Author: coheigea
Date: Thu Nov 18 16:07:37 2010
New Revision: 1036510
URL: http://svn.apache.org/viewvc?rev=1036510&view=rev
Log:
Various bits and pieces.
- Re-enabled a test that was failing after the JSR-105 port (now fixed).
- Changed the way tokens are stored in WSDocInfo.
- EncryptedKeyProcessor now checks for a BST that was previously processed.
- STRTransform token location is a bit more efficient.
- Removed redundant way of setting token value in WSSecEncrypt.
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfo.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/saml/WSSecSignatureSAML.java
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransform.java
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransformUtil.java
webservices/wss4j/trunk/test/wssec/TestModifiedRequest.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfo.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfo.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfo.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfo.java Thu Nov
18 16:07:37 2010
@@ -45,10 +45,8 @@ import java.util.Vector;
public class WSDocInfo {
Document doc = null;
Crypto crypto = null;
- List<Element> bstList = null;
- Element assertion = null;
+ List<Element> tokenList = null;
List<Processor> processors = null;
- List<Element> securityTokenReferences = null;
public WSDocInfo(Document doc) {
//
@@ -63,65 +61,51 @@ public class WSDocInfo {
}
/**
- * Set a SecurityTokenReference element.
- */
- public void setSecurityTokenReference(Element securityTokenRef) {
- if (securityTokenReferences == null) {
- securityTokenReferences = new Vector<Element>();
- }
- securityTokenReferences.add(securityTokenRef);
- }
-
- /**
- * Get a SecurityTokenReference for the given (wsu) Id
- *
- * @param uri is the relative uri (starts with #) of the id
- * @return the STR element or null if nothing found
- */
- public Element getSecurityTokenReference(String uri) {
- if (securityTokenReferences != null) {
- for (Element elem : securityTokenReferences) {
- String cId = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
- if (uri.equals(cId)) {
- return elem;
- }
- }
- }
- return null;
- }
-
- /**
* Clears the info data except the hash code
*/
public void clear() {
crypto = null;
- assertion = null;
- if (bstList != null && bstList.size() > 0) {
- bstList.clear();
+ if (tokenList != null && tokenList.size() > 0) {
+ tokenList.clear();
}
if (processors != null && processors.size() > 0) {
processors.clear();
}
- bstList = null;
+ tokenList = null;
processors = null;
}
-
+
/**
- * Get a BinarySecurityToken for the given Id
- *
- * @param uri is the relative uri (starts with #) of the id
- * @return the BST element or null if nothing found
+ * @param elem is the token element to store
*/
- public Element getBst(String uri) {
+ public void addTokenElement(Element elem) {
+ if (tokenList == null) {
+ tokenList = new Vector<Element>();
+ }
+ tokenList.add(elem);
+ }
+
+ /**
+ * Get a token Element for the given Id. The Id can be either a wsu:Id or
a
+ * SAML AssertionID/ID.
+ * TODO think about if it is better to restrict the default Id to wsu:Id?
+ * @param uri is the (relative) uri of the id
+ * @return the token element or null if nothing found
+ */
+ public Element getTokenElement(String uri) {
String id = uri;
- if (id.charAt(0) == '#') {
+ if (id == null) {
+ return null;
+ } else if (id.charAt(0) == '#') {
id = id.substring(1);
}
- if (bstList != null) {
- for (Element elem : bstList) {
+ if (tokenList != null) {
+ for (Element elem : tokenList) {
String cId = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
- if (id.equals(cId)) {
+ String samlId = elem.getAttribute("AssertionID");
+ String samlId2 = elem.getAttribute("ID");
+ if (id.equals(cId) || id.equals(samlId) || id.equals(samlId2))
{
return elem;
}
}
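Review bot: The new null guard in getTokenElement still lets an empty uri reach `id.charAt(0)`, which throws StringIndexOutOfBoundsException; widen it to `if (id == null || id.length() == 0) { return null; }`. The lookup also now accepts a match on a bare `ID` or `AssertionID` attribute of any stored element, not only a wsu:Id, so whichever element was added first with a colliding value wins regardless of its type; a Javadoc sentence saying that the first match in insertion order is returned would make that contract explicit for callers such as EnvelopeIdResolver. The body of getTokenElement continues past the end of this hunk.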
@@ -179,16 +163,6 @@ public class WSDocInfo {
}
/**
- * @param elem is the BinarySecurityToken to store
- */
- public void setBst(Element elem) {
- if (bstList == null) {
- bstList = new Vector<Element>();
- }
- bstList.add(elem);
- }
-
- /**
* @param crypto is the signature crypto class used to
* process signature/verify
*/
@@ -196,17 +170,4 @@ public class WSDocInfo {
this.crypto = crypto;
}
- /**
- * @return Returns the assertion.
- */
- public Element getAssertion() {
- return assertion;
- }
-
- /**
- * @param assertion The assertion to set.
- */
- public void setAssertion(Element assertion) {
- this.assertion = assertion;
- }
}
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
Thu Nov 18 16:07:37 2010
@@ -104,13 +104,13 @@ public class EnvelopeIdResolver extends
*/
/*
- * First check to see if the element that we require is a
SecurityTokenReference
- * that is stored in WSDocInfo.
+ * First check to see if the element that we require is a
SecurityTokenReference, or a
+ * previously processed Security Token that is stored in WSDocInfo.
*/
String id = uriNodeValue.substring(1);
Element selectedElem = null;
if (wsDocInfo != null) {
- selectedElem = wsDocInfo.getSecurityTokenReference(id);
+ selectedElem = wsDocInfo.getTokenElement(id);
}
/*
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java
(original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDKSign.java
Thu Nov 18 16:07:37 2010
@@ -263,7 +263,7 @@ public class WSSecDKSign extends WSSecDe
}
URIDereferencer dereferencer = new DOMURIDereferencer();
((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
- signContext.setURIDereferencer(new DOMURIDereferencer());
+ signContext.setURIDereferencer(dereferencer);
sig.sign(signContext);
signatureValue = sig.getSignatureValue().getValue();
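Review bot: The dereferencer is declared as the interface type and then immediately cast back to its concrete class to call setWsDocInfo, which reads as a leftover of the old two-instance bug this hunk fixes; `DOMURIDereferencer dereferencer = new DOMURIDereferencer();` followed by `dereferencer.setWsDocInfo(wsDocInfo);` drops the cast and still satisfies setURIDereferencer. The same pattern appears in the corresponding hunks of WSSecSignature, SignatureProcessor and WSSecSignatureSAML. The enclosing method starts and ends outside the hunk.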
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
Thu Nov 18 16:07:37 2010
@@ -87,11 +87,6 @@ public class WSSecEncrypt extends WSSecE
private String customReferenceValue;
/**
- * ValueType for the encrypted key reference
- */
- private String encKeyValueType;
-
- /**
* True if the encKeyId is a direct reference to a key identifier instead
of a URI to a key
*/
private boolean encKeyIdDirectId;
@@ -551,8 +546,8 @@ public class WSSecEncrypt extends WSSecE
} else {
ref.setURI("#" + encKeyId);
}
- if (encKeyValueType != null) {
- ref.setValueType(encKeyValueType);
+ if (customReferenceValue != null) {
+ ref.setValueType(customReferenceValue);
}
secToken.setReference(ref);
keyInfo.addUnknownElement(secToken.getElement());
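Review bot: Reusing customReferenceValue as the ValueType of the EncryptedKey reference is only equivalent to the removed encKeyValueType if that field is not also consulted elsewhere in the class when building the reference; that is not visible in this hunk, so it is worth confirming that setting a custom value type does not now change the URI or id logic as well. The public setter `setEncKeyValueType` is dropped outright in the following hunk, which breaks any caller compiled against earlier trunk; keeping it as a deprecated one-liner that delegates to the customReferenceValue setter would give those callers a migration path. The enclosing method starts and ends outside the hunk.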
@@ -669,10 +664,6 @@ public class WSSecEncrypt extends WSSecE
this.customReferenceValue = customReferenceValue;
}
- public void setEncKeyValueType(String e) {
- encKeyValueType = e;
- }
-
public void setEncKeyIdDirectId(boolean b) {
encKeyIdDirectId = b;
}
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
Thu Nov 18 16:07:37 2010
@@ -183,7 +183,7 @@ public class WSSecSignature extends WSSe
ref.setValueType(bstToken.getValueType());
secRef.setReference(ref);
bstToken.setID(certUri);
- wsDocInfo.setBst(bstToken.getElement());
+ wsDocInfo.addTokenElement(bstToken.getElement());
break;
case WSConstants.ISSUER_SERIAL:
@@ -254,7 +254,7 @@ public class WSSecSignature extends WSSe
}
if (keyIdentifierType != WSConstants.KEY_VALUE) {
XMLStructure structure = new DOMStructure(secRef.getElement());
- wsDocInfo.setSecurityTokenReference(secRef.getElement());
+ wsDocInfo.addTokenElement(secRef.getElement());
keyInfo =
keyInfoFactory.newKeyInfo(
java.util.Collections.singletonList(structure), keyInfoUri
@@ -462,7 +462,7 @@ public class WSSecSignature extends WSSe
}
URIDereferencer dereferencer = new DOMURIDereferencer();
((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
- signContext.setURIDereferencer(new DOMURIDereferencer());
+ signContext.setURIDereferencer(dereferencer);
sig.sign(signContext);
signatureValue = sig.getSignatureValue().getValue();
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
Thu Nov 18 16:07:37 2010
@@ -226,61 +226,48 @@ public class SecurityTokenReference {
String uri,
String type
) {
- Element tokElement = null;
String id = uri;
if (id.charAt(0) == '#') {
id = id.substring(1);
}
//
- // If the type is a SAMLAssertionID then find the SAML assertion -
first check
- // if it has been previously processed, else search the header for it
+ // If the token type is a SAML Token or BinarySecurityToken, try to
find it from the
+ // WSDocInfo instance first, to avoid searching the DOM element for it
//
String assertionStr = WSConstants.WSS_SAML_NS +
WSConstants.ASSERTION_LN;
- if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type)
- || assertionStr.equals(type)) {
- Element sa = docInfo.getAssertion();
- if (sa != null) {
- String saID = sa.getAttribute("AssertionID");
- if (doDebug) {
- log.debug("SAML token ID: " + saID);
- }
- if (saID.equals(id)) {
- tokElement = sa;
- }
- }
- if (tokElement == null) {
- Element assertion =
- WSSecurityUtil.findSAMLAssertionElementById(
- doc.getDocumentElement(),
- id
- );
- if (assertion != null) {
- tokElement = assertion;
- }
+ if (docInfo != null &&
+ (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type)
+ || assertionStr.equals(type)
+ || X509Security.X509_V3_TYPE.equals(type)
+ || PKIPathSecurity.getType().equals(type))) {
+ Element token = docInfo.getTokenElement(id);
+ if (token != null) {
+ return token;
}
}
//
- // If the type is a BinarySecurityToken then check to see if it's
available in
- // the WSDocInfo
+ // Try to find a SAML Assertion by searching the DOM tree
//
- if (docInfo != null &&
- (X509Security.X509_V3_TYPE.equals(type) ||
PKIPathSecurity.getType().equals(type))) {
- Element bst = docInfo.getBst(uri);
- if (bst != null) {
- //
- // Add the WSSE/WSU namespaces to the element for C14n
- //
- WSSecurityUtil.setNamespace(bst, WSConstants.WSSE_NS,
WSConstants.WSSE_PREFIX);
- WSSecurityUtil.setNamespace(bst, WSConstants.WSU_NS,
WSConstants.WSU_PREFIX);
- return bst;
+ if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type) ||
assertionStr.equals(type)) {
+ Element assertion =
+ WSSecurityUtil.findSAMLAssertionElementById(
+ doc.getDocumentElement(),
+ id
+ );
+ if (assertion != null) {
+ if (doDebug) {
+ log.debug("SAML token ID: " +
assertion.getAttribute("AssertionID"));
+ }
+ docInfo.addTokenElement(assertion);
+ return assertion;
}
}
//
// Try to find a custom token
//
- if (tokElement == null && WSConstants.WSC_SCT.equals(type) && cb !=
null) {
+ if (WSConstants.WSC_SCT.equals(type) && cb != null) {
//try to find a custom token
WSPasswordCallback pwcb =
new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
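Review bot: The SAML branch calls `docInfo.addTokenElement(assertion)` without a null check, while the WSDocInfo lookup a few lines above is guarded by `docInfo != null`; EncryptedKeyProcessor in this same commit calls getTokenElement with a null docInfo, so a SAML-typed reference on that path would throw a NullPointerException. Guard the store the same way, `if (docInfo != null) { docInfo.addTokenElement(assertion); }`. Note also that the WSSE/WSU namespace fix-up previously applied to a BST returned from WSDocInfo has been moved to STRTransform, so any other caller that relied on getTokenElement returning a BST ready for C14n no longer gets that; I cannot see such callers from here, so this is worth a quick check. The enclosing method starts and ends outside the hunk.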
@@ -288,7 +275,7 @@ public class SecurityTokenReference {
cb.handle(new Callback[]{pwcb});
Element assertionElem = pwcb.getCustomToken();
if (assertionElem != null) {
- tokElement = (Element)doc.importNode(assertionElem, true);
+ return (Element)doc.importNode(assertionElem, true);
}
} catch (Exception e) {
log.debug(e.getMessage(), e);
@@ -297,15 +284,11 @@ public class SecurityTokenReference {
}
//
- // Finally try to find the element by its Id
+ // Finally try to find the element by its (wsu) Id
//
+ Element tokElement = WSSecurityUtil.getElementByWsuId(doc, uri);
if (tokElement == null) {
- tokElement = WSSecurityUtil.getElementByWsuId(doc, uri);
-
- // In some scenarios id is used rather than wsu:Id
- if (tokElement == null) {
- tokElement = WSSecurityUtil.getElementByGenId(doc, uri);
- }
+ tokElement = WSSecurityUtil.getElementByGenId(doc, uri);
}
return tokElement;
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
Thu Nov 18 16:07:37 2010
@@ -66,6 +66,8 @@ public class EncryptedKeyProcessor imple
private X509Certificate[] certs;
private String encryptedKeyTransportMethod = null;
+
+ private WSDocInfo docInfo = null;
public void handleToken(
Element elem,
@@ -86,6 +88,7 @@ public class EncryptedKeyProcessor imple
if (cb == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"noCallback");
}
+ docInfo = wsDocInfo;
List<WSDataRef> dataRefs = handleEncryptedKey(elem, cb, decCrypto,
null);
encryptedKeyId = elem.getAttribute("Id");
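Review bot: docInfo is stored as an instance field and only ever assigned, never cleared, and the rewritten reference branch in the last hunk of this file now consults the existing `certs` instance field with `if (certs == null)` before falling back to the BST lookup; if a processor instance is reused across messages, the previous message's WSDocInfo and certificates would silently be carried into the next call, and a stale certs array would skip the token lookup entirely. Resetting both at the start of handleToken, `docInfo = wsDocInfo; certs = null;`, closes that window; passing wsDocInfo down to handleEncryptedKey as a parameter instead of a field would be cleaner still. The enclosing handleToken method starts and ends outside the hunk.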
@@ -98,7 +101,10 @@ public class EncryptedKeyProcessor imple
certs
);
- result.put(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD,
this.encryptedKeyTransportMethod);
+ result.put(
+ WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD,
+ this.encryptedKeyTransportMethod
+ );
returnResults.add(
0,
@@ -381,45 +387,61 @@ public class EncryptedKeyProcessor imple
log.debug("KeyIdentifier Alias: " + alias);
}
} else if (secRef.containsReference()) {
- Element bstElement = secRef.getTokenElement(doc, null, cb);
-
- // at this point ... check token type: Binary
- QName el =
- new QName(bstElement.getNamespaceURI(),
bstElement.getLocalName());
- if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
- X509Security token = new X509Security(bstElement);
- String value =
bstElement.getAttribute(WSSecurityEngine.VALUE_TYPE);
- if (!X509Security.X509_V3_TYPE.equals(value) || (token ==
null)) {
+ if (docInfo != null) {
+ String uri = secRef.getReference().getURI();
+ if (uri.charAt(0) == '#') {
+ uri = uri.substring(1);
+ }
+ Processor processor = docInfo.getProcessor(uri);
+ if (processor instanceof BinarySecurityTokenProcessor) {
+ certs =
((BinarySecurityTokenProcessor)processor).getCertificates();
+ } else if (processor != null) {
throw new WSSecurityException(
WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
"unsupportedBinaryTokenType",
- new Object[] {"for decryption (BST)"}
+ null
);
}
- certs = new
X509Certificate[]{token.getX509Certificate(crypto)};
- if (certs[0] == null) {
+ }
+ if (certs == null) {
+ Element bstElement = secRef.getTokenElement(doc, null, cb);
+
+ // at this point ... check token type: Binary
+ QName el = new QName(bstElement.getNamespaceURI(),
bstElement.getLocalName());
+ if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+ X509Security token = new X509Security(bstElement);
+ if (token == null) {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ new Object[] {"for decryption (BST)"}
+ );
+ }
+ certs = new
X509Certificate[]{token.getX509Certificate(crypto)};
+ } else {
throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noCertsFound",
- new Object[] {"decryption"}
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ null
);
}
- //
- // Here we have the certificate. Now find the alias for it.
Needed to identify
- // the private key associated with this certificate
- //
- alias = crypto.getAliasForX509Cert(certs[0]);
- if (log.isDebugEnabled()) {
- log.debug("BST Alias: " + alias);
- }
- } else {
+ }
+ if (certs == null || certs[0] == null) {
throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
- "unsupportedBinaryTokenType",
- null
+ WSSecurityException.FAILURE,
+ "noCertsFound",
+ new Object[] {"decryption"}
);
}
//
+ // Here we have the certificate. Now find the alias for it. Needed
to identify
+ // the private key associated with this certificate
+ //
+ alias = crypto.getAliasForX509Cert(certs[0]);
+ if (log.isDebugEnabled()) {
+ log.debug("BST Alias: " + alias);
+ }
+ //
// The following code is somewhat strange: the called crypto
method gets
// the keyname and searches for a certificate with an issuer's
name that is
// equal to this keyname. No serialnumber is used - IMHO this does
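Review bot: The rewritten BST branch drops the check that the referenced BinarySecurityToken's ValueType is X509v3 (`X509Security.X509_V3_TYPE.equals(value)` on the old side) and keeps only `if (token == null)`, which can never be true for the result of `new X509Security(bstElement)`; unless the X509Security constructor itself rejects other ValueTypes, which is not visible here, a token of any ValueType is now accepted as an X.509 certificate holder for decryption. Restore the check in place of the dead one, e.g. `String value = bstElement.getAttribute(WSSecurityEngine.VALUE_TYPE);` followed by `if (!X509Security.X509_V3_TYPE.equals(value)) { throw new WSSecurityException(WSSecurityException.UNSUPPORTED_SECURITY_TOKEN, "unsupportedBinaryTokenType", new Object[] {"for decryption (BST)"}); }`. The processor path above it also throws "unsupportedBinaryTokenType" with a null argument where the BST path passes a description, which makes the two failures hard to tell apart in logs. The enclosing method starts and ends outside the hunk.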
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SAMLTokenProcessor.java
Thu Nov 18 16:07:37 2010
@@ -54,7 +54,7 @@ public class SAMLTokenProcessor implemen
}
SAMLAssertion assertion = handleSAMLToken(elem);
id = assertion.getId();
- wsDocInfo.setAssertion(elem);
+ wsDocInfo.addTokenElement(elem);
returnResults.add(
0,
new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, assertion)
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
Thu Nov 18 16:07:37 2010
@@ -310,7 +310,7 @@ public class SignatureProcessor implemen
(SecurityContextTokenProcessor)processor;
secretKey = sctProcessor.getSecret();
principal = new
CustomTokenPrincipal(sctProcessor.getIdentifier());
- } else if (processor instanceof DerivedKeyTokenProcessor)
{
+ } else if (processor instanceof DerivedKeyTokenProcessor) {
DerivedKeyTokenProcessor dktProcessor =
(DerivedKeyTokenProcessor) processor;
DerivedKeyToken dkt =
dktProcessor.getDerivedKeyToken();
@@ -321,7 +321,7 @@ public class SignatureProcessor implemen
}
secretKey = dktProcessor.getKeyBytes(keyLength);
principal = dkt.createPrincipal();
- } else if (processor instanceof SAMLTokenProcessor) {
+ } else if (processor instanceof SAMLTokenProcessor) {
if (crypto == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "noSigCryptoFile"
@@ -416,7 +416,7 @@ public class SignatureProcessor implemen
context.setProperty("javax.xml.crypto.dsig.cacheReference",
Boolean.TRUE);
URIDereferencer dereferencer = new DOMURIDereferencer();
((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
- context.setURIDereferencer(new DOMURIDereferencer());
+ context.setURIDereferencer(dereferencer);
try {
XMLSignature xmlSignature =
signatureFactory.unmarshalXMLSignature(context);
boolean signatureOk = xmlSignature.validate(context);
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/saml/WSSecSignatureSAML.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/saml/WSSecSignatureSAML.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/saml/WSSecSignatureSAML.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/saml/WSSecSignatureSAML.java
Thu Nov 18 16:07:37 2010
@@ -392,7 +392,7 @@ public class WSSecSignatureSAML extends
ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
secRefSaml.setReference(ref);
}
- wsDocInfo.setSecurityTokenReference(secRefSaml.getElement());
+ wsDocInfo.addTokenElement(secRefSaml.getElement());
}
} catch (Exception ex) {
throw new WSSecurityException(
@@ -408,7 +408,7 @@ public class WSSecSignatureSAML extends
bstToken = new X509Security(doc);
((X509Security) bstToken).setX509Certificate(certs[0]);
bstToken.setID(certUri);
- wsDocInfo.setBst(bstToken.getElement());
+ wsDocInfo.addTokenElement(bstToken.getElement());
ref.setValueType(bstToken.getValueType());
secRef.setReference(ref);
break;
@@ -444,7 +444,7 @@ public class WSSecSignatureSAML extends
}
}
XMLStructure structure = new DOMStructure(secRef.getElement());
- wsDocInfo.setSecurityTokenReference(secRef.getElement());
+ wsDocInfo.addTokenElement(secRef.getElement());
keyInfo =
keyInfoFactory.newKeyInfo(
@@ -458,7 +458,7 @@ public class WSSecSignatureSAML extends
WSSecurityException.FAILED_SIGNATURE, "noSAMLdoc", null, e2
);
}
- wsDocInfo.setAssertion(samlToken);
+ wsDocInfo.addTokenElement(samlToken);
}
/**
@@ -539,7 +539,7 @@ public class WSSecSignatureSAML extends
}
URIDereferencer dereferencer = new DOMURIDereferencer();
((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
- signContext.setURIDereferencer(new DOMURIDereferencer());
+ signContext.setURIDereferencer(dereferencer);
sig.sign(signContext);
signatureValue = sig.getSignatureValue().getValue();
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransform.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransform.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransform.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransform.java
Thu Nov 18 16:07:37 2010
@@ -24,7 +24,9 @@ import org.apache.commons.logging.LogFac
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
+import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.c14n.Canonicalizer;
@@ -205,6 +207,22 @@ public class STRTransform extends Transf
Element dereferencedToken =
STRTransformUtil.dereferenceSTR(doc, secRef, wsDocInfo);
+ if (dereferencedToken != null) {
+ String type = dereferencedToken.getAttribute("ValueType");
+ if ((X509Security.X509_V3_TYPE.equals(type)
+ || PKIPathSecurity.getType().equals(type))) {
+ //
+ // Add the WSSE/WSU namespaces to the element for C14n
+ //
+ WSSecurityUtil.setNamespace(
+ dereferencedToken, WSConstants.WSSE_NS,
WSConstants.WSSE_PREFIX
+ );
+ WSSecurityUtil.setNamespace(
+ dereferencedToken, WSConstants.WSU_NS,
WSConstants.WSU_PREFIX
+ );
+ }
+ }
+
//
// C14n with specified algorithm. According to WSS Specification.
//
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransformUtil.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransformUtil.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransformUtil.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/transform/STRTransformUtil.java
Thu Nov 18 16:07:37 2010
@@ -29,6 +29,9 @@ import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.processor.BinarySecurityTokenProcessor;
+import org.apache.ws.security.processor.Processor;
+import org.apache.ws.security.processor.SAMLTokenProcessor;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
@@ -58,33 +61,30 @@ public class STRTransformUtil {
public static Element dereferenceSTR(Document doc,
SecurityTokenReference secRef, WSDocInfo wsDocInfo) throws
WSSecurityException
{
-
- // NOTE: Here step numbers refer to the overall step in the complete
processing
- // of the STRTransform. See STRTransform for the lead up to these
steps.
- //
- // Third step: locate the security token referenced by the STR element.
- // Either the Token is contained in the document as a
- // BinarySecurityToken or stored in some key storage.
- //
- // Fourth step: after security token was located, prepare it. If its
- // reference via a direct reference, i.e. a relative URI that
references
- // the BST directly in the message then just return that element.
- // Otherwise wrap the located token in a newly created BST element as
- // described in WSS Specification.
- //
- //
- Element tokElement = null;
-
//
// First case: direct reference, according to chap 7.2 of OASIS WS
// specification (main document). Only in this case return a true
- // reference to the BST. Copying is done by the caller.
+ // reference to the BST or Assertion. Copying is done by the caller.
//
if (secRef.containsReference()) {
if (log.isDebugEnabled()) {
log.debug("STR: Reference");
}
- tokElement = secRef.getTokenElement(doc, wsDocInfo, null);
+ org.apache.ws.security.message.token.Reference ref =
secRef.getReference();
+
+ String uri = ref.getURI();
+ if (uri.charAt(0) == '#') {
+ uri = uri.substring(1);
+ }
+ Processor processor = wsDocInfo.getProcessor(uri);
+
+ if (processor == null) {
+ return secRef.getTokenElement(doc, wsDocInfo, null);
+ } else if (processor instanceof BinarySecurityTokenProcessor) {
+ return
((BinarySecurityTokenProcessor)processor).getToken().getElement();
+ } else if (processor instanceof SAMLTokenProcessor) {
+ return ((SAMLTokenProcessor)processor).getSamlTokenElement();
+ }
}
//
// second case: IssuerSerial, lookup in keystore, wrap in BST according
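Review bot: In the direct-reference branch, a processor that is non-null but neither a BinarySecurityTokenProcessor nor a SAMLTokenProcessor falls through the if chain without returning, skips the `secRef.getTokenElement` fallback that the old code applied to every direct reference, and ends up at the method's final `return null` in a later hunk; a reference to a token handled by any other processor (security context tokens, for instance) would therefore no longer be dereferenced. Replace the `processor == null` branch with an unconditional fallback after the chain, `return secRef.getTokenElement(doc, wsDocInfo, null);`. `wsDocInfo.getProcessor(uri)` is also called without a null check while SecurityTokenReference guards docInfo, so if any caller passes null here this path now throws a NullPointerException. The dereferenceSTR method continues past the end of this hunk.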
@@ -94,14 +94,12 @@ public class STRTransformUtil {
if (log.isDebugEnabled()) {
log.debug("STR: IssuerSerial");
}
- X509Certificate cert = null;
X509Certificate[] certs =
secRef.getX509IssuerSerial(wsDocInfo.getCrypto());
if (certs == null || certs.length == 0 || certs[0] == null) {
throw new
WSSecurityException(WSSecurityException.FAILED_CHECK);
}
- cert = certs[0];
- tokElement = createBSTX509(doc, cert, secRef.getElement());
+ return createBSTX509(doc, certs[0], secRef.getElement());
}
//
// third case: KeyIdentifier. For SKI, lookup in keystore, wrap in
@@ -113,21 +111,19 @@ public class STRTransformUtil {
log.debug("STR: KeyIdentifier");
}
if
(WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()))
{
- tokElement = secRef.getKeyIdentifierTokenElement(doc,
wsDocInfo, null);
+ return secRef.getKeyIdentifierTokenElement(doc, wsDocInfo,
null);
} else {
- X509Certificate cert = null;
X509Certificate[] certs =
secRef.getKeyIdentifier(wsDocInfo.getCrypto());
if (certs == null || certs.length == 0 || certs[0] == null) {
throw new
WSSecurityException(WSSecurityException.FAILED_CHECK);
}
- cert = certs[0];
- tokElement = createBSTX509(doc, cert, secRef.getElement());
+ return createBSTX509(doc, certs[0], secRef.getElement());
}
}
- return tokElement;
+ return null;
}
- protected static Element createBSTX509(Document doc, X509Certificate cert,
Element secRefE)
+ public static Element createBSTX509(Document doc, X509Certificate cert,
Element secRefE)
throws WSSecurityException {
byte data[];
try {
Modified: webservices/wss4j/trunk/test/wssec/TestModifiedRequest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestModifiedRequest.java?rev=1036510&r1=1036509&r2=1036510&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestModifiedRequest.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestModifiedRequest.java Thu Nov 18
16:07:37 2010
@@ -24,7 +24,7 @@ import junit.framework.TestCase;
import junit.framework.TestSuite;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-// import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
@@ -33,7 +33,7 @@ import org.apache.ws.security.components
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecHeader;
-// import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import javax.security.auth.callback.Callback;
@@ -143,6 +143,7 @@ public class TestModifiedRequest extends
* original element is changed. The wsu:Id value of the original element
is also
* changed. Signature verification will pass, so we need to check that
wsu:Id's.
* TODO - failing after JSR105 move
+ */
public void testMovedElementChangedId() throws Exception {
WSSecSignature builder = new WSSecSignature();
builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e",
"security");
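Review bot: Re-enabling testMovedElementChangedId leaves the line `* TODO - failing after JSR105 move` inside its Javadoc even though the commit message says the failure is fixed, so the doc now contradicts the test's status; drop that line, or replace it with a sentence saying the test exercises ID resolution after the JSR-105 port. The test method continues past the end of this hunk.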
@@ -151,7 +152,7 @@ public class TestModifiedRequest extends
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
- List parts = new Vector();
+ List<WSEncryptionPart> parts = new Vector<WSEncryptionPart>();
WSEncryptionPart encP =
new WSEncryptionPart(
"value",
@@ -190,7 +191,8 @@ public class TestModifiedRequest extends
// Now we check that the wsu:Id of the element we want signed
corresponds to the
// wsu:Id that was actually signed...again, this should pass
//
- List results = verify(signedDoc);
+ List<WSSecurityEngineResult> results = verify(signedDoc);
+
WSSecurityEngineResult actionResult =
WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
WSSecurityUtil.checkSignsAllElements(actionResult, new
String[]{savedId});
@@ -217,7 +219,6 @@ public class TestModifiedRequest extends
// expected
}
}
- */
/**