Author: darran.lofthouse(a)jboss.com
Date: 2010-06-18 07:06:21 -0400 (Fri, 18 Jun 2010)
New Revision: 12499
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandler.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandlerInbound.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Config.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Encrypt.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireSignature.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Requires.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Sign.java
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java
Log:
Round 1 of backports
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -84,13 +84,10 @@
QName secQName = new QName(Constants.WSSE_NS, "Security");
Element secHeaderElement = (soapHeader != null) ? Util.findElement(soapHeader,
secQName) : null;
+ boolean fault = message.getSOAPBody().getFault() != null;
if (secHeaderElement == null)
{
- // This is ok, we always allow faults to be received because WS-Security does
not encrypt faults
- if (message.getSOAPBody().getFault() != null)
- return;
-
- if (hasRequirements(config))
+ if (hasRequirements(config, fault))
throw convertToFault(new InvalidSecurityHeaderException("This service
requires <wsse:Security>, which is missing."));
}
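Review bot: The comment removed just above the fault check is not replaced, so a reader of `hasRequirements(config, fault)` no longer sees that a fault arriving without a <wsse:Security> header is deliberately accepted unless the requirements opt into faults, nor that `fault` is derived from the still-unverified body before any signature or decryption has run. Suggest a comment above `if (secHeaderElement == null)`: `// Faults are exempt from the <wsse:Security> requirement unless the requires config sets includeFaults; note the fault flag comes from the not-yet-verified body.` The new `fault` parameter on decodeHeader (hunk @@ -115,7 +112,7 @@) and buildRequireOperations (hunk @@ -270,7 +268,7 @@) is likewise undocumented; a one-line `@param fault true when the SOAP body carries a fault` on each would do. The enclosing method (presumably decodeMessage) starts outside the hunk.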
@@ -98,7 +95,7 @@
{
if (secHeaderElement != null)
{
- decodeHeader(configuration, config, message, secHeaderElement);
+ decodeHeader(configuration, config, message, secHeaderElement, fault);
}
authorize(config);
@@ -115,7 +112,7 @@
}
- private void decodeHeader(WSSecurityConfiguration configuration, Config config,
SOAPMessage message, Element secHeaderElement) throws WSSecurityException
+ private void decodeHeader(WSSecurityConfiguration configuration, Config config,
SOAPMessage message, Element secHeaderElement, boolean fault) throws WSSecurityException
{
SecurityStore securityStore = new SecurityStore(configuration.getKeyStoreURL(),
configuration.getKeyStoreType(), configuration.getKeyStorePassword(),
configuration.getKeyPasswords(), configuration.getTrustStoreURL(),
configuration.getTrustStoreType(), configuration.getTrustStorePassword());
@@ -135,7 +132,7 @@
if (log.isTraceEnabled())
log.trace("Decoded Message:\n" +
DOMWriter.printNode(message.getSOAPPart(), true));
- List<RequireOperation> operations = buildRequireOperations(config);
+ List<RequireOperation> operations = buildRequireOperations(config, fault);
decoder.verify(operations);
if (log.isDebugEnabled())
@@ -163,10 +160,11 @@
if (log.isDebugEnabled())
log.debug("WS-Security config: " + config);
+ boolean fault = message.getSOAPBody().getFault() != null;
// Nothing to process
- if (config == null)
+ if (config == null || (fault && !config.includesFaults()))
return;
-
+
ArrayList<EncodingOperation> operations = new
ArrayList<EncodingOperation>();
Timestamp timestamp = config.getTimestamp();
if (timestamp != null)
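Review bot: The early return `if (config == null || (fault && !config.includesFaults()))` only establishes that at least one of sign/encrypt opted into faults, so for a fault the timestamp operation built from `config.getTimestamp()` (and, presumably, any username token handled further down, outside the hunk) is still emitted while only the opted-in protection is applied. If that is intended, say so in a comment after the return, e.g. `// For faults only the sign/encrypt operations that set includeFaults are applied; the remaining operations are added as for any message.` The `-`/`+` pair of blank lines below the return is a whitespace-only change that adds noise to the backport. The enclosing method starts outside the hunk.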
@@ -182,7 +180,7 @@
}
Sign sign = config.getSign();
- if (sign != null)
+ if (sign != null && (!fault || sign.isIncludeFaults()))
{
List<Target> targets = convertTargets(sign.getTargets());
if (sign.isIncludeTimestamp())
@@ -198,7 +196,7 @@
}
Encrypt encrypt = config.getEncrypt();
- if (encrypt != null)
+ if (encrypt != null && (!fault || encrypt.isIncludeFaults()))
{
List<Target> targets = convertTargets(encrypt.getTargets());
operations.add(new EncryptionOperation(targets, encrypt.getAlias(),
encrypt.getAlgorithm(), encrypt.getWrap(), encrypt.getTokenRefType()));
@@ -270,7 +268,7 @@
return new CommonSOAPFaultException(e.getFaultCode(), e.getFaultString());
}
- private List<RequireOperation> buildRequireOperations(Config operationConfig)
+ private List<RequireOperation> buildRequireOperations(Config operationConfig,
boolean fault)
{
if (operationConfig == null)
return null;
@@ -285,14 +283,14 @@
operations.add(new RequireTimestampOperation(requireTimestamp.getMaxAge()));
RequireSignature requireSignature = requires.getRequireSignature();
- if (requireSignature != null)
+ if (requireSignature != null && (!fault ||
requireSignature.isIncludeFaults()))
{
List<Target> targets = convertTargets(requireSignature.getTargets());
operations.add(new RequireSignatureOperation(targets));
- }
+ }
RequireEncryption requireEncryption = requires.getRequireEncryption();
- if (requireEncryption != null)
+ if (requireEncryption != null && (!fault ||
requireEncryption.isIncludeFaults()))
{
List<Target> targets = convertTargets(requireEncryption.getTargets());
operations.add(new RequireEncryptionOperation(targets));
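Review bot: `RequireTimestampOperation` is still added for faults unconditionally (the `operations.add(new RequireTimestampOperation(...))` context line at the top of the hunk), while `Requires.includesFaults()` introduced in this commit considers only requireSignature and requireEncryption. A fault that does carry a <wsse:Security> header is therefore held to the timestamp requirement, but the same fault without a header passes `hasRequirements` when only a timestamp is required, so the two paths disagree. Either apply one rule to the timestamp too (for example skip it with `if (requireTimestamp != null && !fault)` when neither signature nor encryption includes faults) or document the asymmetry where the timestamp operation is added. The `- }`/`+ }` pair after the signature block is a whitespace-only change. buildRequireOperations continues outside the hunk.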
@@ -354,8 +352,9 @@
return operation.getConfig();
}
- private boolean hasRequirements(Config config)
+ private boolean hasRequirements(Config config, boolean fault)
{
- return config != null && config.getRequires() != null;
+ Requires requires = (config != null) ? config.getRequires() : null;
+ return requires != null && (!fault || requires.includesFaults());
}
}
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandler.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandler.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandler.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -27,11 +27,11 @@
import javax.xml.rpc.Stub;
import javax.xml.rpc.handler.GenericHandler;
import javax.xml.rpc.handler.MessageContext;
-import javax.xml.soap.SOAPException;
import org.jboss.logging.Logger;
import org.jboss.ws.WSException;
import org.jboss.ws.core.CommonMessageContext;
+import org.jboss.ws.core.CommonSOAPFaultException;
import org.jboss.ws.core.soap.SOAPMessageImpl;
import org.jboss.ws.extensions.security.Constants;
import org.jboss.ws.extensions.security.WSSecurityDispatcher;
@@ -52,13 +52,22 @@
// provide logging
private static Logger log = Logger.getLogger(WSSecurityHandler.class);
+ protected static final String FAULT_THROWN =
"org.jboss.ws.wsse.faultThrown";
+
public QName[] getHeaders()
{
return new QName[] {Constants.WSSE_HEADER_QNAME};
}
+
+ protected boolean thrownByMe(MessageContext msgContext)
+ {
+ Boolean bool = (Boolean) msgContext.getProperty(FAULT_THROWN);
+ return bool != null && bool.booleanValue();
+ }
protected boolean handleInboundSecurity(MessageContext msgContext)
{
+ Exception exception = null;
try
{
WSSecurityConfiguration configuration = getSecurityConfiguration(msgContext);
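Review bot: FAULT_THROWN carries no documentation, and `thrownByMe` returns true whenever the property was set, which (per the later hunk in this file) happens on the logged-and-return-false path as well as when a CommonSOAPFaultException is rethrown, so the name promises more than it records. Suggest a comment on the constant: `// Set on the context whenever this handler failed (fault thrown or chain halted) so handleFault does not re-secure the resulting fault`, plus Javadoc on thrownByMe naming the property it reads. handleInboundSecurity continues past the end of the hunk.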
@@ -70,16 +79,28 @@
new WSSecurityDispatcher().decodeMessage(configuration, soapMessage, null);
}
}
- catch (SOAPException ex)
+ catch (Exception ex)
{
- log.error("Cannot handle inbound ws-security", ex);
+ exception = ex;
+ }
+
+ if (exception != null)
+ {
+ msgContext.setProperty(FAULT_THROWN, true);
+ if (exception instanceof CommonSOAPFaultException)
+ throw (CommonSOAPFaultException)exception;
+
+ // Unexpected exception, log it
+ log.error("Cannot handle inbound ws-security", exception);
return false;
}
+
return true;
}
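Review bot: Widening the catch from SOAPException to `catch (Exception ex)` means runtime failures inside decodeMessage other than CommonSOAPFaultException, which previously propagated, are now logged and turned into `return false`; that change in failure behaviour is not stated anywhere, and capturing the exception into a local only to test it with instanceof and cast it back is harder to read than two catch clauses. The same capture-and-rethrow shape is duplicated in handleOutboundSecurity (hunk @@ -93,11 +114,22 @@), and the rewrite below applies to both. The try block starts in the previous hunk.
```java
   // … unchanged: try block calling decodeMessage …
   catch (CommonSOAPFaultException ex)
   {
      // WS-Security rejection: flag the context so handleFault does not re-secure the fault
      msgContext.setProperty(FAULT_THROWN, true);
      throw ex;
   }
   catch (Exception ex)
   {
      // Unexpected failure, checked or runtime: record it and halt the chain,
      // which is what the old SOAPException path did
      msgContext.setProperty(FAULT_THROWN, true);
      log.error("Cannot handle inbound ws-security", ex);
      return false;
   }
   return true;
```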
protected boolean handleOutboundSecurity(MessageContext msgContext)
{
+ Exception exception = null;
try
{
WSSecurityConfiguration configuration = getSecurityConfiguration(msgContext);
@@ -93,11 +114,22 @@
new WSSecurityDispatcher().encodeMessage(configuration, soapMessage, null,
user, pass);
}
}
- catch (SOAPException ex)
+ catch (Exception ex)
{
- log.error("Cannot handle outbound ws-security", ex);
+ exception = ex;
+ }
+
+ if (exception != null)
+ {
+ msgContext.setProperty(FAULT_THROWN, true);
+ if (exception instanceof CommonSOAPFaultException)
+ throw (CommonSOAPFaultException)exception;
+
+ // Unexpected exception, log it
+ log.error("Cannot handle outbound ws-security", exception);
return false;
}
+
return true;
}
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandlerInbound.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandlerInbound.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandlerInbound.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -22,6 +22,7 @@
package org.jboss.ws.extensions.security.jaxrpc;
import javax.xml.rpc.handler.MessageContext;
+import javax.xml.rpc.handler.soap.SOAPMessageContext;
import org.jboss.ws.metadata.wsse.WSSecurityOMFactory;
@@ -43,7 +44,19 @@
{
return handleOutboundSecurity(msgContext);
}
+
+ public boolean handleFault(MessageContext msgContext)
+ {
+ // Skip any WS-Security Faults
+ if (thrownByMe(msgContext))
+ return true;
+ // Mark the message as a fault, in case it ends up being encrypted
+ ((SOAPMessageContext)msgContext).getMessage().setFaultMessage(true);
+
+ return handleOutboundSecurity(msgContext);
+ }
+
protected String getConfigResourceName() {
return WSSecurityOMFactory.SERVER_RESOURCE_NAME;
}
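Review bot: `((SOAPMessageContext)msgContext).getMessage()` is typed as the JAX-RPC SOAPMessage, and `setFaultMessage(boolean)` is not part of that API; unless this stack's SOAPMessage type declares it, the call needs a cast to SOAPMessageImpl, the class WSSecurityHandler imports and uses. Skipping the handler when `thrownByMe` is set also means a fault raised by a WS-Security rejection leaves unsigned and unencrypted even when the sign/encrypt config sets includeFaults; that is presumably deliberate, since the requester's token may be missing or invalid, and a comment should say so, e.g. `// Faults raised by our own security check go out unprotected: the requester may not have authenticated.` handleFault also deserves Javadoc stating that it runs the outbound security processing for faults and flags the message as a fault so it is still treated as one once its body is encrypted, as the inline comment implies.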
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Config.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Config.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Config.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -75,6 +75,11 @@
return username;
}
+ public boolean includesFaults()
+ {
+ return (sign != null && sign.isIncludeFaults()) || (encrypt != null
&& encrypt.isIncludeFaults());
+ }
+
public void setUsername(Username username)
{
this.username = username;
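Review bot: `includesFaults()` has no Javadoc, and its name differs from the `isIncludeFaults()` accessors it reads, so the reader has to infer that it answers "is any outbound protection configured for faults". Suggest: `/** Returns true when at least one of the sign or encrypt settings is configured to be applied to SOAP faults as well. */`. The same applies to `Requires.includesFaults()` added in this commit.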
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Encrypt.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Encrypt.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Encrypt.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -38,14 +38,16 @@
private String algorithm;
private String keyWrapAlgorithm;
private String tokenRefType;
+ private boolean includeFaults;
- public Encrypt(String type, String alias, String algorithm, String wrap, String
tokenRefType)
+ public Encrypt(String type, String alias, String algorithm, String wrap, String
tokenRefType, boolean includeFaults)
{
this.type = type;
this.alias = alias;
this.algorithm = algorithm;
this.keyWrapAlgorithm = wrap;
this.tokenRefType = tokenRefType;
+ this.includeFaults = includeFaults;
}
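Review bot: Replacing the five-argument constructor instead of overloading it breaks every caller outside this commit that builds an `Encrypt`, and the same applies to `Sign` (hunk @@ -35,13 +35,15 @@) and to `RequireEncryption`/`RequireSignature`, which lose their implicit no-arg constructors. A delegating constructor keeps the old signature working: `public Encrypt(String type, String alias, String algorithm, String wrap, String tokenRefType) { this(type, alias, algorithm, wrap, tokenRefType, false); }`, with `false` matching the parser default in WSSecurityOMFactory. A `@param includeFaults` line stating that the encryption settings also apply to SOAP faults would document the new argument.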
public String getAlias()
@@ -97,4 +99,14 @@
{
this.tokenRefType = tokenRefType;
}
+
+ public boolean isIncludeFaults()
+ {
+ return includeFaults;
+ }
+
+ public void setIncludeFaults(boolean includeFaults)
+ {
+ this.includeFaults = includeFaults;
+ }
}
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -30,4 +30,21 @@
public class RequireEncryption extends Targetable
{
private static final long serialVersionUID = 3765798680988205647L;
+
+ private boolean includeFaults;
+
+ public RequireEncryption(boolean includeFaults)
+ {
+ this.includeFaults = includeFaults;
+ }
+
+ public boolean isIncludeFaults()
+ {
+ return includeFaults;
+ }
+
+ public void setIncludeFaults(boolean includeFaults)
+ {
+ this.includeFaults = includeFaults;
+ }
}
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireSignature.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireSignature.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireSignature.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -22,12 +22,28 @@
package org.jboss.ws.metadata.wsse;
/**
- * <code>Sign</code> represents the sign tag, which declares that a message
- * should be signed.
+ * <code>RequireSignature</code> indicates that a message received from a
peer must be signed.
*
* @author <a href="mailto:jason.greene@jboss.com">Jason T.
Greene</a>
*/
public class RequireSignature extends Targetable
{
private static final long serialVersionUID = -3854930944550152309L;
-}
+
+ private boolean includeFaults;
+
+ public RequireSignature(boolean includeFaults)
+ {
+ this.includeFaults = includeFaults;
+ }
+
+ public boolean isIncludeFaults()
+ {
+ return includeFaults;
+ }
+
+ public void setIncludeFaults(boolean includeFaults)
+ {
+ this.includeFaults = includeFaults;
+ }
+}
\ No newline at end of file
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Requires.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Requires.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Requires.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -65,4 +65,10 @@
{
this.requireTimestamp = requireTimestamp;
}
+
+ public boolean includesFaults()
+ {
+ return (requireSignature != null && requireSignature.isIncludeFaults())
+ || (requireEncryption != null && requireEncryption.isIncludeFaults());
+ }
}
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Sign.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Sign.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Sign.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -35,13 +35,15 @@
private String alias;
private boolean includeTimestamp;
private String tokenRefType;
+ private boolean includeFaults;
- public Sign(String type, String alias, boolean includeTimestamp, String tokenRefType)
+ public Sign(String type, String alias, boolean includeTimestamp, String tokenRefType,
boolean includeFaults)
{
this.type = type;
this.alias = alias;
this.includeTimestamp = includeTimestamp;
this.tokenRefType = tokenRefType;
+ this.includeFaults = includeFaults;
}
public String getAlias()
@@ -59,6 +61,16 @@
return type;
}
+ public boolean isIncludeFaults()
+ {
+ return includeFaults;
+ }
+
+ public void setIncludeFaults(boolean includeFaults)
+ {
+ this.includeFaults = includeFaults;
+ }
+
public void setType(String type)
{
this.type = type;
Modified:
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2010-06-18
11:04:04 UTC (rev 12498)
+++
stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2010-06-18
11:06:21 UTC (rev 12499)
@@ -50,7 +50,7 @@
public static final String CLIENT_RESOURCE_NAME = "jboss-wsse-client.xml";
- private static HashMap options = new HashMap(7);
+ private static HashMap<String, String> options = new HashMap<String,
String>(6);
static
{
@@ -93,6 +93,7 @@
}
catch (JBossXBException e)
{
+ log.error("Could not parse " + configURL + ":", e);
IOException ioex = new IOException("Cannot parse: " + configURL);
Throwable cause = e.getCause();
if (cause != null)
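Review bot: The added `log.error(...)` sits directly before an IOException that wraps the same failure and, on the following lines, appears to attach its cause, so one parse error is now reported twice with two stack traces. Either keep the log at a level that does not duplicate the thrown exception, e.g. `log.debug("Could not parse " + configURL, e);`, or drop it and let the caller's handling of the IOException report it once. The enclosing method continues outside the hunk.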
@@ -261,17 +262,26 @@
if ("sign".equals(localName))
{
// By default, we alwyas include a timestamp
- Boolean include = new Boolean(true);
- String timestamp = attrs.getValue("", "includeTimestamp");
- if (timestamp != null)
- include =
(Boolean)SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, timestamp,
null);
+ boolean includeTimestamp = true;
+ String value = attrs.getValue("", "includeTimestamp");
+ if (value != null)
+ includeTimestamp = (Boolean)
SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null);
- return new Sign(attrs.getValue("", "type"),
attrs.getValue("", "alias"), include.booleanValue(),
attrs.getValue("", "tokenReference"));
+ boolean includeFaults = false;
+ value = attrs.getValue("", "includeFaults");
+ if (value != null)
+ includeFaults = (Boolean)
SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null);
+
+ return new Sign(attrs.getValue("", "type"),
attrs.getValue("", "alias"), includeTimestamp,
attrs.getValue("", "tokenReference"), includeFaults);
}
else if ("encrypt".equals(localName))
{
- return new Encrypt(attrs.getValue("", "type"),
attrs.getValue("", "alias"), attrs.getValue("",
"algorithm"), attrs.getValue("", "keyWrapAlgorithm"), attrs
- .getValue("", "tokenReference"));
+ boolean includeFaults = false;
+ String value = attrs.getValue("", "includeFaults");
+ if (value != null)
+ includeFaults = (Boolean)
SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null);
+
+ return new Encrypt(attrs.getValue("", "type"),
attrs.getValue("", "alias"), attrs.getValue("",
"algorithm"), attrs.getValue("", "keyWrapAlgorithm"),
attrs.getValue("", "tokenReference"),includeFaults);
}
else if ("timestamp".equals(localName))
{
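Review bot: The includeFaults parse (`attrs.getValue("", "includeFaults")` followed by the `(Boolean) SimpleTypeBindings.unmarshal(...)` cast) is pasted four times, twice here and twice in the hunk at @@ -452,11 +462,21 @@, next to the existing includeTimestamp parse, and each copy unboxes the cast result directly, so a null from unmarshal would surface as a NullPointerException rather than a configuration error. A helper taking the default as a parameter removes the duplication and gives one place to document that includeFaults defaults to false, i.e. that faults are neither protected nor required to be protected unless the configuration says so. The helper below assumes `attrs` is the SAX Attributes type used elsewhere in this factory; adjust the parameter type if it is not.
```java
if ("sign".equals(localName))
{
   boolean includeTimestamp = booleanAttribute(attrs, "includeTimestamp", true);
   boolean includeFaults = booleanAttribute(attrs, "includeFaults", false);
   return new Sign(attrs.getValue("", "type"), attrs.getValue("", "alias"), includeTimestamp, attrs.getValue("", "tokenReference"), includeFaults);
}
// … unchanged: encrypt, signature and encryption branches, each using the same helper …

/**
 * Reads an xs:boolean attribute; an absent attribute yields defaultValue.
 * A present but unparseable value is a configuration error, not a silent default.
 */
private static boolean booleanAttribute(Attributes attrs, String name, boolean defaultValue)
{
   String value = attrs.getValue("", name);
   if (value == null)
      return defaultValue;
   Boolean parsed = (Boolean) SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null);
   if (parsed == null)
      throw new IllegalArgumentException("Attribute " + name + " is not an xs:boolean: " + value);
   return parsed.booleanValue();
}
```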
@@ -452,11 +462,21 @@
log.trace("newChild: " + localName);
if ("signature".equals(localName))
{
- return new RequireSignature();
+ boolean includeFaults = false;
+ String value = attrs.getValue("", "includeFaults");
+ if (value != null)
+ includeFaults = (Boolean)
SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null);
+
+ return new RequireSignature(includeFaults);
}
else if ("encryption".equals(localName))
{
- return new RequireEncryption();
+ boolean includeFaults = false;
+ String value = attrs.getValue("", "includeFaults");
+ if (value != null)
+ includeFaults = (Boolean)
SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null);
+
+ return new RequireEncryption(includeFaults);
}
else if ("timestamp".equals(localName))
{