Author: darran.lofthouse(a)jboss.com Date: 2010-06-18 07:06:21 -0400 (Fri, 18 Jun 2010) New Revision: 12499 Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandler.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandlerInbound.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Config.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Encrypt.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireSignature.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Requires.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Sign.java stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java Log: Round 1 of backports Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -84,13 +84,10 @@ QName secQName = new QName(Constants.WSSE_NS, "Security"); Element secHeaderElement = (soapHeader != null) ? Util.findElement(soapHeader, secQName) : null; + boolean fault = message.getSOAPBody().getFault() != null; if (secHeaderElement == null) { - // This is ok, we always allow faults to be received because WS-Security does not encrypt faults - if (message.getSOAPBody().getFault() != null) - return; - - if (hasRequirements(config)) + if (hasRequirements(config, fault)) throw convertToFault(new InvalidSecurityHeaderException("This service requires <wsse:Security>, which is missing.")); } @@ -98,7 +95,7 @@ { if (secHeaderElement != null) { - decodeHeader(configuration, config, message, secHeaderElement); + decodeHeader(configuration, config, message, secHeaderElement, fault); } authorize(config); @@ -115,7 +112,7 @@ } - private void decodeHeader(WSSecurityConfiguration configuration, Config config, SOAPMessage message, Element secHeaderElement) throws WSSecurityException + private void decodeHeader(WSSecurityConfiguration configuration, Config config, SOAPMessage message, Element secHeaderElement, boolean fault) throws WSSecurityException { SecurityStore securityStore = new SecurityStore(configuration.getKeyStoreURL(), configuration.getKeyStoreType(), configuration.getKeyStorePassword(), configuration.getKeyPasswords(), configuration.getTrustStoreURL(), configuration.getTrustStoreType(), configuration.getTrustStorePassword()); @@ -135,7 +132,7 @@ if (log.isTraceEnabled()) log.trace("Decoded Message:\n" + DOMWriter.printNode(message.getSOAPPart(), true)); - List<RequireOperation> operations = buildRequireOperations(config); + List<RequireOperation> operations = buildRequireOperations(config, fault); decoder.verify(operations); if (log.isDebugEnabled()) @@ -163,10 +160,11 @@ if (log.isDebugEnabled()) log.debug("WS-Security config: " + config); + boolean fault = message.getSOAPBody().getFault() != null; // Nothing to process - if (config == null) + if (config == null || (fault && !config.includesFaults())) return; - + ArrayList<EncodingOperation> operations = new ArrayList<EncodingOperation>(); Timestamp timestamp = config.getTimestamp(); if (timestamp != null) @@ -182,7 +180,7 @@ } Sign sign = config.getSign(); - if (sign != null) + if (sign != null && (!fault || sign.isIncludeFaults())) { List<Target> targets = convertTargets(sign.getTargets()); if (sign.isIncludeTimestamp()) @@ -198,7 +196,7 @@ } Encrypt encrypt = config.getEncrypt(); - if (encrypt != null) + if (encrypt != null && (!fault || encrypt.isIncludeFaults())) { List<Target> targets = convertTargets(encrypt.getTargets()); operations.add(new EncryptionOperation(targets, encrypt.getAlias(), encrypt.getAlgorithm(), encrypt.getWrap(), encrypt.getTokenRefType())); @@ -270,7 +268,7 @@ return new CommonSOAPFaultException(e.getFaultCode(), e.getFaultString()); } - private List<RequireOperation> buildRequireOperations(Config operationConfig) + private List<RequireOperation> buildRequireOperations(Config operationConfig, boolean fault) { if (operationConfig == null) return null; @@ -285,14 +283,14 @@ operations.add(new RequireTimestampOperation(requireTimestamp.getMaxAge())); RequireSignature requireSignature = requires.getRequireSignature(); - if (requireSignature != null) + if (requireSignature != null && (!fault || requireSignature.isIncludeFaults())) { List<Target> targets = convertTargets(requireSignature.getTargets()); operations.add(new RequireSignatureOperation(targets)); - } + } RequireEncryption requireEncryption = requires.getRequireEncryption(); - if (requireEncryption != null) + if (requireEncryption != null && (!fault || requireEncryption.isIncludeFaults())) { List<Target> targets = convertTargets(requireEncryption.getTargets()); operations.add(new RequireEncryptionOperation(targets)); @@ -354,8 +352,9 @@ return operation.getConfig(); } - private boolean hasRequirements(Config config) + private boolean hasRequirements(Config config, boolean fault) { - return config != null && config.getRequires() != null; + Requires requires = (config != null) ? config.getRequires() : null; + return requires != null && (!fault || requires.includesFaults()); } } Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandler.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandler.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandler.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -27,11 +27,11 @@ import javax.xml.rpc.Stub; import javax.xml.rpc.handler.GenericHandler; import javax.xml.rpc.handler.MessageContext; -import javax.xml.soap.SOAPException; import org.jboss.logging.Logger; import org.jboss.ws.WSException; import org.jboss.ws.core.CommonMessageContext; +import org.jboss.ws.core.CommonSOAPFaultException; import org.jboss.ws.core.soap.SOAPMessageImpl; import org.jboss.ws.extensions.security.Constants; import org.jboss.ws.extensions.security.WSSecurityDispatcher; @@ -52,13 +52,22 @@ // provide logging private static Logger log = Logger.getLogger(WSSecurityHandler.class); + protected static final String FAULT_THROWN = "org.jboss.ws.wsse.faultThrown"; + public QName[] getHeaders() { return new QName[] {Constants.WSSE_HEADER_QNAME}; } + + protected boolean thrownByMe(MessageContext msgContext) + { + Boolean bool = (Boolean) msgContext.getProperty(FAULT_THROWN); + return bool != null && bool.booleanValue(); + } protected boolean handleInboundSecurity(MessageContext msgContext) { + Exception exception = null; try { WSSecurityConfiguration configuration = getSecurityConfiguration(msgContext); @@ -70,16 +79,28 @@ new WSSecurityDispatcher().decodeMessage(configuration, soapMessage, null); } } - catch (SOAPException ex) + catch (Exception ex) { - log.error("Cannot handle inbound ws-security", ex); + exception = ex; + } + + if (exception != null) + { + msgContext.setProperty(FAULT_THROWN, true); + if (exception instanceof CommonSOAPFaultException) + throw (CommonSOAPFaultException)exception; + + // Unexpected exception, log it + log.error("Cannot handle inbound ws-security", exception); return false; } + return true; } protected boolean handleOutboundSecurity(MessageContext msgContext) { + Exception exception = null; try { WSSecurityConfiguration configuration = getSecurityConfiguration(msgContext); @@ -93,11 +114,22 @@ new WSSecurityDispatcher().encodeMessage(configuration, soapMessage, null, user, pass); } } - catch (SOAPException ex) + catch (Exception ex) { - log.error("Cannot handle outbound ws-security", ex); + exception = ex; + } + + if (exception != null) + { + msgContext.setProperty(FAULT_THROWN, true); + if (exception instanceof CommonSOAPFaultException) + throw (CommonSOAPFaultException)exception; + + // Unexpected exception, log it + log.error("Cannot handle outbound ws-security", exception); return false; } + return true; } Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandlerInbound.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandlerInbound.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxrpc/WSSecurityHandlerInbound.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -22,6 +22,7 @@ package org.jboss.ws.extensions.security.jaxrpc; import javax.xml.rpc.handler.MessageContext; +import javax.xml.rpc.handler.soap.SOAPMessageContext; import org.jboss.ws.metadata.wsse.WSSecurityOMFactory; @@ -43,7 +44,19 @@ { return handleOutboundSecurity(msgContext); } + + public boolean handleFault(MessageContext msgContext) + { + // Skip any WS-Security Faults + if (thrownByMe(msgContext)) + return true; + // Mark the message as a fault, in case it ends up being encrypted + ((SOAPMessageContext)msgContext).getMessage().setFaultMessage(true); + + return handleOutboundSecurity(msgContext); + } + protected String getConfigResourceName() { return WSSecurityOMFactory.SERVER_RESOURCE_NAME; } Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Config.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Config.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Config.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -75,6 +75,11 @@ return username; } + public boolean includesFaults() + { + return (sign != null && sign.isIncludeFaults()) || (encrypt != null && encrypt.isIncludeFaults()); + } + public void setUsername(Username username) { this.username = username; Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Encrypt.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Encrypt.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Encrypt.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -38,14 +38,16 @@ private String algorithm; private String keyWrapAlgorithm; private String tokenRefType; + private boolean includeFaults; - public Encrypt(String type, String alias, String algorithm, String wrap, String tokenRefType) + public Encrypt(String type, String alias, String algorithm, String wrap, String tokenRefType, boolean includeFaults) { this.type = type; this.alias = alias; this.algorithm = algorithm; this.keyWrapAlgorithm = wrap; this.tokenRefType = tokenRefType; + this.includeFaults = includeFaults; } public String getAlias() @@ -97,4 +99,14 @@ { this.tokenRefType = tokenRefType; } + + public boolean isIncludeFaults() + { + return includeFaults; + } + + public void setIncludeFaults(boolean includeFaults) + { + this.includeFaults = includeFaults; + } } Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -30,4 +30,21 @@ public class RequireEncryption extends Targetable { private static final long serialVersionUID = 3765798680988205647L; + + private boolean includeFaults; + + public RequireEncryption(boolean includeFaults) + { + this.includeFaults = includeFaults; + } + + public boolean isIncludeFaults() + { + return includeFaults; + } + + public void setIncludeFaults(boolean includeFaults) + { + this.includeFaults = includeFaults; + } } Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireSignature.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireSignature.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireSignature.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -22,12 +22,28 @@ package org.jboss.ws.metadata.wsse; /** - * <code>Sign</code> represents the sign tag, which declares that a message - * should be signed. + * <code>RequireSignature</code> indicates that a message received from a peer must be signed. * * @author <a href="mailto:jason.greene@jboss.com">Jason T. Greene</a> */ public class RequireSignature extends Targetable { private static final long serialVersionUID = -3854930944550152309L; -} + + private boolean includeFaults; + + public RequireSignature(boolean includeFaults) + { + this.includeFaults = includeFaults; + } + + public boolean isIncludeFaults() + { + return includeFaults; + } + + public void setIncludeFaults(boolean includeFaults) + { + this.includeFaults = includeFaults; + } +} \ No newline at end of file Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Requires.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Requires.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Requires.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -65,4 +65,10 @@ { this.requireTimestamp = requireTimestamp; } + + public boolean includesFaults() + { + return (requireSignature != null && requireSignature.isIncludeFaults()) + || (requireEncryption != null && requireEncryption.isIncludeFaults()); + } } Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Sign.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Sign.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/Sign.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -35,13 +35,15 @@ private String alias; private boolean includeTimestamp; private String tokenRefType; + private boolean includeFaults; - public Sign(String type, String alias, boolean includeTimestamp, String tokenRefType) + public Sign(String type, String alias, boolean includeTimestamp, String tokenRefType, boolean includeFaults) { this.type = type; this.alias = alias; this.includeTimestamp = includeTimestamp; this.tokenRefType = tokenRefType; + this.includeFaults = includeFaults; } public String getAlias() @@ -59,6 +61,16 @@ return type; } + public boolean isIncludeFaults() + { + return includeFaults; + } + + public void setIncludeFaults(boolean includeFaults) + { + this.includeFaults = includeFaults; + } + public void setType(String type) { this.type = type; Modified: stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2010-06-18 11:04:04 UTC (rev 12498) +++ stack/native/branches/dlofthouse/JBWS-1119/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2010-06-18 11:06:21 UTC (rev 12499) @@ -50,7 +50,7 @@ public static final String CLIENT_RESOURCE_NAME = "jboss-wsse-client.xml"; - private static HashMap options = new HashMap(7); + private static HashMap<String, String> options = new HashMap<String, String>(6); static { @@ -93,6 +93,7 @@ } catch (JBossXBException e) { + log.error("Could not parse " + configURL + ":", e); IOException ioex = new IOException("Cannot parse: " + configURL); Throwable cause = e.getCause(); if (cause != null) @@ -261,17 +262,26 @@ if ("sign".equals(localName)) { // By default, we alwyas include a timestamp - Boolean include = new Boolean(true); - String timestamp = attrs.getValue("", "includeTimestamp"); - if (timestamp != null) - include = (Boolean)SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, timestamp, null); + boolean includeTimestamp = true; + String value = attrs.getValue("", "includeTimestamp"); + if (value != null) + includeTimestamp = (Boolean) SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null); - return new Sign(attrs.getValue("", "type"), attrs.getValue("", "alias"), include.booleanValue(), attrs.getValue("", "tokenReference")); + boolean includeFaults = false; + value = attrs.getValue("", "includeFaults"); + if (value != null) + includeFaults = (Boolean) SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null); + + return new Sign(attrs.getValue("", "type"), attrs.getValue("", "alias"), includeTimestamp, attrs.getValue("", "tokenReference"), includeFaults); } else if ("encrypt".equals(localName)) { - return new Encrypt(attrs.getValue("", "type"), attrs.getValue("", "alias"), attrs.getValue("", "algorithm"), attrs.getValue("", "keyWrapAlgorithm"), attrs - .getValue("", "tokenReference")); + boolean includeFaults = false; + String value = attrs.getValue("", "includeFaults"); + if (value != null) + includeFaults = (Boolean) SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null); + + return new Encrypt(attrs.getValue("", "type"), attrs.getValue("", "alias"), attrs.getValue("", "algorithm"), attrs.getValue("", "keyWrapAlgorithm"), attrs.getValue("", "tokenReference"),includeFaults); } else if ("timestamp".equals(localName)) { @@ -452,11 +462,21 @@ log.trace("newChild: " + localName); if ("signature".equals(localName)) { - return new RequireSignature(); + boolean includeFaults = false; + String value = attrs.getValue("", "includeFaults"); + if (value != null) + includeFaults = (Boolean) SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null); + + return new RequireSignature(includeFaults); } else if ("encryption".equals(localName)) { - return new RequireEncryption(); + boolean includeFaults = false; + String value = attrs.getValue("", "includeFaults"); + if (value != null) + includeFaults = (Boolean) SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null); + + return new RequireEncryption(includeFaults); } else if ("timestamp".equals(localName)) {