Author: alessio.soldano(a)jboss.com
Date: 2008-03-12 12:13:36 -0400 (Wed, 12 Mar 2008)
New Revision: 5945
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceFactory.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceGenerator.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DummyNonceStore.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceFactory.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceGenerator.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceStore.java
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Util.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/SendUsernameOperation.java
stack/native/trunk/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityConfiguration.java
stack/native/trunk/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java
stack/native/trunk/src/main/resources/schema/jboss-ws-security_1_0.xsd
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/MicrosoftInteropTestCase.java
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/RoundTripTestCase.java
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/SunInteropTestCase.java
stack/native/trunk/src/test/resources/jaxws/jbws1988/META-INF/jboss-service.xml
Log:
[JBWS-1988] Nonce factory, generator and store
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -34,6 +34,7 @@
import org.jboss.ws.extensions.security.element.Token;
import org.jboss.ws.extensions.security.element.UsernameToken;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
+import org.jboss.ws.extensions.security.nonce.NonceFactory;
import org.jboss.ws.extensions.security.operation.DecryptionOperation;
import org.jboss.ws.extensions.security.operation.ReceiveUsernameOperation;
import org.jboss.ws.extensions.security.operation.RequireEncryptionOperation;
@@ -57,6 +58,8 @@
private SecurityHeader header;
private Document message;
+
+ private NonceFactory nonceFactory;
private SecurityStore store;
@@ -64,10 +67,11 @@
private HashSet<String> encryptedIds = new HashSet<String>();
- public SecurityDecoder(SecurityStore store)
+ public SecurityDecoder(SecurityStore store, NonceFactory nonceFactory)
{
org.apache.xml.security.Init.init();
this.store = store;
+ this.nonceFactory = nonceFactory;
}
/**
@@ -77,9 +81,9 @@
* @param SecurityStore the security store that contains key and trust information
* @param now The timestamp to use as the current time when validating a message
expiration
*/
- public SecurityDecoder(SecurityStore store, Calendar now)
+ public SecurityDecoder(SecurityStore store, Calendar now, NonceFactory nonceFactory)
{
- this(store);
+ this(store, nonceFactory);
this.now = now;
}
@@ -113,7 +117,7 @@
for (Token token : header.getTokens())
{
if (token instanceof UsernameToken)
- new ReceiveUsernameOperation(header, store).process(message, token);
+ new ReceiveUsernameOperation(header, store, (nonceFactory != null ?
nonceFactory.getStore() : null)).process(message, token);
}
signedIds.clear();
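Review bot: The fallback `(nonceFactory != null ? nonceFactory.getStore() : null)` hands a null NonceStore to ReceiveUsernameOperation whenever the decoder was built without a factory, which both updated test call sites in this commit do, and nothing in this hunk stops that null from reaching the nonce check. A safer shape is to resolve the default once in the constructor, `this.nonceFactory = nonceFactory != null ? nonceFactory : new DefaultNonceFactory();`, and then pass `nonceFactory.getStore()` unconditionally here. The decode method containing this loop starts before the hunk, so other uses of the field cannot be checked from here.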
Modified: stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Util.java
===================================================================
--- stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Util.java 2008-03-12
16:03:34 UTC (rev 5944)
+++ stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Util.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -23,14 +23,12 @@
//$Id$
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import javax.xml.namespace.QName;
-import org.jboss.util.Base64;
+import org.jboss.ws.WSException;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -41,20 +39,7 @@
public class Util
{
public static int count = 0;
- private static SecureRandom pseudoRng;
- static
- {
- try
- {
- pseudoRng = SecureRandom.getInstance("SHA1PRNG");
- pseudoRng.setSeed(System.currentTimeMillis());
- }
- catch (NoSuchAlgorithmException e)
- {
- }
- }
-
public static String assignWsuId(Element element)
{
String id = element.getAttributeNS(Constants.WSU_NS, Constants.ID);
@@ -233,10 +218,21 @@
return id.toString();
}
- public static String generateNonce()
+ @SuppressWarnings("unchecked")
+ public static <T> T loadFactory(Class<T> factoryType, String
factoryClassName, Class<? extends T> defaultFactoryClassName)
{
- byte[] bytes = new byte[32];
- pseudoRng.nextBytes(bytes);
- return Base64.encodeBytes(bytes);
+ ClassLoader loader = Thread.currentThread().getContextClassLoader();
+ String name = factoryClassName != null ? factoryClassName :
System.getProperty(factoryType.getName());
+ if (name == null)
+ name = defaultFactoryClassName.getName();
+ try
+ {
+ Class<T> cl = (Class<T>)loader.loadClass(name);
+ return cl.newInstance();
+ }
+ catch (Exception e)
+ {
+ throw new WSException(e);
+ }
}
}
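Review bot: `loadFactory` never checks that the class named in the configuration or in the `factoryType.getName()` system property actually implements `factoryType`; the `(Class<T>)` cast is erased, so `newInstance()` will build any public no-arg class reachable from the context classloader and the mismatch only surfaces later as a ClassCastException at the call site. Replace the cast with `Class<? extends T> cl = loader.loadClass(name).asSubclass(factoryType);`, which fails here with a clear exception and lets the `@SuppressWarnings("unchecked")` go. It is also worth stating in the Javadoc that the lookup order is explicit config, then the JVM system property keyed by the interface name, then `defaultFactoryClassName`, since a JVM-wide property silently overriding a deployment's choice is not obvious from the method name.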
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -35,6 +35,8 @@
import org.jboss.ws.core.CommonSOAPFaultException;
import org.jboss.ws.extensions.security.exception.InvalidSecurityHeaderException;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
+import org.jboss.ws.extensions.security.nonce.DefaultNonceFactory;
+import org.jboss.ws.extensions.security.nonce.NonceFactory;
import org.jboss.ws.extensions.security.operation.EncodingOperation;
import org.jboss.ws.extensions.security.operation.EncryptionOperation;
//import org.jboss.ws.extensions.security.operation.OperationDescription;
@@ -156,7 +158,8 @@
{
SecurityStore securityStore = new SecurityStore(configuration.getKeyStoreURL(),
configuration.getKeyStoreType(), configuration.getKeyStorePassword(),
configuration.getKeyPasswords(), configuration.getTrustStoreURL(),
configuration.getTrustStoreType(), configuration.getTrustStorePassword());
- SecurityDecoder decoder = new SecurityDecoder(securityStore);
+ NonceFactory factory = Util.loadFactory(NonceFactory.class,
configuration.getNonceFactory(), DefaultNonceFactory.class);
+ SecurityDecoder decoder = new SecurityDecoder(securityStore, factory);
decoder.decode(message.getSOAPPart(), secHeaderElement);
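Review bot: `Util.loadFactory(...)` runs on every inbound message here, so the NonceStore used for replay detection is whatever `factory.getStore()` returns on a brand-new factory instance each time; the default factory in this commit creates a fresh store per call, and a custom factory only gives real protection if it keeps its store in static state. Resolve the factory once per WSSecurityConfiguration (a field, or a map keyed by the configuration) and reuse it, and state that expectation in the NonceFactory Javadoc. The enclosing method begins outside this hunk, so where the cached instance should live cannot be confirmed from here.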
@@ -200,7 +203,8 @@
Username username = config.getUsername();
if (username != null && user != null && password != null)
{
- operations.add(new SendUsernameOperation(user, password,
username.isDigestPassword(), username.isUseNonce(), username.isUseCreated()));
+ NonceFactory factory = Util.loadFactory(NonceFactory.class,
configuration.getNonceFactory(), DefaultNonceFactory.class);
+ operations.add(new SendUsernameOperation(user, password,
username.isDigestPassword(), username.isUseNonce(), username.isUseCreated(),
factory.getGenerator()));
}
Sign sign = config.getSign();
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceFactory.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceFactory.java
(rev 0)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceFactory.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -0,0 +1,45 @@
+/*
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.ws.extensions.security.nonce;
+
+//$Id$
+
+/**
+ * The default nonce factory
+ *
+ * @author alessio.soldano(a)jboss.com
+ * @since 12-Mar-2008
+ */
+public class DefaultNonceFactory implements NonceFactory
+{
+
+ public NonceGenerator getGenerator()
+ {
+ return new DefaultNonceGenerator();
+ }
+
+ public NonceStore getStore()
+ {
+ return new DummyNonceStore();
+ }
+
+}
Property changes on:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceFactory.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceGenerator.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceGenerator.java
(rev 0)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceGenerator.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -0,0 +1,60 @@
+/*
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.ws.extensions.security.nonce;
+
+//$Id$
+
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+import org.jboss.util.Base64;
+
+/**
+ * A simple nonce generator using a SecureRandom instance.
+ *
+ * @author alessio.soldano(a)jboss.com
+ * @since 12-Mar-2008
+ */
+public class DefaultNonceGenerator implements NonceGenerator
+{
+ private static SecureRandom pseudoRng;
+
+ static
+ {
+ try
+ {
+ pseudoRng = SecureRandom.getInstance("SHA1PRNG");
+ pseudoRng.setSeed(System.currentTimeMillis());
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ }
+ }
+
+ public String generateNonce()
+ {
+ byte[] bytes = new byte[32];
+ pseudoRng.nextBytes(bytes);
+ return Base64.encodeBytes(bytes);
+ }
+
+}
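Review bot: `pseudoRng.setSeed(System.currentTimeMillis())` in the static initializer weakens the generator: on the SUN provider's SHA1PRNG a `setSeed` made before the first `nextBytes` is used as the entire seed material, so every nonce stream derives from a millisecond timestamp near JVM start, which is a small space to brute-force. The empty `catch (NoSuchAlgorithmException)` also leaves `pseudoRng` null and turns the first `generateNonce()` into a NullPointerException. Both go away with `private static final SecureRandom pseudoRng = new SecureRandom();` and no static block; the platform default self-seeds, and `nextBytes` is documented as safe to share across threads.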
Property changes on:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DefaultNonceGenerator.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DummyNonceStore.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DummyNonceStore.java
(rev 0)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DummyNonceStore.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -0,0 +1,47 @@
+/*
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.ws.extensions.security.nonce;
+
+import org.jboss.logging.Logger;
+
+//$Id$
+
+/**
+ * A dummy nonce store providing no actual
+ * security increase against replay attacks.
+ *
+ * @author alessio.soldano(a)jboss.com
+ */
+public class DummyNonceStore implements NonceStore
+{
+
+ public boolean hasNonce(String nonce)
+ {
+ return false;
+ }
+
+ public void putNonce(String nonce)
+ {
+ Logger.getLogger(this.getClass()).warn("Please consider using a real nonce
store to increase security against replay attacks.");
+ }
+
+}
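Review bot: `hasNonce` returning false unconditionally means the replay check that consumes this store can never reject a message, so with the default factory the new nonce verification is a no-op; the class Javadoc should say so bluntly, e.g. `Default store: remembers nothing, so every nonce is accepted and replayed requests are not detected.` The `warn` in `putNonce` fires once per received token rather than once per deployment, which will flood logs on a busy endpoint; emit it from a static initializer or guard it with a one-shot flag. Consider also whether a time-bounded in-memory store would be a better default than one that disables the feature.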
Property changes on:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/DummyNonceStore.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceFactory.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceFactory.java
(rev 0)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceFactory.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -0,0 +1,38 @@
+/*
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.ws.extensions.security.nonce;
+
+//$Id$
+
+/**
+ * Generic interface for a factory of nonce generator and nonce store.
+ *
+ * @author alessio.soldano(a)jboss.com
+ * @since 12-Mar-2008
+ *
+ */
+public interface NonceFactory
+{
+ public NonceGenerator getGenerator();
+
+ public NonceStore getStore();
+}
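Review bot: The interface does not state whether `getStore()` must return the same instance on every call, yet the dispatcher in this commit obtains a factory and calls `getStore()` per message, so an implementation that hands out a fresh store each time silently loses replay protection. Add Javadoc on `getStore()` such as `Returns the store shared by all messages handled under this configuration; implementations must return the same thread-safe instance across calls.` and on the type a note that implementations need a public no-arg constructor because they are created reflectively via `Util.loadFactory`.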
Property changes on:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceFactory.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceGenerator.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceGenerator.java
(rev 0)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceGenerator.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -0,0 +1,35 @@
+/*
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.ws.extensions.security.nonce;
+
+//$Id$
+
+/**
+ * Simple interface for a generator of nonces.
+ *
+ * @author alessio.soldano(a)jboss.com
+ * @since 12-Mar-2008
+ */
+public interface NonceGenerator
+{
+ public String generateNonce();
+}
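Review bot: `generateNonce()` has no contract for the string's form or strength even though callers place it straight into the UsernameToken nonce and into the password digest; a Javadoc line such as `Returns a fresh, unpredictable nonce as Base64 text for the UsernameToken Nonce element; implementations must draw from a cryptographically strong source and must be safe to call concurrently.` would pin that down. The default implementation in this commit encodes 32 random bytes, which is a reasonable reference point to cite.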
Property changes on:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceGenerator.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceStore.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceStore.java
(rev 0)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceStore.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -0,0 +1,49 @@
+/*
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.ws.extensions.security.nonce;
+
+//$Id$
+
+/**
+ * A nonce store collects recently used nonces.
+ *
+ * @author alessio.soldano(a)jboss.com
+ * @since 12-Mar-2008
+ *
+ */
+public interface NonceStore
+{
+ /**
+ * Checks whether the store contains the provided nonce.
+ *
+ * @param nonce
+ * @return True if the provided nonce has been recently put in the store
+ */
+ public boolean hasNonce(String nonce);
+
+ /**
+ * Put the given nonce in the store.
+ *
+ * @param nonce
+ */
+ public void putNonce(String nonce);
+}
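Review bot: `hasNonce` followed by `putNonce` is a check-then-act pair, so two concurrent requests carrying the same nonce can both pass the check before either stores it; the interface would be simpler and race-free if `putNonce` returned `boolean` (true only when the nonce was newly added) and callers rejected on false. The Javadoc should also require thread safety, since one store is shared across all inbound messages, and should describe eviction: nonces only need to be remembered for the Created-timestamp freshness window the receiver enforces, otherwise a real implementation grows without bound.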
Property changes on:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/nonce/NonceStore.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -23,6 +23,8 @@
// $Id$
+import java.util.Calendar;
+
import javax.security.auth.callback.CallbackHandler;
import org.jboss.logging.Logger;
@@ -34,23 +36,28 @@
import org.jboss.ws.extensions.security.element.Token;
import org.jboss.ws.extensions.security.element.UsernameToken;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
+import org.jboss.ws.extensions.security.nonce.NonceStore;
import org.jboss.wsf.spi.SPIProvider;
import org.jboss.wsf.spi.SPIProviderResolver;
import org.jboss.wsf.spi.invocation.SecurityAdaptor;
import org.jboss.wsf.spi.invocation.SecurityAdaptorFactory;
+import org.jboss.xb.binding.SimpleTypeBindings;
import org.w3c.dom.Document;
public class ReceiveUsernameOperation implements TokenOperation
{
private SecurityHeader header;
private SecurityStore store;
+ private NonceStore nonceStore;
+ private static final int TIMESTAMP_FRESHNESS_THRESHOLD = 300;
private SecurityAdaptorFactory secAdapterfactory;
- public ReceiveUsernameOperation(SecurityHeader header, SecurityStore store)
+ public ReceiveUsernameOperation(SecurityHeader header, SecurityStore store, NonceStore
nonceStore)
{
this.header = header;
this.store = store;
+ this.nonceStore = nonceStore;
SPIProvider spiProvider = SPIProviderResolver.getInstance().getProvider();
secAdapterfactory = spiProvider.getSPI(SecurityAdaptorFactory.class);
@@ -64,10 +71,30 @@
Logger.getLogger(this.getClass()).info("Password: " +
user.getPassword());
if (user.isDigest())
{
+ verifyUsernameToken(user);
CallbackHandler handler = new UsernameTokenCallbackHandler(user.getNonce(),
user.getCreated());
CallbackHandlerPolicyContextHandler.setCallbackHandler(handler);
}
securityAdaptor.setPrincipal(new SimplePrincipal(user.getUsername()));
securityAdaptor.setCredential(user.getPassword());
}
+
+ private void verifyUsernameToken(UsernameToken token) throws WSSecurityException
+ {
+ if (token.getCreated() != null)
+ {
+ Calendar cal = SimpleTypeBindings.unmarshalDateTime(token.getCreated());
+ Calendar ref = Calendar.getInstance();
+ ref.add(Calendar.SECOND, -TIMESTAMP_FRESHNESS_THRESHOLD);
+ if (ref.after(cal))
+ throw new WSSecurityException("Request rejected since a stale timestamp
has been provided: " + token.getCreated());
+ }
+ String nonce = token.getNonce();
+ if (nonce != null)
+ {
+ if (nonceStore.hasNonce(nonce))
+ throw new WSSecurityException("Request rejected since a message with the
same nonce has been recently received; nonce = " + nonce);
+ nonceStore.putNonce(nonce);
+ }
+ }
}
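Review bot: `verifyUsernameToken` dereferences `nonceStore` without a null check, and `SecurityDecoder` in this commit passes null when it was built without a NonceFactory (as the updated tests do), so a digest token carrying a nonce would fail with a NullPointerException instead of a WSSecurityException; guard it with `if (nonce != null && nonceStore != null)` or reject a missing store up front in the constructor. Separately, the context line `Logger.getLogger(this.getClass()).info("Password: " + user.getPassword());` writes the received credential (or its digest) to the log at INFO on every request; it predates this change but should go before this code ships. The freshness check also only rejects timestamps older than 300 seconds and accepts any value in the future, so a matching upper bound (`ref` plus the same threshold) would close that gap.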
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/SendUsernameOperation.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/SendUsernameOperation.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/SendUsernameOperation.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -36,12 +36,12 @@
import org.jboss.logging.Logger;
import org.jboss.security.Base64Encoder;
import org.jboss.ws.extensions.security.SecurityStore;
-import org.jboss.ws.extensions.security.Util;
import org.jboss.ws.extensions.security.auth.callback.UsernameTokenCallback;
import org.jboss.ws.extensions.security.auth.callback.UsernameTokenCallbackHandler;
import org.jboss.ws.extensions.security.element.SecurityHeader;
import org.jboss.ws.extensions.security.element.UsernameToken;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
+import org.jboss.ws.extensions.security.nonce.NonceGenerator;
import org.jboss.xb.binding.SimpleTypeBindings;
import org.w3c.dom.Document;
@@ -54,25 +54,26 @@
private boolean digestPassword;
private boolean useNonce;
private boolean useCreated;
+ private NonceGenerator nonceGenerator;
- public SendUsernameOperation(String username, String credential, boolean
digestPassword, boolean useNonce, boolean useCreated)
+ public SendUsernameOperation(String username, String credential, boolean
digestPassword, boolean useNonce, boolean useCreated, NonceGenerator nonceGenerator)
{
this.username = username;
this.credential = credential;
this.digestPassword = digestPassword;
this.useNonce = useNonce;
this.useCreated = useCreated;
+ this.nonceGenerator = nonceGenerator;
}
public void process(Document message, SecurityHeader header, SecurityStore store)
throws WSSecurityException
{
String created = useCreated ? getCurrentTimestampAsString() : null;
- String nonce = useNonce ? Util.generateNonce() : null;
+ String nonce = useNonce ? nonceGenerator.generateNonce() : null;
String password = digestPassword ? createPasswordDigest(nonce, created, credential)
: credential;
header.addToken(new UsernameToken(username, password, message, digestPassword,
nonce, created));
}
-
private static String getCurrentTimestampAsString()
{
Calendar timestamp = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
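Review bot: The new constructor stores `nonceGenerator` without validating it, so a caller that enables `useNonce` but passes null gets a NullPointerException from `process` at the `nonceGenerator.generateNonce()` call rather than a WSSecurityException; add `if (useNonce && nonceGenerator == null) throw new IllegalArgumentException("nonceGenerator required when useNonce is set");` to the constructor. The class continues beyond this hunk, so other uses of the field cannot be checked from here.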
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityConfiguration.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityConfiguration.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityConfiguration.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -46,6 +46,7 @@
private String trustStoreType;
private String trustStorePassword;
private HashMap<String, String> keyPasswords = new HashMap<String,
String>();
+ private String nonceFactory;
public WSSecurityConfiguration()
{
@@ -165,4 +166,14 @@
{
this.keyPasswords = keyPasswords;
}
+
+ public String getNonceFactory()
+ {
+ return nonceFactory;
+ }
+
+ public void setNonceFactory(String nonceFactory)
+ {
+ this.nonceFactory = nonceFactory;
+ }
}
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -51,7 +51,7 @@
public static String CLIENT_RESOURCE_NAME = "jboss-wsse-client.xml";
- private static HashMap options = new HashMap(6);
+ private static HashMap options = new HashMap(7);
static
{
@@ -61,6 +61,7 @@
options.put("trust-store-file", "setTrustStoreFile");
options.put("trust-store-type", "setTrustStoreType");
options.put("trust-store-password", "setTrustStorePassword");
+ options.put("nonce-factory-class", "setNonceFactory");
}
// provide logging
@@ -147,7 +148,7 @@
if (method == null)
return;
- // Dispatch to propper initializer
+ // Dispatch to proper initializer
try
{
WSSecurityConfiguration.class.getMethod(method, new Class[] { String.class
}).invoke(configuration, new Object[] { value });
Modified: stack/native/trunk/src/main/resources/schema/jboss-ws-security_1_0.xsd
===================================================================
--- stack/native/trunk/src/main/resources/schema/jboss-ws-security_1_0.xsd 2008-03-12
16:03:34 UTC (rev 5944)
+++ stack/native/trunk/src/main/resources/schema/jboss-ws-security_1_0.xsd 2008-03-12
16:13:36 UTC (rev 5945)
@@ -48,6 +48,11 @@
<xs:documentation>The WSDL port.</xs:documentation>
</xs:annotation>
</xs:element>
+ <xs:element name="nonce-factory-class" type="xs:string"
minOccurs="0">
+ <xs:annotation>
+ <xs:documentation>This specifies the nonce factory class name. It is
used to get the custom generator and store of nonces.</xs:documentation>
+ </xs:annotation>
+ </xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
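Review bot: The `nonce-factory-class` documentation should tell the deployer what the value must be and what happens when it is omitted: the class is loaded by name from the context classloader and must implement `org.jboss.ws.extensions.security.nonce.NonceFactory` with a public no-arg constructor, and when absent the system property named after that interface, then DefaultNonceFactory, is used, whose store performs no replay detection. Something like `Fully qualified name of a NonceFactory implementation (public no-arg constructor required) supplying the nonce generator and the nonce store used for replay detection; if omitted, DefaultNonceFactory is used, which does not detect replays.`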
Modified:
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/MicrosoftInteropTestCase.java
===================================================================
---
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/MicrosoftInteropTestCase.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/MicrosoftInteropTestCase.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -95,7 +95,7 @@
cal.set(Calendar.MINUTE, 22);
cal.set(Calendar.SECOND, 25);
- SecurityDecoder decoder = new SecurityDecoder(new SecurityStore(), cal);
+ SecurityDecoder decoder = new SecurityDecoder(new SecurityStore(), cal, null);
decoder.decode(soapEnv.getOwnerDocument());
decoder.complete();
Modified:
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/RoundTripTestCase.java
===================================================================
---
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/RoundTripTestCase.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/RoundTripTestCase.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -59,7 +59,7 @@
/**
* Simple WS-Security round trip test
- *
+ *
* @author <a href="mailto:jason.greene@jboss.com>Jason T. Greene</a>
*/
public class RoundTripTestCase extends JBossWSTest
@@ -95,7 +95,7 @@
env = soapMsg.getSOAPPart().getEnvelope();
doc = env.getOwnerDocument();
- SecurityDecoder decoder = new SecurityDecoder(new SecurityStore());
+ SecurityDecoder decoder = new SecurityDecoder(new SecurityStore(), null);
decoder.decode(doc);
decoder.verify(buildRequireOperations());
decoder.complete();
@@ -106,53 +106,40 @@
assertEquals(inputString, DOMWriter.printNode(doc, true));
}
-
+
public void testRoundTripUsingAPI() throws Exception
{
- String envStr = "<env:Envelope
xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>"
- + " <env:Header>"
+ String envStr = "<env:Envelope
xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>" + "
<env:Header>"
+ " <tns:someHeader
xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'"
- + " tns:test='hi'
xmlns:tns='http://org.jboss.ws/2004'>some header
value</tns:someHeader>"
- + " </env:Header> "
+ + " tns:test='hi'
xmlns:tns='http://org.jboss.ws/2004'>some header
value</tns:someHeader>" + " </env:Header> "
+ " <env:Body wsu:Id='element-9-1205139829909-17908832'
xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws...
+ " <tns:echoString2
xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:tns='http://org.jboss.ws/2004' "
- + "
xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws...
- + " <string>Hello World!</string>"
- + " </tns:echoString2>"
- + " <tns:echoString
xmlns:tns='http://org.jboss.ws/2004'>"
- + " <string>Hello World!</string>"
- + " </tns:echoString>"
- + " </env:Body>"
- + "</env:Envelope>";
+ + "
xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws...
+ " <string>Hello World!</string>"
+ + " </tns:echoString2>" + " <tns:echoString
xmlns:tns='http://org.jboss.ws/2004'>" + " <string>Hello
World!</string>" + " </tns:echoString>"
+ + " </env:Body>" + "</env:Envelope>";
String conf = "<jboss-ws-security
xmlns='http://www.jboss.com/ws-security/config'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'"
- + "
xsi:schemaLocation='http://www.jboss.com/ws-security/config
http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd'>...
- + " <config>"
- + " <encrypt type='x509v3' alias='wsse'/>"
- + " <sign alias='wsse'/>"
- + " <username/>"
- + " <requires>"
- + " <encryption/>"
- + " <signature/>"
- + " </requires>"
- + " </config>"
- + "</jboss-ws-security>";
+ + "
xsi:schemaLocation='http://www.jboss.com/ws-security/config
http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd'>... + "
<config>"
+ + " <encrypt type='x509v3' alias='wsse'/>"
+ " <sign alias='wsse'/>" + " <username/>" +
" <requires>" + " <encryption/>"
+ + " <signature/>" + " </requires>" +
" </config>" + "</jboss-ws-security>";
WSSecurityConfiguration configuration = WSSecurityOMFactory.newInstance().parse(new
StringReader(conf));
ByteArrayInputStream inputStream = new ByteArrayInputStream(envStr.getBytes());
MessageFactory factory = new MessageFactoryImpl();
SOAPMessage soapMsg = factory.createMessage(null, inputStream);
String expected = DOMWriter.printNode(soapMsg.getSOAPPart().getEnvelope(), true);
-
+
WSSecurityAPI sec = new WSSecurityDispatcher();
sec.encodeMessage(configuration, soapMsg, null, "kermit",
"thefrog");
sec.decodeMessage(configuration, soapMsg, null);
-
+
String actual = DOMWriter.printNode(soapMsg.getSOAPPart().getEnvelope(), true);
assertEquals(expected, actual);
}
- // WS-Security leaves wsu:id attributes around on elements which are not cleaned
- // up due to performance reasons. This, however, breaks comparisons, so we manually
+ // WS-Security leaves wsu:id attributes around on elements which are not
+ // cleaned
+ // up due to performance reasons. This, however, breaks comparisons, so we
+ // manually
// fix this for tests.
private void cleanupWsuIds(Element element)
{
@@ -192,7 +179,7 @@
targets.add(target);
operations.add(new EncryptionOperation(targets, "wsse", null, null,
null));
- operations.add(new SendUsernameOperation("hi",
"there",false,false,false));
+ operations.add(new SendUsernameOperation("hi", "there", false,
false, false, null));
return operations;
}
@@ -206,7 +193,7 @@
name = new QName("http://org.jboss.ws/2004", "someHeader");
target = new QNameTarget(name);
targets.add(target);
- //targets.add(new WsuIdTarget("timestamp"));
+ // targets.add(new WsuIdTarget("timestamp"));
LinkedList operations = new LinkedList();
operations.add(new RequireSignatureOperation(targets));
operations.add(new RequireEncryptionOperation(targets));
Modified:
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/SunInteropTestCase.java
===================================================================
---
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/SunInteropTestCase.java 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/test/java/org/jboss/test/ws/jaxrpc/wsse/SunInteropTestCase.java 2008-03-12
16:13:36 UTC (rev 5945)
@@ -72,7 +72,7 @@
cal.set(Calendar.MINUTE, 32);
cal.set(Calendar.SECOND, 25);
- SecurityDecoder decoder = new SecurityDecoder(new SecurityStore(), cal);
+ SecurityDecoder decoder = new SecurityDecoder(new SecurityStore(), cal, null);
decoder.decode(doc);
decoder.complete();
@@ -107,7 +107,7 @@
cal.set(Calendar.SECOND, 40);
- SecurityDecoder decoder = new SecurityDecoder(new SecurityStore(), cal);
+ SecurityDecoder decoder = new SecurityDecoder(new SecurityStore(), cal, null);
decoder.decode(doc);
decoder.complete();
Modified: stack/native/trunk/src/test/resources/jaxws/jbws1988/META-INF/jboss-service.xml
===================================================================
---
stack/native/trunk/src/test/resources/jaxws/jbws1988/META-INF/jboss-service.xml 2008-03-12
16:03:34 UTC (rev 5944)
+++
stack/native/trunk/src/test/resources/jaxws/jbws1988/META-INF/jboss-service.xml 2008-03-12
16:13:36 UTC (rev 5945)
@@ -1,6 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<server>
+ <!-- ==================================================================== -->
+ <!-- Dynamic login config to install the login module using digest -->
+ <!-- ==================================================================== -->
<mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
name="jboss:service=DynamicLoginConfig">
<attribute
name="AuthConfig">META-INF/login-config.xml</attribute>