Repository: cxf Updated Branches: refs/heads/3.0.x-fixes e163f8a5d -> 5d18509f6
[CXF-6277] - Enhance the X509TokenValidator to also validate X509Data DOM Elements Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5d18509f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5d18509f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5d18509f Branch: refs/heads/3.0.x-fixes Commit: 5d18509f6e1fba8d6dd374f30ca93745edbcc254 Parents: e163f8a Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Thu Mar 5 15:53:22 2015 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Thu Mar 5 15:54:42 2015 +0000 ---------------------------------------------------------------------- .../sts/token/validator/X509TokenValidator.java | 58 ++++++++++++-------- 1 file changed, 36 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/5d18509f/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java index 368ed54..344d4ce 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java @@ -27,6 +27,7 @@ import java.util.logging.Logger; import javax.security.auth.callback.CallbackHandler; import org.w3c.dom.Document; +import org.w3c.dom.Element; import org.w3c.dom.Text; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.helpers.DOMUtils; @@ -39,6 +40,7 @@ import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSConfig; +import org.apache.wss4j.dom.bsp.BSPEnforcer; import org.apache.wss4j.dom.handler.RequestData; import org.apache.wss4j.dom.message.token.BinarySecurity; import org.apache.wss4j.dom.message.token.X509Security; @@ -47,8 +49,8 @@ import org.apache.wss4j.dom.validate.SignatureTrustValidator; import org.apache.wss4j.dom.validate.Validator; /** - * This class validates an X.509 V.3 certificate (received as a BinarySecurityToken). The cert must - * be known (or trusted) by the STS crypto object. + * This class validates an X.509 V.3 certificate (received as a BinarySecurityToken or an X509Data + * DOM Element). The cert must be known (or trusted) by the STS crypto object. */ public class X509TokenValidator implements TokenValidator { @@ -95,6 +97,10 @@ public class X509TokenValidator implements TokenValidator { if ((token instanceof BinarySecurityTokenType) && X509_V3_TYPE.equals(((BinarySecurityTokenType)token).getValueType())) { return true; + } else if (token instanceof Element + && WSConstants.SIG_NS.equals(((Element)token).getNamespaceURI()) + && WSConstants.X509_DATA_LN.equals(((Element)token).getLocalName())) { + return true; } return false; } @@ -120,30 +126,38 @@ public class X509TokenValidator implements TokenValidator { validateTarget.setState(STATE.INVALID); response.setToken(validateTarget); - if (!validateTarget.isBinarySecurityToken()) { - return response; - } - - BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType)validateTarget.getToken(); - - // Test the encoding type - String encodingType = binarySecurityType.getEncodingType(); - if (!BASE64_ENCODING.equals(encodingType)) { - LOG.fine("Bad encoding type attribute specified: " + encodingType); + BinarySecurity binarySecurity = null; + if (validateTarget.isBinarySecurityToken()) { + BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType)validateTarget.getToken(); + + // Test the encoding type + String encodingType = binarySecurityType.getEncodingType(); + if (!BASE64_ENCODING.equals(encodingType)) { + LOG.fine("Bad encoding type attribute specified: " + encodingType); + return response; + } + + // + // Turn the received JAXB object into a DOM element + // + Document doc = DOMUtils.createDocument(); + binarySecurity = new X509Security(doc); + binarySecurity.setEncodingType(encodingType); + binarySecurity.setValueType(binarySecurityType.getValueType()); + String data = binarySecurityType.getValue(); + ((Text)binarySecurity.getElement().getFirstChild()).setData(data); + } else if (validateTarget.isDOMElement()) { + try { + binarySecurity = new X509Security((Element)validateTarget.getToken(), new BSPEnforcer()); + } catch (WSSecurityException ex) { + LOG.log(Level.WARNING, "", ex); + return response; + } + } else { return response; } // - // Turn the received JAXB object into a DOM element - // - Document doc = DOMUtils.createDocument(); - BinarySecurity binarySecurity = new X509Security(doc); - binarySecurity.setEncodingType(encodingType); - binarySecurity.setValueType(binarySecurityType.getValueType()); - String data = binarySecurityType.getValue(); - ((Text)binarySecurity.getElement().getFirstChild()).setData(data); - - // // Validate the token // try {