Author: coheigea
Date: Fri Apr 5 10:05:23 2013
New Revision: 1464904
URL: http://svn.apache.org/r1464904
Log:
Enable Caching in DOM code by default
Modified:
webservices/wss4j/trunk/pom.xml
webservices/wss4j/trunk/ws-security-dom/pom.xml
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
Modified: webservices/wss4j/trunk/pom.xml
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/pom.xml?rev=1464904&r1=1464903&r2=1464904&view=diff
==============================================================================
--- webservices/wss4j/trunk/pom.xml (original)
+++ webservices/wss4j/trunk/pom.xml Fri Apr 5 10:05:23 2013
@@ -121,16 +121,20 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
- <version>2.5</version>
+ <version>2.7.1</version>
<configuration>
- <sourceEncoding>utf-8</sourceEncoding>
+ <sourceEncoding>UTF-8</sourceEncoding>
<failOnViolation>true</failOnViolation>
<linkXRef>false</linkXRef>
+ <verbose>true</verbose>
<minimumTokens>100</minimumTokens>
<targetJdk>${targetJdk}</targetJdk>
<excludes>
<exclude>**/CryptoBase.java,
**/DOM2Writer.java</exclude>
</excludes>
+ <excludeRoots>
+
<excludeRoot>${basedir}/src/main/generated</excludeRoot>
+ </excludeRoots>
</configuration>
<executions>
<execution>
@@ -257,6 +261,9 @@
<includes>
<include>**/*Test.java</include>
</includes>
+ <systemPropertyVariables>
+ <java.io.tmpdir>${basedir}/target</java.io.tmpdir>
+ </systemPropertyVariables>
</configuration>
</plugin>
<plugin>
Modified: webservices/wss4j/trunk/ws-security-dom/pom.xml
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/pom.xml?rev=1464904&r1=1464903&r2=1464904&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/pom.xml (original)
+++ webservices/wss4j/trunk/ws-security-dom/pom.xml Fri Apr 5 10:05:23 2013
@@ -209,6 +209,11 @@
</exclusion>
</exclusions>
</dependency>
+ <dependency>
+ <groupId>net.sf.ehcache</groupId>
+ <artifactId>ehcache-core</artifactId>
+ <scope>runtime</scope>
+ </dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java?rev=1464904&r1=1464903&r2=1464904&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
(original)
+++
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
Fri Apr 5 10:05:23 2013
@@ -37,12 +37,15 @@ import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.bsp.BSPEnforcer;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.cache.ReplayCache;
+import org.apache.wss4j.common.cache.ReplayCacheFactory;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.validate.Validator;
+import org.apache.xml.security.utils.Base64;
/**
* This class holds per request data.
@@ -64,7 +67,7 @@ public class RequestData {
private String sigAlgorithm;
private String signatureDigestAlgorithm;
private String encryptionDigestAlgorithm;
- private String encryptionMGFAlgorithm ;
+ private String encryptionMGFAlgorithm;
private List<WSEncryptionPart> signatureParts = new
ArrayList<WSEncryptionPart>();
private int encKeyId;
private String encSymmAlgo;
@@ -510,11 +513,22 @@ public class RequestData {
/**
* Get the replay cache for Timestamps
+ * @throws WSSecurityException
*/
- public ReplayCache getTimestampReplayCache() {
+ public ReplayCache getTimestampReplayCache() throws WSSecurityException {
+ if (timestampReplayCache == null) {
+ timestampReplayCache = createCache("wss4j-timestamp-cache-");
+ }
+
return timestampReplayCache;
}
+ private synchronized ReplayCache createCache(String key) throws
WSSecurityException {
+ ReplayCacheFactory replayCacheFactory =
ReplayCacheFactory.newInstance();
+ String cacheKey = key +
Base64.encode(WSSecurityUtil.generateNonce(10));
+ return replayCacheFactory.newReplayCache(cacheKey, null);
+ }
+
/**
* Set the replay cache for Nonces
*/
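Review bot: The null check in getTimestampReplayCache (and likewise in getNonceReplayCache in the next hunk) is outside the `synchronized` placed on createCache, so the check-then-assign is still a race if one RequestData is ever shared between threads: two callers can each build and register a separate cache and only one assignment survives. If the getter is meant to be safe to call concurrently, the lock belongs on the getter, `public synchronized ReplayCache getTimestampReplayCache() throws WSSecurityException {`, and createCache no longer needs it; if RequestData is strictly per-request as its class Javadoc says, drop the `synchronized` from createCache so it does not imply a guarantee that is not there. Either way the new `@throws WSSecurityException` tags should say when it is thrown, e.g. `@throws WSSecurityException if the default replay cache cannot be created`. Note also that every RequestData that is not given a cache builds its own, keyed by a fresh nonce; if a new RequestData is created per message, detecting a replay across messages depends on the caller installing a shared cache through the setter, which is worth stating in the getter Javadoc.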
@@ -524,8 +538,13 @@ public class RequestData {
/**
* Get the replay cache for Nonces
+ * @throws WSSecurityException
*/
- public ReplayCache getNonceReplayCache() {
+ public ReplayCache getNonceReplayCache() throws WSSecurityException {
+ if (nonceReplayCache == null) {
+ nonceReplayCache = createCache("wss4j-nonce-cache-");
+ }
+
return nonceReplayCache;
}
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1464904&r1=1464903&r2=1464904&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
(original)
+++
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
Fri Apr 5 10:05:23 2013
@@ -529,7 +529,7 @@ public class SignatureProcessor implemen
RequestData requestData,
WSDocInfo wsDocInfo
) throws WSSecurityException {
- List<WSDataRef> protectedRefs = new java.util.ArrayList<WSDataRef>();
+ List<WSDataRef> protectedRefs = new ArrayList<WSDataRef>();
List<?> referencesList = signedInfo.getReferences();
for (int i = 0; i < referencesList.size(); i++) {
Reference siRef = (Reference)referencesList.get(i);
Modified:
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java?rev=1464904&r1=1464903&r2=1464904&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
(original)
+++
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
Fri Apr 5 10:05:23 2013
@@ -110,6 +110,58 @@ public class ReplayTest extends org.juni
}
@org.junit.Test
+ public void testEhCacheReplayedTimestamp() throws Exception {
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.setTimeToLive(300);
+ Document createdDoc = timestamp.build(doc, secHeader);
+
+ WSSecSignature builder = new WSSecSignature();
+ builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e",
"security");
+ builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
+
+ List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
+ WSEncryptionPart encP =
+ new WSEncryptionPart(
+ "Timestamp", WSConstants.WSU_NS, "");
+ parts.add(encP);
+ builder.setParts(parts);
+
+ builder.prepare(createdDoc, crypto, secHeader);
+
+ List<javax.xml.crypto.dsig.Reference> referenceList =
+ builder.addReferencesToSign(parts, secHeader);
+
+ builder.computeSignature(referenceList, false, null);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(createdDoc);
+ LOG.debug(outputString);
+ }
+
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ RequestData data = new RequestData();
+ data.setWssConfig(wssConfig);
+ data.setCallbackHandler(callbackHandler);
+
+ // Successfully verify timestamp
+ verify(createdDoc, wssConfig, data);
+
+ // Now try again - a replay attack should be detected
+ try {
+ verify(createdDoc, wssConfig, data);
+ fail("Expected failure on a replay attack");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() ==
WSSecurityException.ErrorCode.INVALID_SECURITY);
+ }
+ }
+
+ @org.junit.Test
public void testReplayedTimestampBelowSignature() throws Exception {
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
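Review bot: The four new testEhCache* methods (this hunk and the three following) are line-for-line copies of the existing tests with only the name changed; nothing in their bodies selects EhCache, so they pass or fail for exactly the same reasons as the originals and do not establish that the EhCache-backed default is the cache being exercised. A comment at the top of each stating what makes it the EhCache case, e.g. `// Relies on the default ReplayCache that RequestData creates when none has been set`, or an assertion on the object returned by `data.getTimestampReplayCache()`, would make that intent checkable. Both verify calls reuse the same RequestData instance, so the replay is only detected inside that one instance's lazily created cache; a variant that builds a second RequestData for the second verify would show whether the default setup detects a replay across requests, which is the case that matters in deployment. The shared setup could be extracted into a helper so the replay assertion is written once, and `assertEquals(WSSecurityException.ErrorCode.INVALID_SECURITY, ex.getErrorCode())` reports the actual code on failure where `assertTrue(... == ...)` does not.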
@@ -158,6 +210,53 @@ public class ReplayTest extends org.juni
}
@org.junit.Test
+ public void testEhCacheReplayedTimestampBelowSignature() throws Exception {
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.setTimeToLive(300);
+ Document createdDoc = timestamp.build(doc, secHeader);
+
+ WSSecSignature builder = new WSSecSignature();
+ builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e",
"security");
+ builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
+
+ List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
+ WSEncryptionPart encP =
+ new WSEncryptionPart(
+ "Timestamp", WSConstants.WSU_NS, "");
+ parts.add(encP);
+ builder.setParts(parts);
+
+ builder.build(createdDoc, crypto, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(createdDoc);
+ LOG.debug(outputString);
+ }
+
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ RequestData data = new RequestData();
+ data.setWssConfig(wssConfig);
+ data.setCallbackHandler(callbackHandler);
+
+ // Successfully verify timestamp
+ verify(createdDoc, wssConfig, data);
+
+ // Now try again - a replay attack should be detected
+ try {
+ verify(createdDoc, wssConfig, data);
+ fail("Expected failure on a replay attack");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() ==
WSSecurityException.ErrorCode.INVALID_SECURITY);
+ }
+ }
+
+ @org.junit.Test
public void testReplayedTimestampNoExpires() throws Exception {
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
@@ -211,6 +310,58 @@ public class ReplayTest extends org.juni
}
@org.junit.Test
+ public void testEhCacheReplayedTimestampNoExpires() throws Exception {
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.setTimeToLive(0);
+ Document createdDoc = timestamp.build(doc, secHeader);
+
+ WSSecSignature builder = new WSSecSignature();
+ builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e",
"security");
+ builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
+
+ List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
+ WSEncryptionPart encP =
+ new WSEncryptionPart(
+ "Timestamp", WSConstants.WSU_NS, "");
+ parts.add(encP);
+ builder.setParts(parts);
+
+ builder.prepare(createdDoc, crypto, secHeader);
+
+ List<javax.xml.crypto.dsig.Reference> referenceList =
+ builder.addReferencesToSign(parts, secHeader);
+
+ builder.computeSignature(referenceList, false, null);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(createdDoc);
+ LOG.debug(outputString);
+ }
+
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ RequestData data = new RequestData();
+ data.setWssConfig(wssConfig);
+ data.setCallbackHandler(callbackHandler);
+
+ // Successfully verify timestamp
+ verify(createdDoc, wssConfig, data);
+
+ // Now try again - a replay attack should be detected
+ try {
+ verify(createdDoc, wssConfig, data);
+ fail("Expected failure on a replay attack");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() ==
WSSecurityException.ErrorCode.INVALID_SECURITY);
+ }
+ }
+
+ @org.junit.Test
public void testReplayedUsernameToken() throws Exception {
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("wernerd", "verySecret");
@@ -244,6 +395,39 @@ public class ReplayTest extends org.juni
}
}
+ @org.junit.Test
+ public void testEhCacheReplayedUsernameToken() throws Exception {
+ WSSecUsernameToken builder = new WSSecUsernameToken();
+ builder.setUserInfo("wernerd", "verySecret");
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+ Document signedDoc = builder.build(doc, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ RequestData data = new RequestData();
+ data.setCallbackHandler(new UsernamePasswordCallbackHandler());
+ data.setWssConfig(wssConfig);
+
+ // Successfully verify UsernameToken
+ verify(signedDoc, wssConfig, data);
+
+ // Now try again - a replay attack should be detected
+ try {
+ verify(signedDoc, wssConfig, data);
+ fail("Expected failure on a replay attack");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() ==
WSSecurityException.ErrorCode.INVALID_SECURITY);
+ }
+ }
+
/**
* Verifies the soap envelope
*