Repository: cxf Updated Branches: refs/heads/3.1.x-fixes a0bb3cc1b -> ab1e3ebf0
Add support to disable inclusive prefixes with WS-SecurityPolicy Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ab1e3ebf Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ab1e3ebf Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ab1e3ebf Branch: refs/heads/3.1.x-fixes Commit: ab1e3ebf03c142df876be561e6720e788b7c6dac Parents: a0bb3cc Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Apr 5 17:11:37 2016 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Apr 5 17:12:25 2016 +0100
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 6 ++++ .../policyhandlers/AbstractBindingBuilder.java | 7 +++++ .../AbstractStaxBindingHandler.java | 5 ++++ .../AsymmetricBindingHandler.java | 7 +++++ .../policyhandlers/SymmetricBindingHandler.java | 15 ++++++++++ .../cxf/systest/ws/x509/X509TokenTest.java | 29 ++++++++++++++++++++ 6 files changed, 69 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/ab1e3ebf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index f431a14..e13dff3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -139,6 +139,12 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
      * hence set this configuration option to "false" in this case.
      */
     public static final String USE_STR_TRANSFORM = "ws-security.use.str.transform";
+
+    /**
+     * Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating
+     * Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. Default is "true".
+     */
+    public static final String ADD_INCLUSIVE_PREFIXES = "ws-security.add.inclusive.prefixes";
 
     //
     // Non-boolean WS-Security Configuration parameters
http://git-wip-us.apache.org/repos/asf/cxf/blob/ab1e3ebf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 4d2f2c5..27254df 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
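Review bot: The new Javadoc on ADD_INCLUSIVE_PREFIXES says what the option adds but not what is given up when it is set to "false", and this constant is the only place a user will read before flipping it. Under exclusive canonicalization a namespace declaration is only part of the canonical form when an element or attribute name in the signed subtree uses that prefix; the InclusiveNamespaces PrefixList is what also pulls in declarations for prefixes that appear only in text or attribute values (QName-typed content), so without it those bindings are not covered by the signature. Suggest extending the comment with `* Setting this to "false" is intended for interoperability with peers that cannot process the PrefixList; namespace declarations for prefixes used only inside element or attribute values are then not protected by the signature.` A sentence naming where the option is honoured (the DOM and StAX signature paths touched by this commit) would also help.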
@@ -1808,6 +1808,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         sig.setDigestAlgo(algType.getDigest());
         sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
+
+        boolean includePrefixes =
+            MessageUtils.getContextualBoolean(
+                message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true
+            );
+        sig.setAddInclusivePrefixes(includePrefixes);
+
         try {
             sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
         } catch (WSSecurityException e) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/ab1e3ebf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index 70d377f..4b71628 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
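Review bot: The lookup `MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true)` added here is repeated verbatim in AbstractStaxBindingHandler, AsymmetricBindingHandler and twice in SymmetricBindingHandler, so the default of `true` is encoded in five places and can drift. The hunk headers show both AbstractBindingBuilder and AbstractStaxBindingHandler extending AbstractCommonBindingHandler, so one accessor there would serve every call site: `protected boolean isAddInclusivePrefixes() {` / `    return MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);` / `}`. This assumes `message` is a field of that common base, which the hunks do not show. The enclosing method of this hunk starts and ends outside it.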
@@ -548,6 +548,11 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
         properties.setSignatureDigestAlgorithm(algType.getDigest());
         // sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
 
+        boolean includePrefixes =
+            MessageUtils.getContextualBoolean(
+                message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true
+            );
+        properties.setAddExcC14NInclusivePrefixes(includePrefixes);
     }
 
     protected WSSecurityTokenConstants.KeyIdentifier getKeyIdentifierType(
http://git-wip-us.apache.org/repos/asf/cxf/blob/ab1e3ebf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 078a10d..c6ca2a8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -37,6 +37,7 @@ import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
@@ -650,6 +651,12 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE); + boolean includePrefixes = + MessageUtils.getContextualBoolean( + message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true + ); + dkSign.setAddInclusivePrefixes(includePrefixes); + try { dkSign.prepare(saaj.getSOAPPart(), secHeader);
http://git-wip-us.apache.org/repos/asf/cxf/blob/ab1e3ebf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index bbdbd69..46e5301 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -35,6 +35,7 @@ import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
@@ -700,6 +701,13 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             dkSign.setDigestAlgorithm(algType.getDigest());
             dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
+
+            boolean includePrefixes =
+                MessageUtils.getContextualBoolean(
+                    message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true
+                );
+            dkSign.setAddInclusivePrefixes(includePrefixes);
+
             if (tok.getSHA1() != null) {
                 //Set the value type of the reference
                 String tokenType = tok.getTokenType();
@@ -858,6 +866,13 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             sig.setCustomTokenId(sigTokId);
             sig.setSecretKey(tok.getSecret());
             sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+
+            boolean includePrefixes =
+                MessageUtils.getContextualBoolean(
+                    message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true
+                );
+            sig.setAddInclusivePrefixes(includePrefixes);
+
             AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             sig.setDigestAlgo(algType.getDigest());
             sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
http://git-wip-us.apache.org/repos/asf/cxf/blob/ab1e3ebf/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
index 4fb6422..7e250e9 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
@@ -284,6 +284,35 @@ public class X509TokenTest extends AbstractBusClientServerTestBase {
     }
 
     @org.junit.Test
+    public void testKeyIdentifierInclusivePrefixes() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItKeyIdentifierPort");
+        DoubleItPortType x509Port =
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, test.getPort());
+
+        ((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.ADD_INCLUSIVE_PREFIXES, "false");
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(x509Port);
+        }
+
+        x509Port.doubleIt(25);
+
+        ((java.io.Closeable)x509Port).close();
+        bus.shutdown(true);
+    }
+
+    @org.junit.Test
     public void testIntermediary() throws Exception {
 
         if (test.isStreaming() || STAX_PORT.equals(test.getPort())) {
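Review bot: testKeyIdentifierInclusivePrefixes only checks that a request sent with ADD_INCLUSIVE_PREFIXES set to "false" is accepted by the service; it never inspects the Signature it produced, so a regression in which the property is ignored and the PrefixList is still emitted would pass unnoticed. Capturing the outbound message on the client bus (an out logging interceptor is enough) and asserting that no `InclusiveNamespaces` child appears under `CanonicalizationMethod` would pin the behaviour this commit introduces. The test also drives only DoubleItKeyIdentifierPort, so the SymmetricBindingHandler and derived-key paths changed in the same commit get no coverage; a second case on a symmetric-binding port would close that gap. The enclosing class continues outside the hunk.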