7 +150,7 @@ public class SignatureProcessor implemen
SignatureSTRParser.SECRET_KEY_LENGTH, new
Integer(config.getSecretKeyLength())
);
strParser.parseSecurityTokenReference(
- strElement, crypto, cb, wsDocInfo, parameters
+ strElements.get(0), crypto, cb, wsDocInfo, parameters
);
principal = strParser.getPrincipal();
certs = strParser.getCertificates();
@@ -169,6 +181,12 @@ public class SignatureProcessor implemen
verifyXMLSignature(elem, certs, publicKey, secretKey,
signatureMethod, wsDocInfo);
byte[] signatureValue = xmlSignature.getSignatureValue().getValue();
String c14nMethod =
xmlSignature.getSignedInfo().getCanonicalizationMethod().getAlgorithm();
+ // The c14n algorithm must be as specified by the BSP spec
+ if (config.isWsiBSPCompliant() &&
!WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(c14nMethod)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "badC14nAlgo"
+ );
+ }
List<WSDataRef> dataRefs =
buildProtectedRefs(
elem.getOwnerDocument(), xmlSignature.getSignedInfo(), config,
wsDocInfo
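Review bot: The new canonicalization check runs after `verifyXMLSignature(...)` at the top of the hunk, so in BSP mode a signature using a non-compliant c14n algorithm is fully verified cryptographically before being rejected; reading `c14nMethod` from `xmlSignature.getSignedInfo()` and performing the `badC14nAlgo` check before the `verifyXMLSignature` call would fail fast on the cheaper check. The comment `// The c14n algorithm must be as specified by the BSP spec` could state the expectation the code encodes, e.g. `// BSP permits only Exclusive C14N without comments (WSConstants.C14N_EXCL_OMIT_COMMENTS) for ds:SignedInfo`, assuming that constant denotes the exclusive-c14n-omit-comments URI as its name suggests. The enclosing method starts above and continues below this hunk.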
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java?rev=1070542&r1=1070541&r2=1070542&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
Mon Feb 14 16:08:48 2011
@@ -194,12 +194,12 @@ public class WSSecurityUtil {
* @param namespace the namespace of the children to get
* @return the list of nodes or <code>null</code> if not such nodes are
found
*/
- public static List<Node> getDirectChildElements(
+ public static List<Element> getDirectChildElements(
Node fNode,
String localName,
String namespace
) {
- List<Node> children = new ArrayList<Node>();
+ List<Element> children = new ArrayList<Element>();
for (
Node currentChild = fNode.getFirstChild();
currentChild != null;
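Review bot: The Javadoc `@return the list of nodes or <code>null</code> if not such nodes are found` contradicts the body: `children` is created unconditionally and returned at the end of the next hunk, so callers get an empty list, never `null`; the new `SignatureProcessor` code relies on exactly that with `strElements.isEmpty()`. Propose `@return the matching direct child elements in document order, or an empty list if there are none` and, since the element type changed, `the list of nodes` → `the list of elements`. Changing the signature from `List<Node>` to `List<Element>` is also a source-incompatible change for any external caller that assigns the result to a `List<Node>` variable, which is worth a line in the release notes if this utility is public API. The method body continues in the next hunk.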
@@ -208,7 +208,7 @@ public class WSSecurityUtil {
if (Node.ELEMENT_NODE == currentChild.getNodeType()
&& localName.equals(currentChild.getLocalName())
&& namespace.equals(currentChild.getNamespaceURI())) {
- children.add(currentChild);
+ children.add((Element)currentChild);
}
}
return children;
Modified:
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties?rev=1070542&r1=1070541&r2=1070542&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
(original)
+++
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
Mon Feb 14 16:08:48 2011
@@ -15,6 +15,8 @@
noToken = Reference \"{0}\"
noReference = <Reference> token could not be retrieved
badReferenceURI = Reference URI is null
+noSecurityTokenReference = The SecurityTokenReference was required but not
found
+badSecurityTokenReference = A bad SecurityTokenReference was specified
noEncodingType = No EncodingType attribute was specified
badEncodingType = A bad EncodingType attribute was specified \"{0}\"
unhandledToken = Security token supported but currently not handled \"{0}\"
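Review bot: `badSecurityTokenReference = A bad SecurityTokenReference was specified` does not say what is bad, although the only place the new code raises it is when KeyInfo contains more than one SecurityTokenReference; a message such as `badSecurityTokenReference = More than one SecurityTokenReference was found in KeyInfo; BSP compliance requires exactly one` would let an operator act on the fault without reading the processor source. The same applies to `badC14nAlgo` in the next hunk, which could name the required algorithm. Note that the `noSecurityTokenReference` value appears wrapped across two lines here; if that wrap is in the committed file rather than a display artefact, the continuation needs a trailing backslash on the first line or the key's value is truncated.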
@@ -35,6 +37,7 @@ noEncryptedData = Referenced encrypted d
badElement = Bad element, expected \"{0}\" while got \"{1}\"
badTokenType00 = Bad UsernameToken Type
badTokenType01 = Bad UsernameToken Values
+badC14nAlgo = A bad canonicalization algorithm was specified
failedAuthentication = User ({0}) not authenticated
missingUsernameToken = UsernameToken is missing
missingSecurityHeader = Security header is missing
@@ -86,7 +89,7 @@ decoding.general = Error while decoding
unknownAction=Unknown Action {0}
unableToLoadClass=Unable to load class {0}
-requiredElementNoID=Element {0} is not signed; it does not have a wsu:Id
attribute
+requiredElementNoID=Element {0} does not have a wsu:Id attribute
noSignResult=No SIGN result in WSS4J result vector
requiredElementNotSigned=Element {0} is not included in the signature
requiredElementNotProtected=Element {0} is not protected
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/handler/SignatureConfirmationTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/handler/SignatureConfirmationTest.java?rev=1070542&r1=1070541&r2=1070542&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/handler/SignatureConfirmationTest.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/handler/SignatureConfirmationTest.java
Mon Feb 14 16:08:48 2011
@@ -22,16 +22,21 @@ package org.apache.ws.security.handler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.common.CustomHandler;
import org.apache.ws.security.common.KeystoreCallbackHandler;
import org.apache.ws.security.common.SOAPUtil;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.token.SignatureConfirmation;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
+import org.w3c.dom.Element;
import java.util.List;
import java.util.ArrayList;
@@ -247,6 +252,45 @@ public class SignatureConfirmationTest e
/**
+ * Test to see that a signature confirmation response that does not
contain a wsu:Id fails
+ * the BSP compliance is enabled.
+ */
+ @org.junit.Test
+ public void
+ testWsuId() throws Exception {
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ byte[] randomBytes = WSSecurityUtil.generateNonce(20);
+ SignatureConfirmation sigConf = new SignatureConfirmation(doc,
randomBytes);
+ Element sigConfElement = sigConf.getElement();
+ secHeader.getSecurityHeader().appendChild(sigConfElement);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+
+ // Verify the results
+ verify(doc);
+
+ // Now turn on BSP spec compliance
+ WSSecurityEngine newEngine = new WSSecurityEngine();
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setWsiBSPCompliant(true);
+ newEngine.setWssConfig(config);
+ try {
+ newEngine.processSecurityHeader(doc, null, callbackHandler,
crypto);
+ fail("Failure expected on a request with no wsu:Id");
+ } catch (WSSecurityException ex) {
+ assert ex.getMessage().contains("wsu:Id");
+ }
+ }
+
+
+ /**
* Verifies the soap envelope
* <p/>
*
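Review bot: `assert ex.getMessage().contains("wsu:Id");` in the new `catch` block is a Java `assert` statement, which is a no-op unless the JVM runs with `-ea`, so the message check silently passes in a default test run; use the JUnit assertion instead, `assertTrue(ex.getMessage().contains("wsu:Id"));`, which is available if this class extends `org.junit.Assert` as its use of `fail(...)` suggests. The same construct appears in the new block in `SignatureTest` in the last hunk of this commit. The Javadoc sentence `fails the BSP compliance is enabled` reads as a typo for `fails when BSP compliance is enabled`. Asserting on localized message text also couples the test to `errors.properties`; checking the error code (e.g. via `getErrorCode()`, if the exception exposes it) would be more robust.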
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureTest.java?rev=1070542&r1=1070541&r2=1070542&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureTest.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureTest.java
Mon Feb 14 16:08:48 2011
@@ -30,6 +30,7 @@ import org.apache.ws.security.WSEncrypti
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.common.CustomHandler;
import org.apache.ws.security.common.KeystoreCallbackHandler;
import org.apache.ws.security.common.SOAPUtil;
@@ -150,6 +151,18 @@ public class SignatureTest extends org.j
}
verify(signedDoc);
+
+ // Now turn on BSP spec compliance
+ WSSecurityEngine newEngine = new WSSecurityEngine();
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setWsiBSPCompliant(true);
+ newEngine.setWssConfig(config);
+ try {
+ newEngine.processSecurityHeader(doc, null, null, crypto);
+ fail("Failure expected on a bad c14n algorithm");
+ } catch (WSSecurityException ex) {
+ assert ex.getMessage().contains("bad canonicalization algorithm");
+ }
}
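Review bot: The new BSP block calls `newEngine.processSecurityHeader(doc, null, null, crypto)` while the line just above verifies `signedDoc`; if `signedDoc` is a different object from `doc` (i.e. the signature builder returned a new document) the BSP engine is handed the unsigned message and the test would fail for the wrong reason, so it should pass `signedDoc` unless the two are known to be the same instance. As in `SignatureConfirmationTest`, `assert ex.getMessage().contains(...)` should be `assertTrue(...)` so that it is evaluated without `-ea`. The enclosing test method starts above this hunk.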
/**