This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/saml-refactor-new in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
commit d10df4e9eaef198b747a02f991d6bac717aa6914
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Jun 27 09:39:11 2025 +0100
Switching to ServiceLoader for SAMLKeyInfoProcessor
---
 .../apache/wss4j/common/dom/engine/WSSConfig.java | 8 ++++
 .../wss4j/dom/str/EncryptedKeySTRParser.java | 12 +++-
 .../wss4j/dom/str/SecurityTokenRefSTRParser.java | 18 ++++----
 .../apache/wss4j/dom/str/SignatureSTRParser.java | 53 ++++++++++++----------
 ...g.apache.wss4j.common.saml.SAMLKeyInfoProcessor | 1 +
 5 files changed, 55 insertions(+), 37 deletions(-)
diff --git a/ws-security-common/src/main/java/org/apache/wss4j/common/dom/engine/WSSConfig.java b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/engine/WSSConfig.java
index a2e2e8349..e5e788bd3 100644
--- a/ws-security-common/src/main/java/org/apache/wss4j/common/dom/engine/WSSConfig.java
+++ b/ws-security-common/src/main/java/org/apache/wss4j/common/dom/engine/WSSConfig.java
@@ -24,6 +24,7 @@ import java.security.PrivilegedAction;
 import java.security.Security;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Optional;
 
 import javax.xml.datatype.DatatypeConfigurationException;
 import javax.xml.datatype.DatatypeFactory;
@@ -37,6 +38,7 @@ import org.apache.wss4j.common.dom.processor.Processor;
 import org.apache.wss4j.common.dom.resolvers.ResolverAttachment;
 import org.apache.wss4j.common.dom.validate.Validator;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
 import org.apache.wss4j.common.util.WSCurrentTimeSource;
 import org.apache.wss4j.common.util.WSTimeSource;
 import org.apache.wss4j.common.dom.transform.AttachmentCiphertextTransform;
@@ -481,4 +483,10 @@ public final class WSSConfig {
 WSSConfig.addJceProviders = addJceProviders;
 WSProviderConfig.setAddJceProviders(addJceProviders);
 }
+
+ public Optional<SAMLKeyInfoProcessor> getSAMLKeyInfoProcessor() {
+ java.util.ServiceLoader<SAMLKeyInfoProcessor> loader =
+ java.util.ServiceLoader.load(SAMLKeyInfoProcessor.class);
+ return loader.findFirst();
+ }
 }
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
index 3fed798fe..adeb7d528 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
@@ -21,6 +21,7 @@ package org.apache.wss4j.dom.str;
 
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.Optional;
 
 import javax.xml.namespace.QName;
 
@@ -38,7 +39,6 @@ import org.apache.wss4j.common.dom.WSDocInfo;
 import org.apache.wss4j.common.dom.engine.WSSecurityEngineResult;
 import org.apache.wss4j.common.dom.processor.STRParserUtil;
 import org.apache.wss4j.common.dom.RequestData;
-import org.apache.wss4j.common.saml.message.WSSSAMLKeyInfoProcessor;
 import org.w3c.dom.Element;
 
 /**
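Review bot: `getSAMLKeyInfoProcessor()` runs `ServiceLoader.load(...)` on every call, and the four STR parser hunks in this commit call it once per SecurityTokenReference, so the provider lookup (including its classpath scan) is repeated on each SAML key-identifier parse; resolving the provider once and keeping it in a `WSSConfig` field would avoid that, provided the class-loader context does not differ between callers. The method also has no Javadoc, and a caller should know that `ServiceLoader.load(Class)` resolves against the thread context class loader, that the first registered implementation wins, and that `findFirst()` propagates `ServiceConfigurationError` for a malformed provider entry — suggested summary: `Returns the first {@link SAMLKeyInfoProcessor} registered through java.util.ServiceLoader on the context class loader, or an empty Optional when none is available.` Style: `java.util.ServiceLoader` is written fully qualified while `Optional` is imported in the same commit; `import java.util.ServiceLoader;` next to it would match the file.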
@@ -142,10 +142,12 @@ public class EncryptedKeySTRParser implements STRParser {
 if (secRef.containsKeyIdentifier()) {
 if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
 || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
- SAMLKeyInfoProcessor keyInfoProcessor = new WSSSAMLKeyInfoProcessor();
- SAMLKeyInfo samlKi = keyInfoProcessor.processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
- parserResult.setCerts(samlKi.getCerts());
- parserResult.setPublicKey(samlKi.getPublicKey());
+ Optional<SAMLKeyInfoProcessor> keyInfoProcessor = data.getWssConfig().getSAMLKeyInfoProcessor();
+ if (keyInfoProcessor.isPresent()) {
+ SAMLKeyInfo samlKi = keyInfoProcessor.get().processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
+ parserResult.setCerts(samlKi.getCerts());
+ parserResult.setPublicKey(samlKi.getPublicKey());
+ }
 } else {
 STRParserUtil.checkBinarySecurityBSPCompliance(secRef, null, data.getBSPEnforcer());
 parserResult.setCerts(secRef.getKeyIdentifier(crypto));
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
index 3644d0fcf..f9a7ca320 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
@@ -21,6 +21,7 @@ package org.apache.wss4j.dom.str;
 
 import java.util.Arrays;
 import java.util.List;
+import java.util.Optional;
 
 import javax.xml.namespace.QName;
 
@@ -42,7 +43,6 @@ import org.apache.wss4j.common.dom.message.token.DerivedKeyToken;
 import org.apache.wss4j.common.dom.message.token.UsernameToken;
 import org.apache.wss4j.common.dom.processor.Processor;
 import org.apache.wss4j.common.dom.processor.STRParserUtil;
-import org.apache.wss4j.common.saml.message.WSSSAMLKeyInfoProcessor;
 import org.w3c.dom.Element;
 
 /**
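Review bot: The new `if (keyInfoProcessor.isPresent())` guard turns a missing provider into a silent no-op: a SecurityTokenReference that explicitly carries a SAML key identifier now leaves `parserResult` with neither certs nor public key when no `SAMLKeyInfoProcessor` is registered (for example when the ws-security-saml module, which carries the new META-INF/services entry, is not on the classpath), whereas the removed code always constructed one. The same fall-through appears in the SecurityTokenRefSTRParser hunk, where `secretKey` stays null and the former `"No Secret Key"` check is bypassed, and in both SignatureSTRParser hunks, where `checkSamlTokenBSPCompliance` and the principal assignment are skipped as well. It is not visible here whether a later stage rejects the empty result, but a reference that cannot be resolved should fail at this point, e.g. `SAMLKeyInfoProcessor keyInfoProcessor = data.getWssConfig().getSAMLKeyInfoProcessor().orElseThrow(() -> new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken", new Object[] {"No SAMLKeyInfoProcessor available"}));`, which also removes the `isPresent()`/`get()` pair. The enclosing method starts before and ends after this hunk.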
@@ -197,14 +197,16 @@ public class SecurityTokenRefSTRParser implements STRParser {
 STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType,
 WSPasswordCallback.SECRET_KEY, data);
 if (secretKey == null || secretKey.length == 0) {
- SAMLKeyInfoProcessor keyInfoProcessor = new WSSSAMLKeyInfoProcessor();
- SAMLKeyInfo samlKi = keyInfoProcessor.processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
- if (samlKi == null || samlKi.getSecret() == null) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken",
- new Object[] {"No Secret Key"});
+ Optional<SAMLKeyInfoProcessor> keyInfoProcessor = data.getWssConfig().getSAMLKeyInfoProcessor();
+ if (keyInfoProcessor.isPresent()) {
+ SAMLKeyInfo samlKi = keyInfoProcessor.get().processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
+ if (samlKi == null || samlKi.getSecret() == null) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken",
+ new Object[] {"No Secret Key"});
+ }
+ secretKey = samlKi.getSecret();
 }
- secretKey = samlKi.getSecret();
 }
 parserResult.setSecretKey(secretKey);
 } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
index 0d585905e..2d74788c7 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
@@ -25,6 +25,7 @@ import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Optional;
 
 import javax.xml.namespace.QName;
 
@@ -52,7 +53,6 @@ import org.apache.wss4j.common.dom.message.token.SecurityContextToken;
 import org.apache.wss4j.common.dom.message.token.UsernameToken;
 import org.apache.wss4j.common.dom.processor.Processor;
 import org.apache.wss4j.common.dom.processor.STRParserUtil;
-import org.apache.wss4j.common.saml.message.WSSSAMLKeyInfoProcessor;
 import org.w3c.dom.Element;
 
 /**
@@ -132,18 +132,20 @@ public class SignatureSTRParser implements STRParser {
 byte[] secretKey = STRParserUtil.getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType,
 WSPasswordCallback.SECRET_KEY, data);
 if (secretKey == null || secretKey.length == 0) {
- SAMLKeyInfoProcessor keyInfoProcessor = new WSSSAMLKeyInfoProcessor();
- SAMLKeyInfo samlKi = keyInfoProcessor.processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
+ Optional<SAMLKeyInfoProcessor> keyInfoProcessor = data.getWssConfig().getSAMLKeyInfoProcessor();
+ if (keyInfoProcessor.isPresent()) {
+ SAMLKeyInfo samlKi = keyInfoProcessor.get().processSAMLKeyInfoFromSecurityTokenReference(secRef, data);
 
- X509Certificate[] foundCerts = samlKi.getCerts();
- if (foundCerts != null && foundCerts.length > 0) {
- parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
- }
- secretKey = samlKi.getSecret();
- parserResult.setPublicKey(samlKi.getPublicKey());
- parserResult.setPrincipal(samlKi.getSamlPrincipal());
- if (samlKi.isHolderOfKey() && samlKi.isAssertionSigned()) {
- parserResult.setTrustedCredential(true);
+ X509Certificate[] foundCerts = samlKi.getCerts();
+ if (foundCerts != null && foundCerts.length > 0) {
+ parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+ }
+ secretKey = samlKi.getSecret();
+ parserResult.setPublicKey(samlKi.getPublicKey());
+ parserResult.setPrincipal(samlKi.getSamlPrincipal());
+ if (samlKi.isHolderOfKey() && samlKi.isAssertionSigned()) {
+ parserResult.setTrustedCredential(true);
+ }
 }
 }
 parserResult.setSecretKey(secretKey);
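Review bot: `samlKi` is dereferenced at `X509Certificate[] foundCerts = samlKi.getCerts();` without a null check, while the SecurityTokenRefSTRParser hunk in this commit guards `samlKi == null` after the same `processSAMLKeyInfoFromSecurityTokenReference` call; the EncryptedKeySTRParser hunk has the same unguarded dereference. Whether the processor can return null is not visible here, but if it can, this path ends in a NullPointerException instead of a WSSecurityException. Adding `if (samlKi == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken", new Object[] {"No Key Info"}); }` before the first use would make the three parsers consistent. The enclosing method starts before and ends after this hunk.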
@@ -394,19 +396,22 @@ public class SignatureSTRParser implements STRParser {
 parserResult.setTrustedCredential(true);
 }
 } else {
- samlAssertion = new SamlAssertionWrapper(processedToken);
- samlAssertion.parseSubject(
- new WSSSAMLKeyInfoProcessor(), data, data.getSigVerCrypto()
- );
- STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion.getSaml2() != null, data.getBSPEnforcer());
-
- SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
- X509Certificate[] foundCerts = keyInfo.getCerts();
- if (foundCerts != null && foundCerts.length > 0) {
- parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+ Optional<SAMLKeyInfoProcessor> keyInfoProcessor = data.getWssConfig().getSAMLKeyInfoProcessor();
+ if (keyInfoProcessor.isPresent()) {
+ samlAssertion = new SamlAssertionWrapper(processedToken);
+ samlAssertion.parseSubject(
+ keyInfoProcessor.get(), data, data.getSigVerCrypto()
+ );
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion.getSaml2() != null, data.getBSPEnforcer());
+
+ SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
+ X509Certificate[] foundCerts = keyInfo.getCerts();
+ if (foundCerts != null && foundCerts.length > 0) {
+ parserResult.setCerts(new X509Certificate[]{foundCerts[0]});
+ }
+ secretKey = keyInfo.getSecret();
+ principal = createPrincipalFromSAML(samlAssertion, parserResult);
 }
- secretKey = keyInfo.getSecret();
- principal = createPrincipalFromSAML(samlAssertion, parserResult);
 }
 } else if (el.equals(WSConstants.ENCRYPTED_KEY)) {
 STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
diff --git a/ws-security-saml/src/main/resources/META-INF/services/org.apache.wss4j.common.saml.SAMLKeyInfoProcessor b/ws-security-saml/src/main/resources/META-INF/services/org.apache.wss4j.common.saml.SAMLKeyInfoProcessor
new file mode 100644
index 000000000..bc0a6c23b
--- /dev/null
+++ b/ws-security-saml/src/main/resources/META-INF/services/org.apache.wss4j.common.saml.SAMLKeyInfoProcessor
@@ -0,0 +1 @@
+org.apache.wss4j.common.saml.message.WSSSAMLKeyInfoProcessor
