Author: coheigea
Date: Thu Feb  7 11:23:55 2013
New Revision: 1443418

URL: http://svn.apache.org/viewvc?rev=1443418&view=rev
Log:
[WSS-420] - Applying to stax code

Modified:
    
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java
    
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/UsernameTokenAssertionState.java
    
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
    
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSSecurityProperties.java
    
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/UsernameTokenValidatorImpl.java
    
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java

Modified: 
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java?rev=1443418&r1=1443417&r2=1443418&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java
 (original)
+++ 
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java
 Thu Feb  7 11:23:55 2013
@@ -226,6 +226,7 @@ public class PolicyInputProcessor extend
             this.initDone = true;
             this.transportSecurityActive = Boolean.TRUE == 
inputProcessorChain.getSecurityContext().get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
             
inputProcessorChain.getSecurityContext().put(WSSConstants.PROP_ALLOW_RSA15_KEYTRANSPORT_ALGORITHM,
 Boolean.TRUE);
+            
inputProcessorChain.getSecurityContext().put(WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD,
 Boolean.TRUE.toString());
         }
     }
 }
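Review bot: The added `put` of `PROP_ALLOW_USERNAMETOKEN_NOPASSWORD` turns on acceptance of password-less UsernameTokens in the validator for every message this processor initialises, so the `PASSWORD_NONE` rejection added to `UsernameTokenAssertionState` in the same commit becomes the only remaining check on the policy path. If a policy carries no UsernameToken assertion, that check presumably never runs and the validator would accept a token with no password; this should be confirmed and covered by a test. The value is also stored as a `String` while the RSA15 property one line above stores `Boolean.TRUE`; a comment such as `// String on purpose: UsernameTokenValidatorImpl reads this with Boolean.parseBoolean` would keep the two from being "harmonised" by mistake. The enclosing method starts outside the hunk.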

Modified: 
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/UsernameTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/UsernameTokenAssertionState.java?rev=1443418&r1=1443417&r2=1443418&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/UsernameTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/UsernameTokenAssertionState.java
 Thu Feb  7 11:23:55 2013
@@ -74,6 +74,10 @@ public class UsernameTokenAssertionState
                     }
                     break;
             }
+        } else if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() 
== WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
+            // We must have a password for the default case
+            setErrorMessage("UsernameToken must contain a password");
+            return false;
         }
         if (usernameToken.isCreated() && (usernameSecurityToken.getCreated() 
== null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != 
WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT)) {
             setErrorMessage("UsernameToken does not contain a created 
timestamp or password is not plain text");

Modified: 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java?rev=1443418&r1=1443417&r2=1443418&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
 (original)
+++ 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
 Thu Feb  7 11:23:55 2013
@@ -118,6 +118,7 @@ public class WSSConstants extends XMLSec
     public static final String TIMESTAMP_PROCESSED = "TimestampProcessed";
 
     public static final String PROP_ALLOW_RSA15_KEYTRANSPORT_ALGORITHM = 
"secureProcessing.AllowRSA15KeyTransportAlgorithm";
+    public static final String PROP_ALLOW_USERNAMETOKEN_NOPASSWORD = 
"secureProcessing.AllowUsernameTokenNoPassword";
 
     public static final String NS_WSSE10 = 
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";;
     public static final String NS_WSSE11 = 
"http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";;

Modified: 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSSecurityProperties.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSSecurityProperties.java?rev=1443418&r1=1443417&r2=1443418&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSSecurityProperties.java
 (original)
+++ 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSSecurityProperties.java
 Thu Feb  7 11:23:55 2013
@@ -58,6 +58,7 @@ public class WSSSecurityProperties exten
      * reject custom token types in the callback handler.
      */
     private boolean handleCustomPasswordTypes = false;
+    private boolean allowUsernameTokenNoPassword = false;
     private WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType;
     private String tokenUser;
 
@@ -106,6 +107,7 @@ public class WSSSecurityProperties exten
         this.strictTimestampCheck = wssSecurityProperties.strictTimestampCheck;
         this.handleCustomPasswordTypes = 
wssSecurityProperties.handleCustomPasswordTypes;
         this.usernameTokenPasswordType = 
wssSecurityProperties.usernameTokenPasswordType;
+        this.allowUsernameTokenNoPassword = 
wssSecurityProperties.allowUsernameTokenNoPassword;
         this.tokenUser = wssSecurityProperties.tokenUser;
         this.derivedKeyKeyIdentifierType = 
wssSecurityProperties.derivedKeyKeyIdentifierType;
         this.derivedKeyTokenReference = 
wssSecurityProperties.derivedKeyTokenReference;
@@ -553,4 +555,12 @@ public class WSSSecurityProperties exten
     public void setEncryptionCompressionAlgorithm(String 
encryptionCompressionAlgorithm) {
         this.encryptionCompressionAlgorithm = encryptionCompressionAlgorithm;
     }
+
+    public boolean isAllowUsernameTokenNoPassword() {
+        return allowUsernameTokenNoPassword;
+    }
+
+    public void setAllowUsernameTokenNoPassword(boolean 
allowUsernameTokenNoPassword) {
+        this.allowUsernameTokenNoPassword = allowUsernameTokenNoPassword;
+    }
 }
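Review bot: The new `allowUsernameTokenNoPassword` field and its accessors have no Javadoc, although the neighbouring `handleCustomPasswordTypes` field is documented and this flag decides whether the validator rejects a token with `FAILED_AUTHENTICATION`. I would add to the setter `/** Whether a UsernameToken without a password is accepted by the validator. Default is false, in which case such a token fails authentication. */` and a matching one-line comment on the field in the first hunk of this file. Stating the default explicitly matters here because the policy module overrides it through the security context.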

Modified: 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/UsernameTokenValidatorImpl.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/UsernameTokenValidatorImpl.java?rev=1443418&r1=1443417&r2=1443418&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/UsernameTokenValidatorImpl.java
 (original)
+++ 
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/UsernameTokenValidatorImpl.java
 Thu Feb  7 11:23:55 2013
@@ -56,6 +56,9 @@ public class UsernameTokenValidatorImpl 
         }
 
         boolean handleCustomPasswordTypes = 
tokenContext.getWssSecurityProperties().getHandleCustomPasswordTypes();
+        boolean allowUsernameTokenNoPassword = 
+            
tokenContext.getWssSecurityProperties().isAllowUsernameTokenNoPassword() 
+                || 
Boolean.parseBoolean((String)tokenContext.getWsSecurityContext().get(WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD));
 
         final byte[] nonceVal;
         final String created;
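Review bot: The `(String)` cast on the security-context value will throw `ClassCastException` if the property is ever stored as a `Boolean`, which is how the neighbouring `PROP_ALLOW_RSA15_KEYTRANSPORT_ALGORITHM` is stored in `PolicyInputProcessor`. An unchecked exception in the authentication path is better avoided by reading the value type-tolerantly: `Object ctxFlag = tokenContext.getWsSecurityContext().get(WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD);` and then `... || Boolean.TRUE.equals(ctxFlag) || (ctxFlag instanceof String && Boolean.parseBoolean((String) ctxFlag));`. The method body begins before and continues after this hunk.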
@@ -172,6 +175,9 @@ public class UsernameTokenValidatorImpl 
             }
             passwordType.setValue(pwCb.getPassword());
         } else {
+            if (!allowUsernameTokenNoPassword) {
+                throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+            }
             nonceVal = null;
             created = null;
         }

Modified: 
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java?rev=1443418&r1=1443417&r2=1443418&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java
 (original)
+++ 
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java
 Thu Feb  7 11:23:55 2013
@@ -434,8 +434,26 @@ public class UsernameTokenTest extends A
         }
 
         //done UsernameToken; now verification:
+        
+        // Failure expected on no password
+        try {
+            WSSSecurityProperties securityProperties = new 
WSSSecurityProperties();
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = 
wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new 
ByteArrayInputStream(baos.toByteArray())));
+            
+            xmlStreamReader = 
wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new 
ByteArrayInputStream(baos.toByteArray())));
+            StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), 
xmlStreamReader);
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Assert.assertEquals(e.getMessage(), 
"org.apache.ws.security.common.ext.WSSecurityException: The security token 
could not be authenticated or authorized");
+            Assert.assertEquals(((WSSecurityException) 
e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION);
+        }
+        
+        // Now set the appropriate boolean and it should pass
         {
             WSSSecurityProperties securityProperties = new 
WSSSecurityProperties();
+            securityProperties.setAllowUsernameTokenNoPassword(true);
             securityProperties.setCallbackHandler(new CallbackHandlerImpl());
             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
             XMLStreamReader xmlStreamReader = 
wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new 
ByteArrayInputStream(baos.toByteArray())));
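Review bot: In the new failure case `wsSecIn.processInMessage(...)` is called twice and the first `xmlStreamReader` is overwritten without being read, which looks like a copy-paste leftover; the second assignment can be dropped so the test exercises a single inbound pass. Both `Assert.assertEquals` calls pass the actual value first, whereas JUnit expects `(expected, actual)`, e.g. `Assert.assertEquals(WSSecurityException.FAILED_AUTHENTICATION, ((WSSecurityException) e.getCause()).getFaultCode());`, otherwise a failure message reports the values swapped. The test covers only the `WSSSecurityProperties` flag; the security-context property set by `PolicyInputProcessor` has no test in this commit. The test method starts before and continues after the hunk.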

