This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch wss4j_2.3.0 in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/wss4j_2.3.0 by this push: new 3b4e94c Picking up more changes in WSS4J 3b4e94c is described below commit 3b4e94ccb8d6d1ef4a3c1e6fe45d0e97c7b2f8cf Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Mon Jun 17 13:44:27 2019 +0100 Picking up more changes in WSS4J --- parent/pom.xml | 1 + .../cxf/ws/security/trust/STSStaxTokenValidator.java | 3 ++- .../ws/wssec10/server/CustomUsernameTokenInterceptor.java | 14 ++++++++++---- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/parent/pom.xml b/parent/pom.xml index c7123b9..9c9d118 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -214,6 +214,7 @@ <cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version> <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version> <cxf.wss4j.version>2.3.0-SNAPSHOT</cxf.wss4j.version> + <cxf.xalan.version>2.7.2</cxf.xalan.version> <cxf.xbean.version>4.14</cxf.xbean.version> <cxf.xerces.version>2.12.0</cxf.xerces.version> <cxf.xmlschema.version>2.2.4</cxf.xmlschema.version> diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java index ffb99e4..57429e2 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java @@ -42,6 +42,7 @@ import org.apache.wss4j.common.token.BinarySecurity; import org.apache.wss4j.common.token.PKIPathSecurity; import org.apache.wss4j.common.token.X509Security; import org.apache.wss4j.common.util.AttachmentUtils; +import org.apache.wss4j.common.util.UsernameTokenUtil; import org.apache.wss4j.dom.message.token.KerberosSecurity; import org.apache.wss4j.dom.message.token.UsernameToken; import org.apache.wss4j.stax.ext.WSSConstants; 
@@ -329,7 +330,7 @@ public class STSStaxTokenValidator throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION); } - String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword()); + String passDigest = UsernameTokenUtil.doPasswordDigest(nonceVal, created, pwCb.getPassword()); if (!passwordType.getValue().equals(passDigest)) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION); } diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java index e04d7b5..50ea95b 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java @@ -26,7 +26,8 @@ import org.apache.cxf.common.security.SimplePrincipal; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor; -import org.apache.wss4j.dom.message.token.UsernameToken; +import org.apache.wss4j.common.util.UsernameTokenUtil; +import org.apache.xml.security.utils.XMLUtils; public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor { 
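Review bot: The digest check that follows the changed call, `if (!passwordType.getValue().equals(passDigest))`, compares the client-supplied value with `String.equals`, which stops at the first differing character. For an authenticator value a constant-time comparison is the safer choice, for example `if (!MessageDigest.isEqual(passwordType.getValue().getBytes(StandardCharsets.UTF_8), passDigest.getBytes(StandardCharsets.UTF_8)))`, which needs imports for `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`. The test interceptor in this same commit has to Base64-decode the nonce before calling `UsernameTokenUtil.doPasswordDigest`, so it is worth confirming that `nonceVal` here already holds the decoded bytes. Its declaration is outside the hunk, as are the start and end of the enclosing method.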
@@ -44,11 +45,16 @@ public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor { // add roles this user is in String roleName = "Alice".equals(name) ? "developers" : "pms"; - String expectedPassword = "Alice".equals(name) ? "ecilA" - : UsernameToken.doPasswordDigest(nonce, created, "invalid-password"); - if (!password.equals(expectedPassword)) { + try { + String expectedPassword = "Alice".equals(name) ? "ecilA" + : UsernameTokenUtil.doPasswordDigest(XMLUtils.decode(nonce), created, "invalid-password"); + if (!password.equals(expectedPassword)) { + throw new SecurityException("Wrong Password"); + } + } catch (org.apache.wss4j.common.ext.WSSecurityException ex) { throw new SecurityException("Wrong Password"); } + subject.getPrincipals().add(new SimpleGroup(roleName, name)); subject.setReadOnly(); return subject;
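Review bot: The new `catch (org.apache.wss4j.common.ext.WSSecurityException ex)` block discards `ex`, so a failure inside `doPasswordDigest` looks exactly like a password mismatch and leaves nothing to diagnose it. Keeping the same client-facing message while chaining the cause, `throw new SecurityException("Wrong Password", ex);`, preserves that detail. `XMLUtils.decode(nonce)` runs for every name other than "Alice", and the hunk does not show whether `nonce` can be null or malformed Base64. If decode throws an unchecked exception in that case it would bypass this catch, so a guard that also ends in "Wrong Password" may be worth adding. The exception type would read better as an import than fully qualified inline; the method itself begins above the hunk.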