Author: coheigea
Date: Fri Feb 1 16:22:05 2013
New Revision: 1441507
URL: http://svn.apache.org/viewvc?rev=1441507&view=rev
Log:
[WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no
passwords
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/WSSConfig.java
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTDerivedKeyTest.java
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTSignatureTest.java
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/WSSConfig.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/WSSConfig.java?rev=1441507&r1=1441506&r2=1441507&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/WSSConfig.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/WSSConfig.java
Fri Feb 1 16:22:05 2013
@@ -234,6 +234,13 @@ public class WSSConfig {
protected String requiredPasswordType = null;
/**
+ * This variable controls whether a UsernameToken with no password element
is allowed.
+ * The default value is "false". Set it to "true" to allow deriving keys
from UsernameTokens
+ * or to support UsernameTokens for purposes other than authentication.
+ */
+ protected boolean allowUsernameTokenNoPassword = false;
+
+ /**
* The time in seconds between creation and expiry for a Timestamp. The
default
* is 300 seconds (5 minutes).
*/
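Review bot: The Javadoc on `allowUsernameTokenNoPassword` says when to enable the flag but not what is given up: once it is true, `verifyUnknownPassword` lets a token that carries no credential through, so the username in the resulting principal is unverified. Suggest appending `* A UsernameToken without a password carries no proof of identity; when this flag is enabled the application must not treat such a token as an authenticated user.` to the comment. The same Javadoc is duplicated on `ALLOW_USERNAMETOKEN_NOPASSWORD` in WSHandlerConstants (hunk at line 368) and should carry the same sentence. The WSSConfig class continues outside the hunk.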
@@ -954,5 +961,13 @@ public class WSSConfig {
}
return currentProvider.getName();
}
+
+ public boolean isAllowUsernameTokenNoPassword() {
+ return allowUsernameTokenNoPassword;
+ }
+
+ public void setAllowUsernameTokenNoPassword(boolean
allowUsernameTokenNoPassword) {
+ this.allowUsernameTokenNoPassword = allowUsernameTokenNoPassword;
+ }
}
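Review bot: The new public accessor pair has no Javadoc, unlike the field it exposes, and the setter is the call that switches authentication off for password-less tokens. Suggest `/** @return whether a UsernameToken with no Password element is accepted by the validator (default false). */` on the getter and `/** Accept (true) or reject (false) a UsernameToken that has no Password element; see {@link #allowUsernameTokenNoPassword}. */` on the setter.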
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java?rev=1441507&r1=1441506&r2=1441507&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java
Fri Feb 1 16:22:05 2013
@@ -292,6 +292,10 @@ public abstract class WSHandler {
wssConfig.setAllowNamespaceQualifiedPasswordTypes(
decodeNamespaceQualifiedPasswordTypes(reqData)
);
+ wssConfig.setAllowUsernameTokenNoPassword(
+ decodeAllowUsernameTokenNoPassword(reqData)
+ );
+
wssConfig.setSecretKeyLength(reqData.getSecretKeyLength());
wssConfig.setWsiBSPCompliant(decodeBSPCompliance(reqData));
reqData.setWssConfig(wssConfig);
@@ -717,6 +721,14 @@ public abstract class WSHandler {
);
}
+ protected boolean decodeAllowUsernameTokenNoPassword(
+ RequestData reqData
+ ) throws WSSecurityException {
+ return decodeBooleanConfigValue(
+ reqData, WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, false
+ );
+ }
+
protected boolean decodeUseEncodedPasswords(RequestData reqData)
throws WSSecurityException {
return decodeBooleanConfigValue(
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java?rev=1441507&r1=1441506&r2=1441507&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
Fri Feb 1 16:22:05 2013
@@ -368,6 +368,13 @@ public final class WSHandlerConstants {
public static final String HANDLE_CUSTOM_PASSWORD_TYPES =
"handleCustomPasswordTypes";
/**
+ * This variable controls whether a UsernameToken with no password element
is allowed.
+ * The default value is "false". Set it to "true" to allow deriving keys
from UsernameTokens
+ * or to support UsernameTokens for purposes other than authentication.
+ */
+ public static final String ALLOW_USERNAMETOKEN_NOPASSWORD =
"allowUsernameTokenNoPassword";
+
+ /**
* Set the value of this parameter to true to enable strict Username Token
password type
* handling. The default value is "false".
*
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/message/token/UsernameToken.java?rev=1441507&r1=1441506&r2=1441507&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
Fri Feb 1 16:22:05 2013
@@ -414,6 +414,13 @@ public class UsernameToken {
}
return password;
}
+
+ /**
+ * Return true if this UsernameToken contains a Password element
+ */
+ public boolean containsPasswordElement() {
+ return elementPassword != null;
+ }
/**
* Get the Salt value of this UsernameToken.
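Review bot: The Javadoc on `containsPasswordElement` has no `@return` tag and does not say that it reports only the presence of the element, which is all `elementPassword != null` checks; whether the element has any text is not examined. Suggest `/** @return true if this UsernameToken has a Password element, regardless of its content. */`. The UsernameToken class continues outside the hunk.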
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?rev=1441507&r1=1441506&r2=1441507&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
Fri Feb 1 16:22:05 2013
@@ -206,14 +206,27 @@ public class UsernameTokenValidator impl
}
/**
- * Verify a UsernameToken containing no password. This does nothing - but
is in a separate
- * method to allow the end-user to override validation easily.
+ * Verify a UsernameToken containing no password. An exception is thrown
unless the user
+ * has explicitly allowed this use-case via
WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD
* @param usernameToken The UsernameToken instance to verify
* @throws WSSecurityException on a failed authentication.
*/
protected void verifyUnknownPassword(UsernameToken usernameToken,
RequestData data) throws
WSSecurityException {
- //
+
+ boolean allowUsernameTokenDerivedKeys = false;
+ WSSConfig wssConfig = data.getWssConfig();
+ if (wssConfig != null) {
+ allowUsernameTokenDerivedKeys =
wssConfig.isAllowUsernameTokenNoPassword();
+ }
+
+ if (!(allowUsernameTokenDerivedKeys ||
usernameToken.containsPasswordElement())) {
+ if (log.isDebugEnabled()) {
+ log.debug("Authentication failed as the received UsernameToken
does not "
+ + "contain any password element");
+ }
+ throw new
WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
+ }
}
}
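Review bot: The local `allowUsernameTokenDerivedKeys` in verifyUnknownPassword holds the value of `isAllowUsernameTokenNoPassword()`, whose own Javadoc covers uses beyond key derivation, so the name understates what the branch permits; `boolean allowNoPassword = false;` would read truthfully, and the same mismatch recurs in the `verify` helpers of UTDerivedKeyTest, UTSignatureTest and UsernameTokenTest. The rewritten Javadoc also drops the removed sentence that this method exists to be overridden, which now matters more because a subclass overriding it replaces the new rejection entirely; keep a line such as `* Subclasses that override this method take over the decision to accept or reject a password-less token.`. The `wssConfig == null` path silently leaves the flag at false, which is the right fail-closed default but deserves `// No WSSConfig on the RequestData: fail closed and reject password-less tokens` so nobody "fixes" it later. The enclosing class continues outside the hunk.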
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTDerivedKeyTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTDerivedKeyTest.java?rev=1441507&r1=1441506&r2=1441507&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTDerivedKeyTest.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTDerivedKeyTest.java
Fri Feb 1 16:22:05 2013
@@ -157,6 +157,13 @@ public class UTDerivedKeyTest extends or
}
verify(encryptedDoc);
+
+ try {
+ verify(encryptedDoc, false);
+ fail("Failure expected on deriving keys from a UsernameToken not
allowed");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
}
/**
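Review bot: The negative test around `verify(encryptedDoc, false)` passes on any WSSecurityException, not specifically on the rejection the validator now throws, so an unrelated failure in processing would also satisfy it. Asserting the code in the catch block, `assertTrue(ex.getErrorCode() == WSSecurityException.FAILED_AUTHENTICATION);`, pins the test to the new behaviour. The identical block added to UTSignatureTest (hunk at line 96) has the same gap. The enclosing test method starts outside the hunk.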
@@ -202,6 +209,7 @@ public class UTDerivedKeyTest extends or
WSSecurityEngine newEngine = new WSSecurityEngine();
newEngine.getWssConfig().setPasswordsAreEncoded(true);
+ newEngine.getWssConfig().setAllowUsernameTokenNoPassword(true);
newEngine.processSecurityHeader(
encryptedDoc, null, new EncodedPasswordCallbackHandler(), null
);
@@ -403,6 +411,7 @@ public class UTDerivedKeyTest extends or
WSSecurityEngine newEngine = new WSSecurityEngine();
newEngine.getWssConfig().setPasswordsAreEncoded(true);
+ newEngine.getWssConfig().setAllowUsernameTokenNoPassword(true);
List<WSSecurityEngineResult> results =
newEngine.processSecurityHeader(
signedDoc, null, new EncodedPasswordCallbackHandler(), null
);
@@ -661,6 +670,7 @@ public class UTDerivedKeyTest extends or
config.setWsiBSPCompliant(false);
WSSecurityEngine newEngine = new WSSecurityEngine();
newEngine.setWssConfig(config);
+ config.setAllowUsernameTokenNoPassword(true);
newEngine.processSecurityHeader(doc, null, callbackHandler, crypto);
}
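Review bot: `config.setAllowUsernameTokenNoPassword(true)` is called after `newEngine.setWssConfig(config)` here, the reverse of the order used in the two hunks that follow (lines 728 and 792). It presumably works because the engine holds the same config instance, but moving the call above `newEngine.setWssConfig(config);` keeps the three sites uniform and removes the dependence on that detail. The enclosing test method starts outside the hunk.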
@@ -718,6 +728,7 @@ public class UTDerivedKeyTest extends or
// Turn off BSP compliance and it should work
WSSConfig config = WSSConfig.getNewInstance();
config.setWsiBSPCompliant(false);
+ config.setAllowUsernameTokenNoPassword(true);
WSSecurityEngine newEngine = new WSSecurityEngine();
newEngine.setWssConfig(config);
newEngine.processSecurityHeader(doc, null, callbackHandler, crypto);
@@ -781,6 +792,7 @@ public class UTDerivedKeyTest extends or
// Turn off BSP compliance and it should work
WSSConfig config = WSSConfig.getNewInstance();
config.setWsiBSPCompliant(false);
+ config.setAllowUsernameTokenNoPassword(true);
WSSecurityEngine newEngine = new WSSecurityEngine();
newEngine.setWssConfig(config);
newEngine.processSecurityHeader(doc, null, callbackHandler, crypto);
@@ -794,7 +806,17 @@ public class UTDerivedKeyTest extends or
* @throws java.lang.Exception Thrown when there is a problem in
verification
*/
private List<WSSecurityEngineResult> verify(Document doc) throws Exception
{
+ return verify(doc, true);
+ }
+
+ private List<WSSecurityEngineResult> verify(
+ Document doc,
+ boolean allowUsernameTokenDerivedKeys
+ ) throws Exception {
WSSecurityEngine secEngine = new WSSecurityEngine();
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setAllowUsernameTokenNoPassword(allowUsernameTokenDerivedKeys);
+ secEngine.setWssConfig(config);
return secEngine.processSecurityHeader(doc, null, callbackHandler,
crypto);
}
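Review bot: The existing Javadoc at the top of the hunk still describes the one-argument `verify`, while the new two-argument overload that does the work has none and its `allowUsernameTokenDerivedKeys` parameter is undocumented. A Javadoc on the overload saying that the flag is passed to `WSSConfig.setAllowUsernameTokenNoPassword` on a fresh config would suffice, and the one-argument Javadoc should state that it delegates with `true`. The same applies to UTSignatureTest (hunk at line 247); in UsernameTokenTest (hunk at line 868) the new one-argument `verify` is inserted above the Javadoc, so there the overload is documented and the one-argument method is not, and its default is `false` rather than `true` — worth one sentence per file explaining why the default differs.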
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTSignatureTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTSignatureTest.java?rev=1441507&r1=1441506&r2=1441507&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTSignatureTest.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UTSignatureTest.java
Fri Feb 1 16:22:05 2013
@@ -49,7 +49,6 @@ import java.util.List;
public class UTSignatureTest extends org.junit.Assert {
private static final org.apache.commons.logging.Log LOG =
org.apache.commons.logging.LogFactory.getLog(UTSignatureTest.class);
- private WSSecurityEngine secEngine = new WSSecurityEngine();
private CallbackHandler callbackHandler = new
UsernamePasswordCallbackHandler();
private Crypto crypto = null;
@@ -97,6 +96,13 @@ public class UTSignatureTest extends org
java.security.Principal principal =
(java.security.Principal)
actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
assertTrue(principal.getName().indexOf("bob") != -1);
+
+ try {
+ verify(signedDoc, false);
+ fail("Failure expected on deriving keys from a UsernameToken not
allowed");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
}
@@ -241,6 +247,17 @@ public class UTSignatureTest extends org
* @throws java.lang.Exception Thrown when there is a problem in
verification
*/
private List<WSSecurityEngineResult> verify(Document doc) throws Exception
{
+ return verify(doc, true);
+ }
+
+ private List<WSSecurityEngineResult> verify(
+ Document doc,
+ boolean allowUsernameTokenDerivedKeys
+ ) throws Exception {
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setAllowUsernameTokenNoPassword(allowUsernameTokenDerivedKeys);
+ secEngine.setWssConfig(config);
return secEngine.processSecurityHeader(doc, null, callbackHandler,
crypto);
}
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java?rev=1441507&r1=1441506&r2=1441507&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/UsernameTokenTest.java
Fri Feb 1 16:22:05 2013
@@ -102,7 +102,6 @@ public class UsernameTokenTest extends o
+ "<value xmlns=\"\">15</value>" + "</add>"
+ "</SOAP-ENV:Body>\r\n \r\n" + "</SOAP-ENV:Envelope>";
- private WSSecurityEngine secEngine = new WSSecurityEngine();
private CallbackHandler callbackHandler = new
UsernamePasswordCallbackHandler();
/**
@@ -403,7 +402,7 @@ public class UsernameTokenTest extends o
LOG.debug(outputString);
}
- List<WSSecurityEngineResult> results = verify(signedDoc);
+ List<WSSecurityEngineResult> results = verify(signedDoc, true);
WSSecurityEngineResult actionResult =
WSSecurityUtil.fetchActionResult(results,
WSConstants.UT_NOPASSWORD);
UsernameToken receivedToken =
@@ -429,6 +428,7 @@ public class UsernameTokenTest extends o
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
LOG.debug(outputString);
}
+ WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.processSecurityHeader(doc, null, this, null);
}
@@ -445,6 +445,7 @@ public class UsernameTokenTest extends o
LOG.debug(outputString);
}
+ WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.processSecurityHeader(doc, null, this, null);
}
@@ -470,6 +471,7 @@ public class UsernameTokenTest extends o
LOG.debug(outputString);
}
try {
+ WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.processSecurityHeader(signedDoc, null, this, null);
fail("Custom token types are not permitted");
} catch (WSSecurityException ex) {
@@ -505,14 +507,9 @@ public class UsernameTokenTest extends o
//
WSSConfig cfg = WSSConfig.getNewInstance();
cfg.setHandleCustomPasswordTypes(true);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.setWssConfig(cfg);
- verify(signedDoc);
-
- //
- // Go back to default for other tests
- //
- cfg.setHandleCustomPasswordTypes(false);
- secEngine.setWssConfig(cfg);
+ secEngine.processSecurityHeader(doc, null, callbackHandler, null);
}
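Review bot: The replacement call `secEngine.processSecurityHeader(doc, null, callbackHandler, null)` processes `doc`, whereas the removed line verified `signedDoc`. If `build()` returns the same Document instance in this test, as it appears to elsewhere in these tests, the result is unchanged, but passing `signedDoc` keeps the intent explicit and protects the test if that ever changes. The enclosing test method starts outside the hunk.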
@@ -871,13 +868,21 @@ public class UsernameTokenTest extends o
newEngine.processSecurityHeader(doc, null, callbackHandler, null);
}
+ private List<WSSecurityEngineResult> verify(Document doc) throws Exception
{
+ return verify(doc, false);
+ }
+
/**
* Verifies the soap envelope
*
* @param env soap envelope
* @throws java.lang.Exception Thrown when there is a problem in
verification
*/
- private List<WSSecurityEngineResult> verify(Document doc) throws Exception
{
+ private List<WSSecurityEngineResult> verify(Document doc, boolean
allowUsernameTokenDerivedKeys) throws Exception {
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setAllowUsernameTokenNoPassword(allowUsernameTokenDerivedKeys);
+ secEngine.setWssConfig(config);
return secEngine.processSecurityHeader(doc, null, callbackHandler,
null);
}