Author: shankar
Date: Fri Oct  3 02:30:38 2008
New Revision: 701336

URL: http://svn.apache.org/viewvc?rev=701336&view=rev
Log:
implementation for issue RAMPARTC-114 and RAMPARTC-113
Fixing Rahas fault messages

Modified:
    webservices/rampart/trunk/c/include/rampart_constants.h
    webservices/rampart/trunk/c/include/rampart_context.h
    webservices/rampart/trunk/c/include/rampart_timestamp_token.h
    webservices/rampart/trunk/c/include/rampart_util.h
    webservices/rampart/trunk/c/samples/sct_provider/sct_provider_stored_key.c
    webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-policy.xml
    webservices/rampart/trunk/c/samples/secpolicy/scenario1/services.xml
    webservices/rampart/trunk/c/src/omxmlsec/axiom.c
    webservices/rampart/trunk/c/src/rahas/rahas_in_handler.c
    webservices/rampart/trunk/c/src/rahas/rahas_request_processor.c
    webservices/rampart/trunk/c/src/util/rampart_context.c
    webservices/rampart/trunk/c/src/util/rampart_engine.c
    webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
    webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
    webservices/rampart/trunk/c/src/util/rampart_timestamp_token.c
    webservices/rampart/trunk/c/src/util/rampart_username_token.c
    webservices/rampart/trunk/c/src/util/rampart_util.c

Modified: webservices/rampart/trunk/c/include/rampart_constants.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_constants.h?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_constants.h (original)
+++ webservices/rampart/trunk/c/include/rampart_constants.h Fri Oct  3 02:30:38 
2008
@@ -62,6 +62,7 @@
     /*Default values*/
 #define RAMPART_DEFAULT_KT_ALGO OXS_DEFAULT_KT_ALGO_HREF
 #define RAMPART_STR_DEFAULT OXS_STR_DEFAULT
+#define RAMPART_TIMESTAMP_TOKEN_DEFAULT_TIME_TO_LIVE 300
 
     /* rampart element names*/
 #define RAMPART_SECURITY "Security"
@@ -109,6 +110,8 @@
 #define RAMPART_FAULT_FAILED_AUTHENTICATION         "wsse:FailedAuthentication"
 #define RAMPART_FAULT_FAILED_CHECK                  "wsse:FailedCheck"
 #define RAMPART_FAULT_SECURITY_TOKEN_UNAVAILABLE    
"wsse:SecurityTokenUnavailable"
+#define RAMPART_FAULT_TRUST_REQUEST_FAILED          "wst:RequestFailed"
+#define RAMPART_FAULT_TRUST_REQUEST_INVALID         "wst:InvalidRequest"
 
     /***********fault related strings*********/
 #define RAMPART_FAULT_IN_TIMESTAMP             "wsse:Timestamp"
@@ -119,6 +122,7 @@
 #define RAMPART_FAULT_MSG_REPLAYED             "rampc:Message-Replayed"
 #define RAMPART_FAULT_IN_POLICY                "rampc:Policy"
 
+
     /*Dynamically set values*/
 #define RAMPART_ACTION_PASSWORD "password"
 #define RAMPART_ACTION_ENC_USER_PASSWORD "encUserPassword"

Modified: webservices/rampart/trunk/c/include/rampart_context.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_context.h?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_context.h (original)
+++ webservices/rampart/trunk/c/include/rampart_context.h Fri Oct  3 02:30:38 
2008
@@ -357,9 +357,23 @@
      */
 
     AXIS2_EXTERN axis2_status_t AXIS2_CALL
-    rampart_context_set_ttl(rampart_context_t *rampart_context,
-                            const axutil_env_t *env,
-                            int ttl);
+    rampart_context_set_ttl(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env,
+        int ttl);
+
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_need_millisecond_precision(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env,
+        axis2_bool_t need_millisecond_precision);
+
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_clock_skew_buffer(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env,
+        int skew_buffer);
+
     /**
      *
      * @param rampart_context
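Review bot: The two setters added after `rampart_context_set_ttl` have no doc comment, although the declarations around them in this header carry a `/** ... @param rampart_context` block; the same holds for the getters added in the hunk at -584 and the `_from_file` functions added at -1344. For `rampart_context_set_clock_skew_buffer` the comment should state the unit of `skew_buffer` and whether a negative value is accepted, because the value is later passed to timestamp validation as the allowed skew between sender and receiver. A line such as `@param skew_buffer allowed clock skew between sender and receiver, same unit as ttl; must not be negative` would do once the unit is confirmed against the implementation.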
@@ -584,6 +598,17 @@
     rampart_context_get_ttl(
         rampart_context_t *rampart_context,
         const axutil_env_t *env);
+
+    AXIS2_EXTERN axis2_bool_t AXIS2_CALL
+    rampart_context_get_need_millisecond_precision(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env);
+
+    AXIS2_EXTERN int AXIS2_CALL
+    rampart_context_get_clock_skew_buffer(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env);
+
     /**
      *
      * @param rampart_context
@@ -1344,6 +1369,17 @@
     rampart_context_set_ttl_from_file(
         rampart_context_t *rampart_context,
         const axutil_env_t *env);
+
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_clock_skew_buffer_from_file(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env);
+
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_need_millisecond_precision_from_file(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env);
+
     /**
      *
      * @param rampart_context

Modified: webservices/rampart/trunk/c/include/rampart_timestamp_token.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_timestamp_token.h?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_timestamp_token.h (original)
+++ webservices/rampart/trunk/c/include/rampart_timestamp_token.h Fri Oct  3 
02:30:38 2008
@@ -34,39 +34,37 @@
 {
 #endif
 
-#define RAMPART_TIMESTAMP_TOKEN_DEFAULT_TIME_TO_LIVE 300
-
 #include <axutil_env.h>
-#include <rampart_constants.h>
-
     /**
      * Builds timestamp token.
      * @param env pointer to environment struct
-     * @param ctx axis2 context
      * @param sec_node security node
-     * @param sec_ns_obj Security namespace object
-     * @param ttl Time to live. The time difference btwn Created and Expired
+     * @param ttl Time to live. The time difference btwn Created and Expired. 
If it is zero or less
+     * than zero, then Expired element will not be created. 
+     * @param with_millisecond shows whether millisecond precision is needed
      * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
      */
-
     axis2_status_t AXIS2_CALL
     rampart_timestamp_token_build(
         const axutil_env_t *env,
         axiom_node_t *sec_node,
-        const  axiom_namespace_t *sec_ns_obj,
-        int ttl);
+        int ttl, 
+        axis2_bool_t with_millisecond);
+
     /**
-     * Validates time stamp token. Validation is based in expiration time of 
the
-     * Expired element.
+     * Validates time stamp token. Validation is based in expiration time of 
the Expired element.
      * @param env pointer to environment struct
+     * @param msg_ctx pointer to message context structure
      * @param ts_node Timestamp node
+     * @param clock_skew_buffer buffer of allowable skew of time between 
sender and receiver
      * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
     */
     axis2_status_t AXIS2_CALL
     rampart_timestamp_token_validate(
         const axutil_env_t *env,
         axis2_msg_ctx_t *msg_ctx,
-        axiom_node_t *ts_node );
+        axiom_node_t *ts_node,
+        int clock_skew_buffer);
 
     /* @} */
 #ifdef __cplusplus
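Review bot: The new `@param ttl` text says that a value of zero or less leaves the Expired element out, but it does not tell the caller that such a timestamp then carries no expiry for the receiver to check. I would add a sentence like `Pass ttl > 0 whenever the receiver is expected to enforce message freshness.` to that comment. The `@param clock_skew_buffer` line should also name its unit and say how a negative value is treated. Both prototypes change their parameter lists in a header under include/, so any caller outside this commit needs the same update.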

Modified: webservices/rampart/trunk/c/include/rampart_util.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_util.h?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_util.h (original)
+++ webservices/rampart/trunk/c/include/rampart_util.h Fri Oct  3 02:30:38 2008
@@ -178,18 +178,20 @@
      * Generates time.
      * User MUST free memory
      * @param ttl Time to live. The time difference between created and 
expired in mili seconds.
+     * @param with_millisecond  shows whether millisecond precision is needed 
or not
      * @return generated time
      **/
     AXIS2_EXTERN axis2_char_t* AXIS2_CALL
     rampart_generate_time(
         const axutil_env_t *env, 
-        int ttl);
+        int ttl, 
+        axis2_bool_t with_millisecond);
 
     /**
      * Check if @dt1 < @dt2. if not returns a false
      * @param env pointer to environment struct
-     * @param dt1 date time 1
-     * @param dt2 date time 2
+     * @param dt1 date time 1.
+     * @param dt2 date time 2.
      * @return AXIS2_SUCCESS if dt1 < dt2. AXIS2_FALSE otherwise
      */
     AXIS2_EXTERN axis2_status_t AXIS2_CALL

Modified: 
webservices/rampart/trunk/c/samples/sct_provider/sct_provider_stored_key.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/sct_provider/sct_provider_stored_key.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/sct_provider/sct_provider_stored_key.c 
(original)
+++ webservices/rampart/trunk/c/samples/sct_provider/sct_provider_stored_key.c 
Fri Oct  3 02:30:38 2008
@@ -150,7 +150,7 @@
         if(sct)
         {
             oxs_buffer_t* key_buffer = NULL;
-            axis2_bool_t *free_sctid = AXIS2_FALSE;
+            axis2_bool_t free_sctid = AXIS2_FALSE;
 
             key_buffer = oxs_buffer_create(env);
             oxs_buffer_populate(

Modified: 
webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-policy.xml
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-policy.xml?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-policy.xml 
(original)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-policy.xml 
Fri Oct  3 02:30:38 2008
@@ -31,6 +31,8 @@
             </sp:AsymmetricBinding>
             <rampc:RampartConfig 
xmlns:rampc="http://ws.apache.org/rampart/c/policy";>
                 <rampc:TimeToLive>360</rampc:TimeToLive>
+                               
<rampc:ClockSkewBuffer>60</rampc:ClockSkewBuffer>
+                               
<rampc:PrecisionInMilliseconds>False</rampc:PrecisionInMilliseconds>
             </rampc:RampartConfig>
         </wsp:All>
     </wsp:ExactlyOne>

Modified: webservices/rampart/trunk/c/samples/secpolicy/scenario1/services.xml
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario1/services.xml?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario1/services.xml 
(original)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario1/services.xml Fri 
Oct  3 02:30:38 2008
@@ -44,6 +44,8 @@
                 </sp:AsymmetricBinding>
                 <rampc:RampartConfig 
xmlns:rampc="http://ws.apache.org/rampart/c/policy";>
                     <!--rampc:TimeToLive>360</rampc:TimeToLive-->
+                                       
<rampc:ClockSkewBuffer>60</rampc:ClockSkewBuffer>
+                                       
<rampc:PrecisionInMilliseconds>True</rampc:PrecisionInMilliseconds>
                 </rampc:RampartConfig>
             </wsp:All>
         </wsp:ExactlyOne>

Modified: webservices/rampart/trunk/c/src/omxmlsec/axiom.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/axiom.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/axiom.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/axiom.c Fri Oct  3 02:30:38 2008
@@ -58,11 +58,12 @@
 }
 
 AXIS2_EXTERN int AXIS2_CALL
-oxs_axiom_get_number_of_children_with_qname(const axutil_env_t *env,
-        axiom_node_t* parent,
-        axis2_char_t* local_name,
-        axis2_char_t* ns_uri,
-        axis2_char_t* prefix)
+oxs_axiom_get_number_of_children_with_qname(
+    const axutil_env_t *env,
+    axiom_node_t* parent,
+    axis2_char_t* local_name,
+    axis2_char_t* ns_uri,
+    axis2_char_t* prefix)
 {
 
     axutil_qname_t *qname = NULL;

Modified: webservices/rampart/trunk/c/src/rahas/rahas_in_handler.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/rahas/rahas_in_handler.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/rahas/rahas_in_handler.c (original)
+++ webservices/rampart/trunk/c/src/rahas/rahas_in_handler.c Fri Oct  3 
02:30:38 2008
@@ -24,6 +24,8 @@
 #include <trust_rst.h>
 #include <trust_rstr.h>
 #include <rahas_request_processor.h>
+#include <rampart_handler_util.h>
+#include <rampart_constants.h>
 
 static axis2_status_t
 rahas_send_reply(
@@ -138,6 +140,8 @@
     if(!soap_envelope)
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rahas]SOAP envelope cannot 
be found.");
+        rampart_create_fault_envelope(env, 
RAMPART_FAULT_TRUST_REQUEST_INVALID, 
+            "The request was invalid or malformed", 
RAMPART_FAULT_TRUST_REQUEST_INVALID, msg_ctx);
         return AXIS2_FAILURE;
     }
 
@@ -145,6 +149,8 @@
     if(!soap_body)
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rahas]SOAP body cannot be 
found.");
+        rampart_create_fault_envelope(env, 
RAMPART_FAULT_TRUST_REQUEST_INVALID, 
+            "The request was invalid or malformed", 
RAMPART_FAULT_TRUST_REQUEST_INVALID, msg_ctx);
         return AXIS2_FAILURE;
     }
 
@@ -152,6 +158,8 @@
     if(!body_node)
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rahas]SOAP body node cannot 
be found.");
+        rampart_create_fault_envelope(env, 
RAMPART_FAULT_TRUST_REQUEST_INVALID, 
+            "The request was invalid or malformed", 
RAMPART_FAULT_TRUST_REQUEST_INVALID, msg_ctx);
         return AXIS2_FAILURE;
     }
     
@@ -160,6 +168,8 @@
     {
         /* body node is empty. Secure conversation related messages should 
have a non empty body */
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rahas]SOAP body node is 
empty.");
+        rampart_create_fault_envelope(env, 
RAMPART_FAULT_TRUST_REQUEST_INVALID, 
+            "The request was invalid or malformed", 
RAMPART_FAULT_TRUST_REQUEST_INVALID, msg_ctx);
         return AXIS2_FAILURE;
     }
 
@@ -247,7 +257,9 @@
     engine = axis2_engine_create(env, axis2_msg_ctx_get_conf_ctx(out_msg_ctx, 
env));
     axis2_engine_send(engine, env, out_msg_ctx);
     if(engine)
+    {
         axis2_engine_free(engine, env);
+    }
 
     return AXIS2_SUCCESS;
 
@@ -284,6 +296,8 @@
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
             "[rahas]Cannot create RequestSecurityToken structure. Insufficient 
memory.");
+        rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_FAILED, 
+            "The specified request failed", 
RAMPART_FAULT_TRUST_REQUEST_FAILED, msg_ctx);
         return NULL;
     }
 
@@ -294,6 +308,8 @@
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
             "[rahas]Cannot populate RequestSecurityToken structure. Given 
message might not "
             "be a valid security token request. ");
+        rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_FAILED, 
+            "The specified request failed", 
RAMPART_FAULT_TRUST_REQUEST_FAILED, msg_ctx);
         trust_rst_free(rst, env);
         return NULL;
     }
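Review bot: The fault raised when `rst` cannot be populated uses `RAMPART_FAULT_TRUST_REQUEST_FAILED`, while the log message on the lines just above says the incoming message may not be a valid security token request. That is the case this commit maps to `wst:InvalidRequest` elsewhere, so the call here would be more consistent as `rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_INVALID, "The request was invalid or malformed", RAMPART_FAULT_TRUST_REQUEST_INVALID, msg_ctx);`. The enclosing function starts and ends outside this hunk, so whether the populate step can also fail for server-side reasons is not visible here.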
@@ -303,7 +319,9 @@
     if(!rstr)
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
-            "[rahas]Cannot create RequestSecurityTokenResponse structure. 
Insufficient memory.");
+            "[rahas]Cannot create RequestSecurityTokenResponse structure.");
+        rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_FAILED, 
+            "The specified request failed", 
RAMPART_FAULT_TRUST_REQUEST_FAILED, msg_ctx);
         trust_rst_free(rst, env);
         return NULL;
     }
@@ -320,12 +338,20 @@
     else if(request_type == SECCONV_ACTION_CANCEL)
     {
         /* TODO implement cancel method */
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+            "[rahas]Inidentified security context token request type. "
+            "Only 'issue' is supported.");
+        rampart_create_fault_envelope(env, 
RAMPART_FAULT_TRUST_REQUEST_INVALID, 
+            "The request was invalid or malformed", 
RAMPART_FAULT_TRUST_REQUEST_INVALID, msg_ctx);
+        status = AXIS2_FAILURE;
     }
     else
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
             "[rahas]Inidentified security context token request type. "
             "Only 'issue' and 'cancel' are supported.");
+        rampart_create_fault_envelope(env, 
RAMPART_FAULT_TRUST_REQUEST_INVALID, 
+            "The request was invalid or malformed", 
RAMPART_FAULT_TRUST_REQUEST_INVALID, msg_ctx);
         status = AXIS2_FAILURE;
     }
 
@@ -340,6 +366,13 @@
 
     /* build the rstr node */
     rstr_node = trust_rstr_build_rstr(rstr, env, NULL);
+    if(!rstr_node)
+    {
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+            "[rahas]Creation of RequestSecurityTokenResponse node failed.");
+        rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_FAILED, 
+            "The specified request failed", 
RAMPART_FAULT_TRUST_REQUEST_FAILED, msg_ctx);
+    }
 
     /* clear stuff */
     trust_rstr_free(rstr, env);
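Review bot: When `trust_rstr_build_rstr` returns NULL, the new branch logs and creates the fault but neither returns nor records a failure status, so execution continues into the cleanup below with `rstr_node` still NULL. The rest of the function is outside the hunk; if it returns `rstr_node`, the caller must treat NULL as "fault already set" and must not try to send a reply. A short comment in the branch, for example `/* rstr_node stays NULL; caller must not build a reply from it */`, or an explicit failure status, would make that contract visible.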

Modified: webservices/rampart/trunk/c/src/rahas/rahas_request_processor.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/rahas/rahas_request_processor.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/rahas/rahas_request_processor.c (original)
+++ webservices/rampart/trunk/c/src/rahas/rahas_request_processor.c Fri Oct  3 
02:30:38 2008
@@ -26,6 +26,7 @@
 #include <openssl_hmac.h>
 #include <oxs_utility.h>
 #include <openssl_util.h>
+#include <rampart_handler_util.h>
 
 static security_context_token_t *
 rahas_create_security_context_token(
@@ -100,6 +101,8 @@
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
             "[rahas]Cannot issue SecurityContextToken because security token 
service policy "
             "could not be found.");
+        rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_FAILED, 
+            "The specified request failed", 
RAMPART_FAULT_TRUST_REQUEST_FAILED, msg_ctx);
         return AXIS2_FAILURE;
     }
 
@@ -109,6 +112,8 @@
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
             "[rahas]Cannot issue SecurityContextToken because parameter 
validation failed.");
+        rampart_create_fault_envelope(env, 
RAMPART_FAULT_TRUST_REQUEST_INVALID, 
+            "The request was invalid or malformed", 
RAMPART_FAULT_TRUST_REQUEST_INVALID, msg_ctx);
         return AXIS2_FAILURE;
     }
 
@@ -128,6 +133,8 @@
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
             "[rahas]Cannot issue SecurityContextToken because SCT creation 
failed.");
+        rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_FAILED, 
+            "The specified request failed", 
RAMPART_FAULT_TRUST_REQUEST_FAILED, msg_ctx);
         return AXIS2_FAILURE;
     }
 
@@ -147,6 +154,8 @@
     if(rahas_store_security_context_token(env, sct, msg_ctx) != AXIS2_SUCCESS)
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rahas]Cannot store 
SecurityContextToken.");
+        rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_FAILED, 
+            "The specified request failed", 
RAMPART_FAULT_TRUST_REQUEST_FAILED, msg_ctx);
         security_context_token_free(sct, env);
         return AXIS2_FAILURE;
     }
@@ -157,6 +166,8 @@
     {
         AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
             "[rahas]Cannot issue SecurityContextToken because response 
createion failed.");
+        rampart_create_fault_envelope(env, RAMPART_FAULT_TRUST_REQUEST_FAILED, 
+            "The specified request failed", 
RAMPART_FAULT_TRUST_REQUEST_FAILED, msg_ctx);
         security_context_token_free(sct, env);
         return AXIS2_FAILURE;
     }

Modified: webservices/rampart/trunk/c/src/util/rampart_context.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_context.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_context.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_context.c Fri Oct  3 02:30:38 
2008
@@ -41,6 +41,8 @@
     password_callback_fn pwcb_function;
     rampart_is_replayed_fn is_replayed_function;
     int ttl;
+    axis2_bool_t need_millisecond_precision;
+    int clock_skew_buffer;
     axis2_char_t *rd_val;
     int ref;
     oxs_key_mgr_t *key_mgr;
@@ -189,6 +191,8 @@
     rampart_context->pwcb_function = NULL;
     rampart_context->is_replayed_function = NULL;
     rampart_context->ttl = 300;
+    rampart_context->clock_skew_buffer = 0;
+    rampart_context->need_millisecond_precision = AXIS2_TRUE;
     rampart_context->rd_val = NULL;
     rampart_context->password_type = NULL;
     rampart_context->saml_tokens = NULL;
@@ -567,6 +571,42 @@
     return AXIS2_SUCCESS;
 }
 
+AXIS2_EXTERN axis2_bool_t AXIS2_CALL
+rampart_context_get_need_millisecond_precision(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env)
+{
+    return rampart_context->need_millisecond_precision;
+}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_context_set_need_millisecond_precision(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env,
+    axis2_bool_t need_millisecond_precision)
+{
+    rampart_context->need_millisecond_precision = need_millisecond_precision;
+    return AXIS2_SUCCESS;
+}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_context_set_clock_skew_buffer(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env,
+    int skew_buffer)
+{
+    rampart_context->clock_skew_buffer = skew_buffer;
+    return AXIS2_SUCCESS;
+}
+
+AXIS2_EXTERN int AXIS2_CALL
+rampart_context_get_clock_skew_buffer(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env)
+{
+    return rampart_context->clock_skew_buffer;
+}
+
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
 rampart_context_set_rd_val(rampart_context_t *rampart_context,
                            const axutil_env_t *env,
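Review bot: `rampart_context_set_clock_skew_buffer` stores any `int` it is given, including a negative one, and the getter added next to it returns that value unchanged for use in timestamp validation. How a negative skew behaves in `rampart_timestamp_token_validate` is not visible in this hunk, so rejecting it at the setter is the safer contract: `if(skew_buffer < 0) return AXIS2_FAILURE;` before the assignment. An upper bound is a deployment decision, but it is worth documenting that a larger buffer keeps already-expired messages acceptable for longer.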
@@ -2002,15 +2042,54 @@
         return AXIS2_FAILURE;
 
     time_to_live = rp_rampart_config_get_time_to_live(config,env);
-    if(!time_to_live)
-        rampart_context->ttl = 300;
-    else
+    if(time_to_live)
         rampart_context->ttl = axutil_atoi(time_to_live);
 
     return AXIS2_SUCCESS;
 }
 
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_context_set_clock_skew_buffer_from_file(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env)
+{
+    rp_rampart_config_t *config = NULL;
+    axis2_char_t *clock_skew_buffer = NULL;
+    config = rp_secpolicy_get_rampart_config(rampart_context->secpolicy,env);
+    if(!config)
+        return AXIS2_FAILURE;
+
+    clock_skew_buffer = rp_rampart_config_get_clock_skew_buffer(config,env);
+    if(clock_skew_buffer)
+        rampart_context->clock_skew_buffer = axutil_atoi(clock_skew_buffer);
+
+    return AXIS2_SUCCESS;
+}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_context_set_need_millisecond_precision_from_file(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env)
+{
+    rp_rampart_config_t *config = NULL;
+    axis2_char_t *need_millisecond = NULL;
+    config = rp_secpolicy_get_rampart_config(rampart_context->secpolicy,env);
+    if(!config)
+        return AXIS2_FAILURE;
+
+    need_millisecond = 
rp_rampart_config_get_need_millisecond_precision(config,env);
+    if(need_millisecond)
+    {
+        if(!axutil_strcasecmp(need_millisecond, "TRUE"))
+            rampart_context->need_millisecond_precision = AXIS2_TRUE;
+        else
+            rampart_context->need_millisecond_precision = AXIS2_FALSE;
+    }
+
+    return AXIS2_SUCCESS;
+}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
 rampart_context_set_rd_val_from_file(
     rampart_context_t *rampart_context,
     const axutil_env_t *env)
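Review bot: `rampart_context_set_clock_skew_buffer_from_file` converts the policy string with `axutil_atoi` and stores the result unchecked, so a mistyped or negative `ClockSkewBuffer` is accepted silently; the error behaviour of `axutil_atoi` is not shown here, but if it follows `atoi` a non-numeric value becomes 0. The same applies to the `TimeToLive` line kept as context above, and the header comment in this commit says a ttl of zero or less omits the Expired element, so a bad value there would quietly produce timestamps without an expiry. `rampart_context_set_need_millisecond_precision_from_file` likewise maps every string other than "TRUE" to false, typos included. I would parse the number strictly and fail configuration loading on bad input, as sketched below (it needs the standard headers for `strtol`, `errno` and `INT_MAX`).
```c
    clock_skew_buffer = rp_rampart_config_get_clock_skew_buffer(config,env);
    if(clock_skew_buffer)
    {
        char *end = NULL;
        long skew = 0;

        errno = 0;
        skew = strtol(clock_skew_buffer, &end, 10);
        if(end == clock_skew_buffer || *end != '\0' || errno == ERANGE
            || skew < 0 || skew > INT_MAX)
        {
            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
                "[rampart]ClockSkewBuffer must be a non-negative integer.");
            return AXIS2_FAILURE;
        }
        rampart_context->clock_skew_buffer = (int)skew;
    }
    /* … unchanged: return AXIS2_SUCCESS and the millisecond-precision function … */
```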

Modified: webservices/rampart/trunk/c/src/util/rampart_engine.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_engine.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_engine.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_engine.c Fri Oct  3 02:30:38 
2008
@@ -435,6 +435,16 @@
         return AXIS2_FAILURE;
     }
 
+    if(rampart_context_set_clock_skew_buffer_from_file(rampart_context,env) != 
AXIS2_SUCCESS)
+    {
+        return AXIS2_FAILURE;
+    }
+
+    
if(rampart_context_set_need_millisecond_precision_from_file(rampart_context,env)!=
 AXIS2_SUCCESS)
+    {
+        return AXIS2_FAILURE;
+    }
+
     if(rampart_context_set_rd_val_from_file(rampart_context,env) != 
AXIS2_SUCCESS)
     {
         return AXIS2_FAILURE;

Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c Fri Oct  
3 02:30:38 2008
@@ -468,13 +468,15 @@
     if(rampart_context_is_include_timestamp(rampart_context,env))
     {
         int ttl = -1;
+        axis2_bool_t need_millisecond = AXIS2_TRUE;
+
         AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart][shb] Building 
Timestamp Token");
         AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart][shb] Using default 
timeToLive value %d",
                        RAMPART_TIMESTAMP_TOKEN_DEFAULT_TIME_TO_LIVE);
         ttl = rampart_context_get_ttl(rampart_context,env);
+        need_millisecond = 
rampart_context_get_need_millisecond_precision(rampart_context, env);
 
-        status = rampart_timestamp_token_build(env,
-                                               sec_node, sec_ns_obj, ttl);
+        status = rampart_timestamp_token_build(env, sec_node, ttl, 
need_millisecond);
         if (status == AXIS2_FAILURE)
         {
             AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,

Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c 
(original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c Fri Oct 
 3 02:30:38 2008
@@ -481,8 +481,9 @@
 }
     
 static axis2_bool_t
-rampart_shp_validate_qnames(const axutil_env_t *env,
-                            axiom_node_t *node)
+rampart_shp_validate_qnames(
+    const axutil_env_t *env,
+    axiom_node_t *node)
 
 {
     axiom_element_t *node_ele = NULL;
@@ -490,8 +491,6 @@
     axutil_qname_t *node_qname = NULL;
     axis2_char_t *local_name = NULL;
 
-    AXIS2_ENV_CHECK(env,AXIS2_FALSE);
-
     node_ele = axiom_node_get_data_element(node, env);
     if(!node_ele)
         return AXIS2_FALSE;
@@ -573,63 +572,45 @@
 }
 
 static axis2_status_t
-rampart_shp_process_timestamptoken(const axutil_env_t *env,
-                                   axis2_msg_ctx_t *msg_ctx,
-                                   rampart_context_t *rampart_context,
-                                   axiom_node_t *sec_node)
+rampart_shp_process_timestamptoken(
+    const axutil_env_t *env,
+    axis2_msg_ctx_t *msg_ctx,
+    rampart_context_t *rampart_context,
+    axiom_node_t *ts_node)
 {
     axis2_status_t valid_ts = AXIS2_FAILURE;
-    axiom_node_t *ts_node = NULL;
-    ts_node = oxs_axiom_get_first_child_node_by_name(env, sec_node, 
RAMPART_SECURITY_TIMESTAMP, OXS_WSU_XMLNS, NULL);
-    if(!ts_node)
-    {
-        if(rampart_context_is_include_timestamp(rampart_context, env))
-        {
-            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                            "[rampart][shp] Timestamp is not in the message");
-            rampart_create_fault_envelope(env, 
RAMPART_FAULT_SECURITY_TOKEN_UNAVAILABLE,
-                                          "Timestamp is not in the message ", 
RAMPART_FAULT_IN_TIMESTAMP, msg_ctx);
-            return AXIS2_FAILURE;
-        }
 
-        else
-        {
-            return AXIS2_SUCCESS;
-        }
-    }
-    else if(!rampart_context_is_include_timestamp(rampart_context, env))
+    if(!rampart_context_is_include_timestamp(rampart_context, env))
     {
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                        "[rampart][shp] Timestamp should not be in the 
message.");
-        rampart_create_fault_envelope(env, 
RAMPART_FAULT_INVALID_SECURITY_TOKEN,
-                                      "Timestamp should not be in the message 
", RAMPART_FAULT_IN_TIMESTAMP, msg_ctx);
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Timestamp should not 
be in the message.");
+        rampart_create_fault_envelope(env, 
RAMPART_FAULT_INVALID_SECURITY_TOKEN, 
+            "Timestamp should not be in the message ", 
RAMPART_FAULT_IN_TIMESTAMP, msg_ctx);
         return AXIS2_FAILURE;
     }
     else
     {
         if(!rampart_shp_validate_qnames(env, ts_node))
         {
-            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                            "[rampart][shp] Error in the Timestamp element.");
+            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+                "[rampart]QName for given timestamp is not valid.");
             rampart_create_fault_envelope(env, 
RAMPART_FAULT_INVALID_SECURITY_TOKEN,
-                                          "Error in the Timestamp Element. ", 
RAMPART_FAULT_IN_TIMESTAMP, msg_ctx);
+                "Error in the Timestamp Element. ", 
RAMPART_FAULT_IN_TIMESTAMP, msg_ctx);
             return AXIS2_FAILURE;
         }
 
-
-        valid_ts = rampart_timestamp_token_validate(env, msg_ctx, ts_node);
+        valid_ts = rampart_timestamp_token_validate(
+            env, msg_ctx, ts_node, 
rampart_context_get_clock_skew_buffer(rampart_context, env));
 
         if (valid_ts)
         {
-            AXIS2_LOG_INFO(env->log, "[rampart][scp] Succesfully validated the 
timestamp ");
+            AXIS2_LOG_INFO(env->log, "[rampart]Succesfully validated the 
timestamp ");
             return AXIS2_SUCCESS;
         }
         else
         {
-            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                            "[rampart][scp] Timestamp is not valid");
+            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Timestamp is not 
valid");
             rampart_create_fault_envelope(env, RAMPART_FAULT_FAILED_CHECK,
-                                          "Timestamp is not valid", 
RAMPART_FAULT_IN_TIMESTAMP, msg_ctx);
+                "Timestamp is not valid", RAMPART_FAULT_IN_TIMESTAMP, msg_ctx);
             return AXIS2_FAILURE;
         }
     }
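Review bot: After this change `rampart_shp_process_timestamptoken` no longer rejects a message that lacks a Timestamp when the policy requires one; the removed branch raised `wsse:SecurityTokenUnavailable` for that case, and the new body only runs once the caller already holds a `ts_node`. The caller is outside this hunk, so it should be confirmed that the header loop, or a check after it, still fails the message when `rampart_context_is_include_timestamp` is true and no Timestamp element was seen; otherwise the freshness check is simply skipped for such messages. The function also hands `ts_node` to `rampart_shp_validate_qnames` without a NULL test, and a guard such as `if(!ts_node) return AXIS2_FAILURE;` at the top would keep the earlier defensive behaviour.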
@@ -1833,17 +1814,18 @@
 /*Public functions*/
 
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
-rampart_shp_process_sec_header(const axutil_env_t *env,
-                            axis2_msg_ctx_t *msg_ctx,
-                            rampart_context_t *rampart_context,
-                            axiom_soap_envelope_t *soap_envelope,
-                            axiom_node_t *sec_node)
+rampart_shp_process_sec_header(
+    const axutil_env_t *env,
+    axis2_msg_ctx_t *msg_ctx,
+    rampart_context_t *rampart_context,
+    axiom_soap_envelope_t *soap_envelope,
+    axiom_node_t *sec_node)
 {
     axiom_node_t *cur_node = NULL;
     axis2_status_t status = AXIS2_FAILURE;
-    axis2_bool_t first_signature= AXIS2_TRUE;
+    axis2_bool_t first_signature = AXIS2_TRUE;
 
-    AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart][shp] Processing 
security header in Strict layout");
+    AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart]Processing security 
header in Strict layout");
 
     cur_node = axiom_node_get_first_child(sec_node, env);
 
@@ -1851,102 +1833,123 @@
     while(cur_node)
     {
         axis2_char_t *cur_local_name = NULL;
-        
         cur_local_name = axiom_util_get_localname(cur_node, env);
-        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart][shp] Processing 
security header element %s", cur_local_name);
+        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, 
+            "[rampart]Processing security header element %s", cur_local_name);
 
-        if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_KEY))
+        if(!axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_KEY))
         {
-            status = rampart_shp_process_encrypted_key(env, msg_ctx, 
rampart_context, soap_envelope, sec_node, cur_node);    
+            status = rampart_shp_process_encrypted_key(
+                env, msg_ctx, rampart_context, soap_envelope, sec_node, 
cur_node);    
         }
-        else if(0 == axutil_strcmp(cur_local_name, 
OXS_NODE_SECURITY_CONTEXT_TOKEN))
+        else if(!axutil_strcmp(cur_local_name, 
OXS_NODE_SECURITY_CONTEXT_TOKEN))
         {
-            status = rampart_shp_process_security_context_token(env, cur_node, 
rampart_context, msg_ctx);
+            status = rampart_shp_process_security_context_token(
+                env, cur_node, rampart_context, msg_ctx);
         }
-        else if(0 == axutil_strcmp(cur_local_name, RAMPART_SECURITY_TIMESTAMP))
+        else if(!axutil_strcmp(cur_local_name, RAMPART_SECURITY_TIMESTAMP))
         {
-            status = rampart_shp_process_timestamptoken(env, msg_ctx, 
rampart_context, sec_node);
+            status = rampart_shp_process_timestamptoken(env, msg_ctx, 
rampart_context, cur_node);
         }
-        else if(0 == axutil_strcmp(cur_local_name, 
RAMPART_SECURITY_USERNAMETOKEN))
+        else if(!axutil_strcmp(cur_local_name, RAMPART_SECURITY_USERNAMETOKEN))
         {
             status = rampart_shp_process_usernametoken(env, msg_ctx, 
rampart_context, sec_node);
 
         }
-        else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE))
+        else if(!axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE))
         {
             if(first_signature)
             {
-                status = rampart_shp_process_signature(env, msg_ctx, 
rampart_context, soap_envelope, sec_node, cur_node);
+                status = rampart_shp_process_signature(
+                    env, msg_ctx, rampart_context, soap_envelope, sec_node, 
cur_node);
                 first_signature = AXIS2_FALSE;
             }
             else /*endorsing*/
             {
-                status = rampart_shp_process_asym_binding_signature(env, 
msg_ctx, rampart_context, soap_envelope, sec_node, cur_node, AXIS2_TRUE);
+                status = rampart_shp_process_asym_binding_signature(
+                    env, msg_ctx, rampart_context, soap_envelope, sec_node, 
cur_node, AXIS2_TRUE);
                 if(AXIS2_SUCCESS == status)
                 {
                     axis2_char_t *sig_val = NULL; 
                     axiom_node_t *sig_val_node = NULL;
-                    sig_val_node = oxs_axiom_get_first_child_node_by_name(env, 
cur_node, OXS_NODE_SIGNATURE_VALUE, OXS_DSIG_NS, OXS_DS );
+                    sig_val_node = oxs_axiom_get_first_child_node_by_name(
+                        env, cur_node, OXS_NODE_SIGNATURE_VALUE, OXS_DSIG_NS, 
OXS_DS );
                     sig_val = oxs_token_get_signature_value(env, sig_val_node);
-                    rampart_set_security_processed_result(env, msg_ctx, 
RAMPART_SPR_ENDORSED_VALUE, sig_val);
+                    rampart_set_security_processed_result(
+                        env, msg_ctx, RAMPART_SPR_ENDORSED_VALUE, sig_val);
                 }
             }
         }
-        else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_REFERENCE_LIST))
+        else if(!axutil_strcmp(cur_local_name, OXS_NODE_REFERENCE_LIST))
         {
-            status = rampart_shp_process_reference_list(env, msg_ctx, 
rampart_context, soap_envelope, sec_node, cur_node);
+            status = rampart_shp_process_reference_list(
+                env, msg_ctx, rampart_context, soap_envelope, sec_node, 
cur_node);
         }
-        else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_DERIVED_KEY_TOKEN))
+        else if(!axutil_strcmp(cur_local_name, OXS_NODE_DERIVED_KEY_TOKEN))
         {
             /* We need to extract this and store in the rampart context*/
-            status = rampart_shp_process_derived_key(env, msg_ctx,  
rampart_context, sec_node, cur_node);
+            status = rampart_shp_process_derived_key(
+                env, msg_ctx,  rampart_context, sec_node, cur_node);
         }
-        else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_DATA))
+        else if(!axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_DATA))
         {
-            /*We do nothing. But this is possible when a security header is 
Encrypted. But it would be decrypted thru a ref list*/
+            /* We do nothing. But this is possible when a security header is 
Encrypted. 
+             * But it would be decrypted thru a ref list */
             status = AXIS2_SUCCESS;
         }
-        else if(0 == axutil_strcmp(cur_local_name, 
OXS_NODE_SIGNATURE_CONFIRMATION))
+        else if(!axutil_strcmp(cur_local_name, 
OXS_NODE_SIGNATURE_CONFIRMATION))
         {
-            status = rampart_shp_process_signature_confirmation(env, msg_ctx,  
rampart_context,  cur_node);
+            status = rampart_shp_process_signature_confirmation(
+                env, msg_ctx,  rampart_context,  cur_node);
         }
-        else if(0 == axutil_strcmp(cur_local_name, 
OXS_NODE_BINARY_SECURITY_TOKEN))
+        else if(!axutil_strcmp(cur_local_name, OXS_NODE_BINARY_SECURITY_TOKEN))
         {
             /*We do nothing.*/
             status = AXIS2_SUCCESS;
-        }else if(0 == axutil_strcmp(cur_local_name, OXS_NODE_SAML_ASSERTION)){
-            status = rampart_shp_process_saml_token(env, msg_ctx, 
rampart_context, cur_node);
-                
-        }else if(0 == axutil_strcmp(cur_local_name, 
OXS_NODE_SECURITY_TOKEN_REFRENCE)){
+        }
+        else if(!axutil_strcmp(cur_local_name, OXS_NODE_SAML_ASSERTION))
+        {
+            status = rampart_shp_process_saml_token(env, msg_ctx, 
rampart_context, cur_node); 
+        }
+        else if(!axutil_strcmp(cur_local_name, 
OXS_NODE_SECURITY_TOKEN_REFRENCE))
+        {
             /*We do nothing.*/
             status = AXIS2_SUCCESS;
-        }else{
-            AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart][shp] Unknown 
security header %s", cur_local_name);
-            status = AXIS2_SUCCESS;
+        }
+        else
+        {
+            /* if the security header is unknown, we should not continue. */
+            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+                "[rampart]Unknown security header %s", cur_local_name);
+            status = AXIS2_FAILURE;
         }
 
         if(status != AXIS2_SUCCESS)
         {
-             AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] %s 
processing failed", cur_local_name);
+             AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+                 "[rampart]%s processing failed", cur_local_name);
              return AXIS2_FAILURE;
         }
 
-        /*Get next node*/
+        /* Get next node */
         cur_node = axiom_node_get_next_sibling(cur_node, env);
     }/*Eof while loop*/
             
     AXIS2_LOG_INFO(env->log, "Security header processing done");
+    
     /*Now detect replays*/
-    status = rampart_shp_detect_replays(env, msg_ctx, rampart_context,  
soap_envelope, sec_node); 
-    if(status != AXIS2_SUCCESS){
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] A replay 
detected");
+    status = rampart_shp_detect_replays(env, msg_ctx, rampart_context, 
soap_envelope, sec_node); 
+    if(status != AXIS2_SUCCESS)
+    {
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Message replay 
detected.");
         return AXIS2_FAILURE;
     }
 
-    /*Now validate security policies, those cannot be checked on the fly*/
+    /* Now validate security policies, those cannot be checked on the fly */
     status = rampart_pv_validate_sec_header(env, rampart_context, sec_node, 
msg_ctx);
-    if(status != AXIS2_SUCCESS){
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Security 
policy validation failed");
+    if(status != AXIS2_SUCCESS)
+    {
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Security policy 
validation failed.");
         return AXIS2_FAILURE;
     }
     return AXIS2_SUCCESS;
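Review bot: The new fail-closed `else` branch is reached by anything the `axutil_strcmp` chain does not match, which would include a child for which `axiom_util_get_localname` yields NULL (presumably a text or comment node between header elements; not confirmed from this hunk), and the two `AXIS2_LOG_ERROR` calls would then format that NULL with `%s`. If such nodes can occur, skip them before the chain with `if(!cur_local_name) { cur_node = axiom_node_get_next_sibling(cur_node, env); continue; }` so that only unrecognised elements are rejected. Separately, the chain compares the local name alone, so the three no-op branches (`OXS_NODE_ENCRYPTED_DATA`, `OXS_NODE_BINARY_SECURITY_TOKEN`, `OXS_NODE_SECURITY_TOKEN_REFRENCE`) return `AXIS2_SUCCESS` for an element of that name in any namespace; a namespace check there would make the new rejection of unknown headers hold. The function's signature is in the previous hunk and its closing brace lies after this one.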

Modified: webservices/rampart/trunk/c/src/util/rampart_timestamp_token.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_timestamp_token.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_timestamp_token.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_timestamp_token.c Fri Oct  3 
02:30:38 2008
@@ -15,27 +15,27 @@
  * limitations under the License.
  */
 
-#include <axutil_qname.h>
-#include <axis2_svc.h>
-#include <axiom_soap_header.h>
-#include <axiom_soap_body.h>
-#include <axiom_soap_header_block.h>
-#include <axis2_endpoint_ref.h>
-#include <axutil_property.h>
 #include <rampart_constants.h>
-#include <rampart_crypto_util.h>
 #include <rampart_util.h>
 #include <rampart_timestamp_token.h>
 #include <rampart_sec_processed_result.h>
 #include <oxs_axiom.h>
 
-
+/**
+ * Builds timestamp token.
+ * @param env pointer to environment struct
+ * @param sec_node security node
+ * @param ttl Time to live. The time difference btwn Created and Expired. If 
it is zero or less
+ * than zero, then Expired element will not be created. 
+ * @param with_millisecond shows whether millisecond precision is needed
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+ */
 axis2_status_t AXIS2_CALL
 rampart_timestamp_token_build(
     const axutil_env_t *env,
     axiom_node_t *sec_node,
-    const  axiom_namespace_t *sec_ns_obj,
-    int ttl)
+    int ttl, 
+    axis2_bool_t with_millisecond)
 {
     axiom_node_t *ts_node = NULL;
     axiom_node_t *created_node = NULL;
@@ -47,58 +47,77 @@
     axis2_char_t *expires_val = NULL;
     axiom_namespace_t *wsu_ns_obj = NULL;
 
-    wsu_ns_obj = axiom_namespace_create(env, RAMPART_WSU_XMLNS,
-                                        RAMPART_WSU);
+    wsu_ns_obj = axiom_namespace_create(env, RAMPART_WSU_XMLNS, RAMPART_WSU);
+    if(!wsu_ns_obj)
+    {
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+            "[rampart]Unable to create %s namespace.", RAMPART_WSU);
+        return AXIS2_FAILURE;
+    }
+
+    ts_ele = axiom_element_create(env, sec_node, RAMPART_SECURITY_TIMESTAMP, 
wsu_ns_obj, &ts_node);
+    if(!ts_ele)
+    {
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Timestamp element 
creation failed.");
+        axiom_namespace_free(wsu_ns_obj, env);
+        return AXIS2_FAILURE;
+    }
 
-    ts_ele = axiom_element_create(env, sec_node,
-                                  RAMPART_SECURITY_TIMESTAMP,
-                                  wsu_ns_obj,
-                                  &ts_node);
-    if (ts_ele)
-    {
-        /*First we build Created element*/
-        created_ele = axiom_element_create(env, ts_node, 
RAMPART_SECURITY_TIMESTAMP_CREATED, wsu_ns_obj,
-                                           &created_node);
-
-        if (created_ele)
-        {
-            created_val = rampart_generate_time(env, 0);   /*Current time*/
-            axiom_element_set_text(created_ele, env, created_val, 
created_node);
-
-            AXIS2_FREE(env->allocator, created_val);
-            created_val = NULL;
-        }
-
-        /*Then we build Expires element*/
-        /*TIP: If ttl<0 then we dont build the expires element.*/
-        if(ttl<0){
-            AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
-                " [rampart][ts] ttl is %d which is less then zero. Thus we do 
not build the expires element. ");
-            return AXIS2_SUCCESS;
-        }
-        expires_ele = axiom_element_create(env, ts_node, 
RAMPART_SECURITY_TIMESTAMP_EXPIRES, wsu_ns_obj,
-                                           &expires_node);
-
-        if (expires_ele)
-        {
-            expires_val = rampart_generate_time(env, ttl);
-            axiom_element_set_text(expires_ele, env, expires_val, 
expires_node);
+    /* First we build Created element */
+    created_ele = axiom_element_create(
+        env, ts_node, RAMPART_SECURITY_TIMESTAMP_CREATED, wsu_ns_obj, 
&created_node);
+    if(!created_ele)
+    {
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+            "[rampart]Unable to build 'Created' child element of timestamp.");
+        return AXIS2_FAILURE;
+    }
 
-            AXIS2_FREE(env->allocator, expires_val);
-            expires_val = NULL;
+    created_val = rampart_generate_time(env, 0, with_millisecond);   /* 
Current time */
+    axiom_element_set_text(created_ele, env, created_val, created_node);
+    AXIS2_FREE(env->allocator, created_val);
+    created_val = NULL;
 
-        }
+    /* Then we build Expires element */
+    /* TIP: If ttl<0 then we don't build the expires element. */
+    if(ttl <= 0)
+    {
+        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, " [rampart]ttl is %d which is 
less then zero. "
+            "Thus we do not need to build the expires element.", ttl);
+        return AXIS2_SUCCESS;
     }
 
+    expires_ele = axiom_element_create(
+        env, ts_node, RAMPART_SECURITY_TIMESTAMP_EXPIRES, wsu_ns_obj, 
&expires_node);
+    if (!expires_ele)
+    {
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+            "[rampart]Unable to build 'Expires' child element of timestamp.");
+        return AXIS2_FAILURE;
+    }
+    
+    expires_val = rampart_generate_time(env, ttl, with_millisecond);
+    axiom_element_set_text(expires_ele, env, expires_val, expires_node);
+    AXIS2_FREE(env->allocator, expires_val);
+    expires_val = NULL;
 
     return AXIS2_SUCCESS;
-}/*rampart_build_timestamp_token*/
+}
 
+/**
+ * Validates time stamp token. Validation is based in expiration time of the 
Expired element.
+ * @param env pointer to environment struct
+ * @param msg_ctx pointer to message context structure
+ * @param ts_node Timestamp node
+ * @param clock_skew_buffer buffer of allowable skew of time between sender 
and receiver
+ * @return AXIS2_SUCCESS on success, else AXIS2_FAILURE
+*/
 axis2_status_t AXIS2_CALL
 rampart_timestamp_token_validate(
     const axutil_env_t *env,
     axis2_msg_ctx_t *msg_ctx,
-    axiom_node_t *ts_node )
+    axiom_node_t *ts_node, 
+    int clock_skew_buffer)
 {
     axis2_status_t validity = AXIS2_FAILURE;
     axiom_element_t *created_ele = NULL;
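Review bot: The strings returned by `rampart_generate_time` are passed to `axiom_element_set_text` and `AXIS2_FREE` without a NULL check, so a failed time generation would leave a `Created` or `Expires` element with no value while the function still returns `AXIS2_SUCCESS`. Add `if(!created_val) return AXIS2_FAILURE;` after the first call and the same for `expires_val`, each with an error log; `rampart_generate_time` in the rampart_util.c hunk likewise uses `dt` without checking the result of `axutil_date_time_create_with_offset`, where `if(!dt) return NULL;` would fit. The debug text and the `TIP` comment still describe a value below zero although the test is now `ttl <= 0`. The body of `rampart_timestamp_token_build` starts in the previous hunk.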
@@ -110,90 +129,95 @@
     axis2_char_t *expires_val = NULL;
     axis2_char_t *current_val = NULL;
 
-    /*Check: TIMESTAMP MUST contain exactly one CREATED*/
-    if (1 !=  oxs_axiom_get_number_of_children_with_qname(env, ts_node, 
RAMPART_SECURITY_TIMESTAMP_CREATED, RAMPART_WSU_XMLNS, RAMPART_WSU))
+    /* Check: TIMESTAMP MUST contain exactly one CREATED */
+    if(1 !=  oxs_axiom_get_number_of_children_with_qname(
+        env, ts_node, RAMPART_SECURITY_TIMESTAMP_CREATED, RAMPART_WSU_XMLNS, 
RAMPART_WSU))
     {
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][ts]Timestamp not 
valid: Timestamp must contain exactly one Created element");
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+            "[rampart]Timestamp not valid: Timestamp must contain exactly one 
Created element");
         return AXIS2_FAILURE;
     }
 
-    /*Check: TIMESTAMP MUST NOT contain more than one EXPIRES*/
-    if (1 < oxs_axiom_get_number_of_children_with_qname(env, ts_node, 
RAMPART_SECURITY_TIMESTAMP_CREATED, RAMPART_WSU_XMLNS, RAMPART_WSU))
+    /* Check: TIMESTAMP MUST NOT contain more than one EXPIRES */
+    if(1 < oxs_axiom_get_number_of_children_with_qname(
+        env, ts_node, RAMPART_SECURITY_TIMESTAMP_EXPIRES, RAMPART_WSU_XMLNS, 
RAMPART_WSU))
     {
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][ts]Timestamp not 
valid: Timestamp must not contain more than one Expires element");
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,  "[rampart]Timestamp not 
valid: "
+            "Timestamp must not contain more than one Expires element");
         return AXIS2_FAILURE;
     }
 
     ts_ele = axiom_node_get_data_element(ts_node, env);
     if (!ts_ele)
     {
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][ts]Timestamp not 
valid: Cannot find timestamp ");
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+            "[rampart]Timestamp not valid: Cannot find timestamp element.");
         return AXIS2_FAILURE;
     }
 
-    /*First child MUST be the Created element*/
+    /* First child MUST be the Created element */
     created_node = axiom_node_get_first_element(ts_node, env);
     created_ele = (axiom_element_t*)axiom_node_get_data_element(created_node, 
env);
-    if (axutil_strcmp(RAMPART_SECURITY_TIMESTAMP_CREATED ,
-                      axiom_element_get_localname(created_ele, env)) != 0)
+    if (axutil_strcmp(RAMPART_SECURITY_TIMESTAMP_CREATED, 
+        axiom_element_get_localname(created_ele, env)))
     {
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                        "[rampart][ts]Timestamp not valid: Cannot find created 
 in timestamp element. The first element MUST be CREATED");
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Timestamp not valid: 
"
+            "Cannot find Created element in timestamp element. The first 
element MUST be CREATED");
         return AXIS2_FAILURE;
     }
 
     created_val = axiom_element_get_text(created_ele, env, created_node);
     rampart_set_security_processed_result(env, msg_ctx,RAMPART_SPR_TS_CREATED, 
created_val);
-    /*Check whether created is less than current time or not*/
-    current_val = rampart_generate_time(env, 0);
-    validity = rampart_compare_date_time(env, current_val, created_val);
+
+    /* Check whether created is less than current time or not */
+    current_val = rampart_generate_time(env, clock_skew_buffer, AXIS2_TRUE);
+    validity = rampart_compare_date_time(env, current_val, created_val); 
+    AXIS2_FREE(env->allocator, current_val);
     if (validity == AXIS2_SUCCESS)
     {
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][ts]Timestamp not 
valid: Created time is not valid");
-        AXIS2_FREE(env->allocator, current_val);
-        current_val = NULL;
+        /* this means current_val < created_val. Which is not a valid case */
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+            "[rampart]Timestamp not valid: Created time is not valid");
         return AXIS2_FAILURE;
     }
 
-    /*Any TIMESTAMP containing an EXPIRES MUST contain a CREATED that preceeds 
its sibling EXPIRES.*/
+    /* Any TIMESTAMP containing an EXPIRES MUST contain a CREATED that 
preceeds its sibling 
+     * EXPIRES. */
     expires_node =  axiom_node_get_next_sibling(created_node, env);
     if (!expires_node)
     {
-        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
-            "[rampart][ts]Cannot find expires in timestamp element. This is 
not critical. Assume that the message is not expiring");
-        /*If the expire element is not present, it means that the message will 
not be expired.*/
-        AXIS2_FREE(env->allocator, current_val);
-        current_val = NULL;
+        /* If the expire element is not present, it means that the message 
will not be expired. */
+        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,"[rampart]Cannot find expires 
in timestamp element."
+            " This is not critical. Assume that the message is not expiring");
         return AXIS2_SUCCESS;
     }
+
     expires_ele  = (axiom_element_t*)axiom_node_get_data_element(expires_node, 
env);
     if (axutil_strcmp(RAMPART_SECURITY_TIMESTAMP_EXPIRES ,
-                      axiom_element_get_localname(expires_ele, env)) != 0)
+                      axiom_element_get_localname(expires_ele, env)))
     {
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                        "[rampart][ts] Timestamp not valid: The second element 
of timestamp token (if any) MUST be EXPIRES");
-        AXIS2_FREE(env->allocator, current_val);
-        current_val = NULL;
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Timestamp not valid: 
"
+            "The second element of timestamp token (if any) MUST be EXPIRES");
         return AXIS2_FAILURE;
     }
 
-    /*Now the expires element is present. So check whether this has a valid 
timestamp.
-      If not it's a failure*/
+    /* Now the expires element is present. So check whether this has a valid 
timestamp.
+     * If not it's a failure */
     expires_val = axiom_element_get_text(expires_ele, env, expires_node);
     rampart_set_security_processed_result(env, msg_ctx,RAMPART_SPR_TS_EXPIRES, 
expires_val);
 
-    /*Check whether time has expired or not*/
-    validity = rampart_compare_date_time(env, current_val, expires_val);
-    AXIS2_FREE(env->allocator, current_val);
-    current_val = NULL;
+    /* Check whether time has expired or not */
+    validity = rampart_compare_date_time(env, created_val, expires_val);
     if (validity == AXIS2_FAILURE)
     {
-        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                        "[rampart][ts]Timestamp not valid: Timestamp token has 
expired");
+        /* this means created_value > expires_value. Which is not valid */
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+            "[rampart]Timestamp not valid: Timestamp token has expired");
         return AXIS2_FAILURE;
     }
-    AXIS2_LOG_INFO(env->log, "[rampart][ts] Timstamp is valid");
+
+    AXIS2_LOG_INFO(env->log, "[rampart]Timstamp is valid");
+
     rampart_set_security_processed_result(env, msg_ctx,RAMPART_SPR_TS_CHECKED, 
RAMPART_YES);
-    /*free memory for qnames*/
-    return validity;
+    return AXIS2_SUCCESS;
 }
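Review bot: On the new side nothing compares `expires_val` with the current time: `current_val` is freed right after the `Created` check, and the final `rampart_compare_date_time(env, created_val, expires_val)` only establishes that `Created` precedes `Expires`. A token whose `Expires` is already in the past therefore passes validation as long as its `Created` is earlier still, which removes the freshness bound that timestamp checking and replay detection depend on, and the "Timestamp token has expired" message now reports a different condition. Keep the ordering check and add the comparison against the current time after it, as below. The sketch assumes the return convention stated in the hunk's own comments (`AXIS2_SUCCESS` when the first argument is earlier) and uses offset 0 as the removed code did; applying `clock_skew_buffer` here needs a negative offset, which this page does not show to be supported. The function's signature is in the previous hunk.
```c
    /* … unchanged: Created-before-Expires comparison on created_val / expires_val … */

    /* Reject a token whose Expires is already in the past */
    current_val = rampart_generate_time(env, 0, AXIS2_TRUE);
    validity = rampart_compare_date_time(env, current_val, expires_val);
    AXIS2_FREE(env->allocator, current_val);
    if (validity == AXIS2_FAILURE)
    {
        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
            "[rampart]Timestamp not valid: Timestamp token has expired");
        return AXIS2_FAILURE;
    }
```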

Modified: webservices/rampart/trunk/c/src/util/rampart_username_token.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_username_token.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_username_token.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_username_token.c Fri Oct  3 
02:30:38 2008
@@ -144,9 +144,11 @@
             axis2_char_t *nonce_val = NULL;
             axis2_char_t *created_val = NULL;
             axis2_char_t *digest_val = NULL;
+            axis2_bool_t need_millisecond = AXIS2_TRUE;
 
+            need_millisecond = 
rampart_context_get_need_millisecond_precision(rampart_context, env);
             nonce_val = oxs_util_generate_nonce(env, 24) ;
-            created_val = rampart_generate_time(env, 0);
+            created_val = rampart_generate_time(env, 0, need_millisecond);
             digest_val = rampart_crypto_sha1(env, nonce_val, created_val, 
password);
 
             axiom_namespace_increment_ref(sec_ns_obj, env);

Modified: webservices/rampart/trunk/c/src/util/rampart_util.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_util.c?rev=701336&r1=701335&r2=701336&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_util.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_util.c Fri Oct  3 02:30:38 2008
@@ -264,13 +264,21 @@
 AXIS2_EXTERN axis2_char_t* AXIS2_CALL
 rampart_generate_time(
     const axutil_env_t *env, 
-    int ttl)
+    int ttl, 
+    axis2_bool_t with_millisecond)
 {
     axutil_date_time_t *dt = NULL;
     axis2_char_t *dt_str = NULL;
 
     dt = axutil_date_time_create_with_offset(env, ttl);
-    dt_str =  axutil_date_time_serialize_date_time(dt, env);
+    if(with_millisecond)
+    {
+        dt_str =  axutil_date_time_serialize_date_time(dt, env);
+    }
+    else
+    {
+        dt_str = axutil_date_time_serialize_date_time_without_millisecond(dt, 
env);
+    }
     axutil_date_time_free(dt, env);
     return dt_str;
 }

