Author: darran.lofthouse(a)jboss.com
Date: 2009-01-09 12:56:34 -0500 (Fri, 09 Jan 2009)
New Revision: 9006
Modified:
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/AuthorizeOperation.java
Log:
Refactoring to ensure the authorization check is always called when needed.
Modified:
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2009-01-09
17:12:10 UTC (rev 9005)
+++
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2009-01-09
17:56:34 UTC (rev 9006)
@@ -69,22 +69,19 @@
private TimestampVerification timestampVerification;
- private Authenticate authenticate;
-
- private Authorize authorize;
+ private Authenticate authenticate;
private HashSet<String> signedIds = new HashSet<String>();
private HashSet<String> encryptedIds = new HashSet<String>();
- public SecurityDecoder(SecurityStore store, NonceFactory nonceFactory,
TimestampVerification timestampVerification, Authenticate authenticate, Authorize
authorize)
+ public SecurityDecoder(SecurityStore store, NonceFactory nonceFactory,
TimestampVerification timestampVerification, Authenticate authenticate)
{
org.apache.xml.security.Init.init();
this.store = store;
this.nonceFactory = nonceFactory;
this.timestampVerification = timestampVerification;
this.authenticate = authenticate;
- this.authorize = authorize;
}
/**
@@ -94,9 +91,9 @@
* @param SecurityStore the security store that contains key and trust information
* @param now The timestamp to use as the current time when validating a message
expiration
*/
- public SecurityDecoder(SecurityStore store, Calendar now, NonceFactory nonceFactory,
TimestampVerification timestampVerification, Authenticate authenticate, Authorize
authorize)
+ public SecurityDecoder(SecurityStore store, Calendar now, NonceFactory nonceFactory,
TimestampVerification timestampVerification, Authenticate authenticate)
{
- this(store, nonceFactory, timestampVerification, authenticate, authorize);
+ this(store, nonceFactory, timestampVerification, authenticate);
this.now = now;
}
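Review bot: The Javadoc above this constructor documents only two of its five parameters, and `@param SecurityStore` names the type rather than the parameter `store`, so the `authenticate` parameter this change keeps (and the dropped `authorize`) are not described anywhere. Add `@param` entries for `store`, `nonceFactory`, `timestampVerification` and `authenticate`, noting for the last that the dispatcher passes null when no configuration is selected, and rename the existing tag to `@param store`. The Javadoc for the four-argument constructor in the previous hunk has the same gap.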
@@ -160,14 +157,8 @@
if (ids != null)
encryptedIds.addAll(ids);
}
- }
+ }
- if (authorize != null)
- {
- AuthorizeOperation authorizeOp = new AuthorizeOperation(authorize);
- authorizeOp.process();
- }
-
}
public void verify(List<RequireOperation> requireOperations) throws
WSSecurityException
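Review bot: With the `AuthorizeOperation` block removed, `decode()` no longer performs any authorization, so if the class Javadoc or the comment on `decode()` (both outside this hunk) still describe it as authenticating and authorizing the message they should be updated to say authorization is now the caller's responsibility. If these were the last uses of `Authorize` and `AuthorizeOperation` in `SecurityDecoder`, their imports are now unused and should be dropped as well. `decode()` begins before the start of this hunk.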
Modified:
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2009-01-09
17:12:10 UTC (rev 9005)
+++
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2009-01-09
17:56:34 UTC (rev 9006)
@@ -39,6 +39,7 @@
import org.jboss.ws.extensions.security.exception.WSSecurityException;
import org.jboss.ws.extensions.security.nonce.DefaultNonceFactory;
import org.jboss.ws.extensions.security.nonce.NonceFactory;
+import org.jboss.ws.extensions.security.operation.AuthorizeOperation;
import org.jboss.ws.extensions.security.operation.EncodingOperation;
import org.jboss.ws.extensions.security.operation.EncryptionOperation;
import org.jboss.ws.extensions.security.operation.RequireEncryptionOperation;
@@ -81,7 +82,7 @@
Config config = getActualConfig(configuration, operationConfig);
SOAPHeader soapHeader = message.getSOAPHeader();
QName secQName = new QName(Constants.WSSE_NS, "Security");
- Element secHeaderElement = (soapHeader != null) ? Util.findElement(soapHeader,
secQName) : null;
+ Element secHeaderElement = (soapHeader != null) ? Util.findElement(soapHeader,
secQName) : null;
if (secHeaderElement == null)
{
@@ -91,54 +92,76 @@
if (hasRequirements(config))
throw convertToFault(new InvalidSecurityHeaderException("This service
requires <wsse:Security>, which is missing."));
-
- return;
}
try
{
- SecurityStore securityStore = new SecurityStore(configuration.getKeyStoreURL(),
configuration.getKeyStoreType(), configuration.getKeyStorePassword(),
- configuration.getKeyPasswords(), configuration.getTrustStoreURL(),
configuration.getTrustStoreType(), configuration.getTrustStorePassword());
- NonceFactory factory = Util.loadFactory(NonceFactory.class,
configuration.getNonceFactory(), DefaultNonceFactory.class);
-
- Authenticate authenticate = null;
- Authorize authorize = null;
- if (config != null)
+ if (secHeaderElement != null)
{
- authenticate = config.getAuthenticate();
- authorize = config.getAuthorize();
+ decodeHeader(configuration, config, message, secHeaderElement);
}
- SecurityDecoder decoder = new SecurityDecoder(securityStore, factory,
configuration.getTimestampVerification(), authenticate, authorize);
-
- decoder.decode(message.getSOAPPart(), secHeaderElement);
-
- if (log.isTraceEnabled())
- log.trace("Decoded Message:\n" +
DOMWriter.printNode(message.getSOAPPart(), true));
-
- List<RequireOperation> operations = buildRequireOperations(config);
-
- decoder.verify(operations);
- if(log.isDebugEnabled()) log.debug("Verification is successful");
-
- decoder.complete();
+ authorize(config);
}
catch (WSSecurityException e)
{
if (e.isInternalError())
log.error("Internal error occured handling inbound message:", e);
- else if(log.isDebugEnabled()) log.debug("Returning error to sender: "
+ e.getMessage());
+ else if (log.isDebugEnabled())
+ log.debug("Returning error to sender: " + e.getMessage());
throw convertToFault(e);
}
-
+
}
+ private void decodeHeader(WSSecurityConfiguration configuration, Config config,
SOAPMessage message, Element secHeaderElement) throws WSSecurityException
+ {
+ SecurityStore securityStore = new SecurityStore(configuration.getKeyStoreURL(),
configuration.getKeyStoreType(), configuration.getKeyStorePassword(),
+ configuration.getKeyPasswords(), configuration.getTrustStoreURL(),
configuration.getTrustStoreType(), configuration.getTrustStorePassword());
+ NonceFactory factory = Util.loadFactory(NonceFactory.class,
configuration.getNonceFactory(), DefaultNonceFactory.class);
+
+ Authenticate authenticate = null;
+
+ if (config != null)
+ {
+ authenticate = config.getAuthenticate();
+ }
+
+ SecurityDecoder decoder = new SecurityDecoder(securityStore, factory,
configuration.getTimestampVerification(), authenticate);
+
+ decoder.decode(message.getSOAPPart(), secHeaderElement);
+
+ if (log.isTraceEnabled())
+ log.trace("Decoded Message:\n" +
DOMWriter.printNode(message.getSOAPPart(), true));
+
+ List<RequireOperation> operations = buildRequireOperations(config);
+
+ decoder.verify(operations);
+ if (log.isDebugEnabled())
+ log.debug("Verification is successful");
+
+ decoder.complete();
+ }
+
+ private void authorize(Config config) throws WSSecurityException
+ {
+ if (config != null)
+ {
+ Authorize authorize = config.getAuthorize();
+ if (authorize != null)
+ {
+ AuthorizeOperation authorizeOp = new AuthorizeOperation(authorize);
+ authorizeOp.process();
+ }
+ }
+ }
+
public void encodeMessage(WSSecurityConfiguration configuration, SOAPMessage message,
Config operationConfig, String user, String password) throws SOAPException
{
Config config = getActualConfig(configuration, operationConfig);
log.debug("WS-Security config: " + config);
-
+
// Nothing to process
if (config == null)
return;
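Review bot: `authorize(config)` now runs even when `secHeaderElement` is null and `hasRequirements(config)` is false, so a config that sets `<authorize>` without `<requires>` reaches `AuthorizeOperation.process()` with no WS-Security `Authenticate` step having run; whether that fails closed when no principal was established depends on `AuthorizeOperation`, which this hunk does not show. That looks intentional (callers authenticated outside WS-Security still get role-checked), but it is the kind of path that deserves both a comment and a test asserting that an unauthenticated request to an endpoint with roles configured is rejected rather than passed through. Suggest above the call: `// Runs even without a <wsse:Security> header so callers authenticated outside WS-Security are still checked; AuthorizeOperation must fail closed when no principal was established.` `decodeMessage` begins before this hunk, and the hunk ends inside `encodeMessage`.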
@@ -183,12 +206,13 @@
if (operations.size() == 0)
return;
- if(log.isDebugEnabled()) log.debug("Encoding Message:\n" +
DOMWriter.printNode(message.getSOAPPart(), true));
+ if (log.isDebugEnabled())
+ log.debug("Encoding Message:\n" +
DOMWriter.printNode(message.getSOAPPart(), true));
try
{
SecurityStore securityStore = new SecurityStore(configuration.getKeyStoreURL(),
configuration.getKeyStoreType(), configuration.getKeyStorePassword(),
- configuration.getKeyPasswords() , configuration.getTrustStoreURL(),
configuration.getTrustStoreType(), configuration.getTrustStorePassword());
+ configuration.getKeyPasswords(), configuration.getTrustStoreURL(),
configuration.getTrustStoreType(), configuration.getTrustStorePassword());
SecurityEncoder encoder = new SecurityEncoder(operations, securityStore);
encoder.encode(message.getSOAPPart());
}
@@ -196,7 +220,8 @@
{
if (e.isInternalError())
log.error("Internal error occured handling outbound message:", e);
- else if(log.isDebugEnabled()) log.debug("Returning error to sender: "
+ e.getMessage());
+ else if (log.isDebugEnabled())
+ log.debug("Returning error to sender: " + e.getMessage());
throw convertToFault(e);
}
@@ -210,7 +235,7 @@
securityAdaptor.setPrincipal(null);
securityAdaptor.setCredential(null);
}
-
+
private List<Target>
convertTargets(List<org.jboss.ws.metadata.wsse.Target> targets)
{
if (targets == null)
@@ -243,7 +268,7 @@
{
if (operationConfig == null)
return null;
-
+
Requires requires = operationConfig.getRequires();
if (requires == null)
return null;
@@ -281,7 +306,7 @@
{
EndpointMetaData epMetaData = ctx.getEndpointMetaData();
QName port = epMetaData.getPortName();
-
+
OperationMetaData opMetaData = ctx.getOperationMetaData();
if (opMetaData == null)
{
@@ -304,7 +329,7 @@
//null operationConfig means default behavior
return operationConfig != null ? operationConfig :
configuration.getDefaultConfig();
}
-
+
private Config selectOperationConfig(WSSecurityConfiguration configuration, QName
portName, QName opName)
{
Port port = configuration.getPorts().get(portName != null ? portName.getLocalPart()
: null);
@@ -322,8 +347,7 @@
}
return operation.getConfig();
}
-
-
+
private boolean hasRequirements(Config config)
{
return config != null && config.getRequires() != null;
Modified:
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/AuthorizeOperation.java
===================================================================
---
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/AuthorizeOperation.java 2009-01-09
17:12:10 UTC (rev 9005)
+++
stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/AuthorizeOperation.java 2009-01-09
17:56:34 UTC (rev 9006)
@@ -145,7 +145,6 @@
{
List<Role> roles = authorize.getRoles();
int rolesCount = (roles != null) ? roles.size() : 0;
- log.info(rolesCount);
Set<Principal> expectedRoles = new HashSet<Principal>(rolesCount);
if (roles != null)