Author: alessio.soldano(a)jboss.com
Date: 2008-03-11 20:35:29 -0400 (Tue, 11 Mar 2008)
New Revision: 5925
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallback.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallbackHandler.java
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/core/utils/ThreadLocalAssociation.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Constants.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Util.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/element/UsernameToken.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/SendUsernameOperation.java
Log:
[JBWS-1988] Adding support for digest and nonce (still without nonce and created timestamp
cache)
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/core/utils/ThreadLocalAssociation.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/core/utils/ThreadLocalAssociation.java 2008-03-12
00:33:29 UTC (rev 5924)
+++
stack/native/trunk/src/main/java/org/jboss/ws/core/utils/ThreadLocalAssociation.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -27,6 +27,7 @@
import java.util.List;
import java.util.Stack;
+import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.ws.core.CommonMessageContext;
import org.jboss.ws.extensions.security.SecurityStore;
@@ -54,7 +55,7 @@
* Public keys used to sign incoming message
*/
private static ThreadLocal<List<PublicKey>> signatureKeysAssoc = new
ThreadLocal<List<PublicKey>>();
-
+
public static ThreadLocal<Stack<CommonMessageContext>>
localMsgContextAssoc()
{
return msgContextAssoc;
@@ -69,11 +70,16 @@
{
return signatureKeysAssoc;
}
-
+
public static void clear()
{
msgContextAssoc.remove();
strTransformAssoc.remove();
signatureKeysAssoc.remove();
+ //This removes a custom callback security handler that might have
+ //been set if using UsernameTokenProfile with digest; doing this
+ //here won't be required anymore once our custom security manager
+ //will be used in our wsse implementation.
+ CallbackHandlerPolicyContextHandler.setCallbackHandler(null);
}
}
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Constants.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Constants.java 2008-03-12
00:33:29 UTC (rev 5924)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Constants.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -57,6 +57,10 @@
public static final String WSU_ID = WSU_PREFIX + ":" + ID;
public static final String BASE64_ENCODING_TYPE = WSS_SOAP_NS +
"#Base64Binary";
+
+ public static final String PASSWORD_TEXT_TYPE = WSSE_NS + "#PasswordText";
+
+ public static final String PASSWORD_DIGEST_TYPE = WSSE_NS +
"#PasswordDigest";
public static final String WSSE_HEADER = WSSE_PREFIX + ":Security";
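Review bot: `PASSWORD_TEXT_TYPE` and `PASSWORD_DIGEST_TYPE` are built from `WSSE_NS`, which is defined outside this hunk, but the UsernameToken Profile 1.0 uses a different base URI: `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText`, and the same base with `#PasswordDigest`. If `WSSE_NS` is the secext schema namespace, a digest token from a conforming peer will not equal `PASSWORD_DIGEST_TYPE` in the `UsernameToken(Element)` constructor. Its digest would then be treated as a plain-text password and authentication would fail. A dedicated constant for the profile URI, with both types derived from it, would avoid this.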
Modified: stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Util.java
===================================================================
--- stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Util.java 2008-03-12
00:33:29 UTC (rev 5924)
+++ stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Util.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -21,11 +21,16 @@
*/
package org.jboss.ws.extensions.security;
+//$Id$
+
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import javax.xml.namespace.QName;
+import org.jboss.util.Base64;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -36,7 +41,20 @@
public class Util
{
public static int count = 0;
-
+ private static SecureRandom pseudoRng;
+
+ static
+ {
+ try
+ {
+ pseudoRng = SecureRandom.getInstance("SHA1PRNG");
+ pseudoRng.setSeed(System.currentTimeMillis());
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ }
+ }
+
public static String assignWsuId(Element element)
{
String id = element.getAttributeNS(Constants.WSU_NS, Constants.ID);
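Review bot: Calling `pseudoRng.setSeed(System.currentTimeMillis())` before the first `nextBytes` makes the SHA1PRNG instance depend on that seed alone, instead of seeding itself from the platform entropy source. The nonces returned by `generateNonce()` (added in the last hunk of this file) are therefore derived from a guessable clock value. The empty `catch` also leaves `pseudoRng` null when the algorithm is unavailable, which only shows up later as a NullPointerException in `generateNonce()`. Replacing the field and the static block with `private static final SecureRandom pseudoRng = new SecureRandom();` removes both problems. The body of `Util` continues outside this hunk.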
@@ -214,4 +232,11 @@
return id.toString();
}
+
+ public static String generateNonce()
+ {
+ byte[] bytes = new byte[32];
+ pseudoRng.nextBytes(bytes);
+ return Base64.encodeBytes(bytes);
+ }
}
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2008-03-12
00:33:29 UTC (rev 5924)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -53,6 +53,7 @@
import org.jboss.ws.metadata.wsse.Requires;
import org.jboss.ws.metadata.wsse.Sign;
import org.jboss.ws.metadata.wsse.Timestamp;
+import org.jboss.ws.metadata.wsse.Username;
import org.jboss.ws.metadata.wsse.WSSecurityConfiguration;
import org.jboss.wsf.common.DOMWriter;
import org.w3c.dom.Element;
@@ -196,9 +197,10 @@
operations.add(new TimestampOperation(timestamp.getTtl()));
}
- if (config.getUsername() != null && user != null && password !=
null)
+ Username username = config.getUsername();
+ if (username != null && user != null && password != null)
{
- operations.add(new SendUsernameOperation(user, password));
+ operations.add(new SendUsernameOperation(user, password,
username.isDigestPassword(), username.isUseNonce(), username.isUseCreated()));
}
Sign sign = config.getSign();
@@ -208,7 +210,7 @@
if (sign.isIncludeTimestamp())
{
if (timestamp == null)
- operations.add(new TimestampOperation(null)); //TODO!! check this null
+ operations.add(new TimestampOperation(null));
if (targets != null && targets.size() > 0)
targets.add(new WsuIdTarget("timestamp"));
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallback.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallback.java
(rev 0)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallback.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -0,0 +1,113 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.ws.extensions.security.auth.callback;
+
+//$Id$
+
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+
+import org.jboss.crypto.digest.DigestCallback;
+import org.jboss.security.Base64Encoder;
+import org.jboss.security.auth.callback.MapCallback;
+import org.jboss.ws.WSException;
+
+/**
+ * An implementation of DigestCallback that generates password
+ * digests according to the UsernameTokenProfile 1.0 specification.
+ *
+ * @author alessio.soldano(a)jboss.com
+ * @since 12-Mar-2008
+ *
+ */
+public class UsernameTokenCallback implements DigestCallback
+{
+ public static final String NONCE = "nonce";
+ public static final String CREATED = "created";
+
+ private MapCallback info;
+
+ @SuppressWarnings("unchecked")
+ public void init(Map options)
+ {
+ //System.out.println("Chiamato init!!!");
+ // Ask for MapCallback to obtain the digest parameters
+ info = new MapCallback();
+ Callback[] callbacks = { info };
+ options.put("callbacks", callbacks);
+ }
+
+ public void preDigest(MessageDigest digest)
+ {
+ //System.out.println("Chiamato pre!!!");
+ try
+ {
+ String nonce = (String)info.getInfo(NONCE);
+ if (nonce != null)
+ digest.update(nonce.getBytes("UTF-8"));
+ String created = (String)info.getInfo(CREATED);
+ if (created != null)
+ digest.update(created.getBytes("UTF-8"));
+ }
+ catch (UnsupportedEncodingException e)
+ {
+ throw new WSException(e);
+ }
+ }
+
+ public void postDigest(MessageDigest digest)
+ {
+// System.out.println("Chiamato post!!!");
+ }
+
+ @SuppressWarnings("unchecked")
+ public static void main(String[] args) throws Exception
+ {
+ if (args.length != 3)
+ {
+ System.err.println("Usage: UsernameTokenCallback nonce created
password");
+ System.err.println(" - nonce : the nonce");
+ System.err.println(" - created : the creation timestamp");
+ System.err.println(" - password : the plain text password");
+ System.exit(1);
+ }
+ String nonce = args[0];
+ String created = args[1];
+ String password = args[2];
+
+ MessageDigest digest = MessageDigest.getInstance("SHA");
+ UsernameTokenCallback utc = new UsernameTokenCallback();
+ Map options = new HashMap();
+ utc.init(options);
+ CallbackHandler cbh = new UsernameTokenCallbackHandler(nonce, created);
+ cbh.handle((Callback[])options.get("callbacks"));
+ utc.preDigest(digest);
+ byte[] result = digest.digest(password.getBytes("UTF-8"));
+ System.out.println("UsernameToken password digest: " +
Base64Encoder.encode(result));
+ }
+
+}
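Review bot: `preDigest` hashes the UTF-8 bytes of the nonce string, but that string is the Base64 form produced by `Util.generateNonce()` and labelled by the `EncodingType` that `UsernameToken` writes. The UsernameToken Profile defines the digest as `Base64(SHA-1(nonce + created + password))`, and version 1.1 clarifies that the nonce is hashed as its decoded octets. As written, the digest should only verify against peers that make the same choice; decoding the nonce before `digest.update(...)` would align it with the profile. Separately, `main` takes the plain-text password as a command-line argument, where it is exposed through the process list and shell history. The commented-out `System.out.println` debug lines should also be removed.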
Property changes on:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallback.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallbackHandler.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallbackHandler.java
(rev 0)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallbackHandler.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -0,0 +1,79 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.ws.extensions.security.auth.callback;
+
+//$Id$
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.jboss.security.auth.callback.MapCallback;
+
+/**
+ * A callback handler to be used to pass parameters to the
+ * UsernameTokenCallback.
+ *
+ * @author alessio.soldano(a)jboss.com
+ * @since 12-Mar-2008
+ *
+ */
+public class UsernameTokenCallbackHandler implements CallbackHandler
+{
+ private String nonce;
+ private String created;
+
+ public UsernameTokenCallbackHandler(String nonce, String created)
+ {
+ this.created = created;
+ this.nonce = nonce;
+ }
+
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException
+ {
+ boolean foundCallback = false;
+ Callback firstUnknown = null;
+ int count = callbacks != null ? callbacks.length : 0;
+ for(int n = 0; n < count; n ++)
+ {
+ Callback c = callbacks[n];
+ if( c instanceof MapCallback )
+ {
+ //set parameters to the MapCallback the UsernameTokenCallback
+ //created and set up in the init method
+ MapCallback mc = (MapCallback) c;
+ mc.setInfo(UsernameTokenCallback.NONCE, nonce);
+ mc.setInfo(UsernameTokenCallback.CREATED, created);
+ foundCallback = true;
+ }
+ else if( firstUnknown == null )
+ {
+ firstUnknown = c;
+ }
+ }
+ if( foundCallback == false )
+ throw new UnsupportedCallbackException(firstUnknown, "Unrecognized
Callback");
+ }
+
+}
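Review bot: `handle` has no Javadoc, and its behaviour differs from the usual `CallbackHandler` contract. Entries that are not a `MapCallback` are skipped silently whenever at least one `MapCallback` is present, and `UnsupportedCallbackException` is thrown only when none is found (with a null callback if the array is null or empty). I would state that on the method, for example `/** Copies nonce and created into every MapCallback; other callbacks are ignored, and UnsupportedCallbackException is raised only if no MapCallback was supplied. */`. The `nonce` and `created` fields are assigned once in the constructor and can be `final`, and `foundCallback == false` reads better as `!foundCallback`.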
Property changes on:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/auth/callback/UsernameTokenCallbackHandler.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/element/UsernameToken.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/element/UsernameToken.java 2008-03-12
00:33:29 UTC (rev 5924)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/element/UsernameToken.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -21,10 +21,15 @@
*/
package org.jboss.ws.extensions.security.element;
+import java.util.Iterator;
+
+import javax.xml.namespace.QName;
+
import org.apache.xml.security.utils.XMLUtils;
import org.jboss.ws.extensions.security.Constants;
import org.jboss.ws.extensions.security.Util;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
+import org.jboss.wsf.common.DOMUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -38,6 +43,12 @@
private String username;
private String password;
+
+ private boolean digest;
+
+ private String nonce;
+
+ private String created;
private Document doc;
@@ -45,13 +56,17 @@
private Element cachedElement;
- public UsernameToken(String username, String password, Document doc)
+ public UsernameToken(String username, String password, Document doc, boolean digest,
String nonce, String created)
{
this.username = username;
this.password = password;
this.doc = doc;
+ this.digest = digest;
+ this.nonce = nonce;
+ this.created = created;
}
+ @SuppressWarnings("unchecked")
public UsernameToken(Element element) throws WSSecurityException
{
this.doc = element.getOwnerDocument();
@@ -72,6 +87,24 @@
throw new WSSecurityException("Password child expected in UsernameToken
element");
this.password = XMLUtils.getFullTextChildrenFromElement(child);
+ String passwordType = child.getAttribute("Type");
+ this.digest = Constants.PASSWORD_DIGEST_TYPE.equals(passwordType);
+
+ Iterator<Element> itNonce = DOMUtils.getChildElements(element, new
QName(Constants.WSSE_NS, "Nonce"));
+ if (itNonce != null && itNonce.hasNext())
+ {
+ Element elem = itNonce.next();
+ String encodingType = elem.getAttribute("EncodingType");
+ if (encodingType != null &&
!Constants.BASE64_ENCODING_TYPE.equalsIgnoreCase(encodingType))
+ throw new WSSecurityException("Unsupported nonce encoding type: " +
encodingType);
+ this.nonce = XMLUtils.getFullTextChildrenFromElement(elem);
+ }
+
+ Iterator<Element> itCreated = DOMUtils.getChildElements(element, new
QName(Constants.WSSE_NS, "Created"));
+ if (itCreated != null && itCreated.hasNext())
+ {
+ this.created = XMLUtils.getFullTextChildrenFromElement(itCreated.next());
+ }
}
public String getId()
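Review bot: The `encodingType != null` guard in the Nonce branch never takes effect, because `Element.getAttribute` returns an empty string for a missing attribute. A `Nonce` without `EncodingType` is therefore rejected as unsupported, although Base64Binary is the profile's default; `if (encodingType.length() > 0 && !Constants.BASE64_ENCODING_TYPE.equalsIgnoreCase(encodingType))` would accept it. The `Created` child is also looked up in `Constants.WSSE_NS` here and written in that namespace in the `@@ -121,8 +154,24 @@` hunk, whereas the profile defines it as `wsu:Created`. A conforming peer's timestamp would be missed and its digest would not verify, so both places should use `Constants.WSU_NS` (with `Constants.WSU_PREFIX` when writing). The constructor starts outside this hunk.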
@@ -121,8 +154,24 @@
element.appendChild(child);
child = doc.createElementNS(Constants.WSSE_NS, Constants.WSSE_PREFIX +
":" + "Password");
child.appendChild(doc.createTextNode(password));
+ child.setAttribute("Type", digest ? Constants.PASSWORD_DIGEST_TYPE :
Constants.PASSWORD_TEXT_TYPE);
element.appendChild(child);
-
+ if (digest)
+ {
+ if (nonce != null)
+ {
+ child = doc.createElementNS(Constants.WSSE_NS, Constants.WSSE_PREFIX +
":" + "Nonce");
+ child.appendChild(doc.createTextNode(nonce));
+ child.setAttribute("EncodingType",
Constants.BASE64_ENCODING_TYPE);
+ element.appendChild(child);
+ }
+ if (created != null)
+ {
+ child = doc.createElementNS(Constants.WSSE_NS, Constants.WSSE_PREFIX +
":" + "Created");
+ child.appendChild(doc.createTextNode(created));
+ element.appendChild(child);
+ }
+ }
cachedElement = element;
return cachedElement;
}
@@ -131,4 +180,19 @@
{
return null;
}
+
+ public boolean isDigest()
+ {
+ return digest;
+ }
+
+ public String getNonce()
+ {
+ return nonce;
+ }
+
+ public String getCreated()
+ {
+ return created;
+ }
}
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java 2008-03-12
00:33:29 UTC (rev 5924)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -23,9 +23,13 @@
// $Id$
+import javax.security.auth.callback.CallbackHandler;
+
import org.jboss.logging.Logger;
+import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.ws.extensions.security.SecurityStore;
import org.jboss.ws.extensions.security.SimplePrincipal;
+import org.jboss.ws.extensions.security.auth.callback.UsernameTokenCallbackHandler;
import org.jboss.ws.extensions.security.element.SecurityHeader;
import org.jboss.ws.extensions.security.element.Token;
import org.jboss.ws.extensions.security.element.UsernameToken;
@@ -58,6 +62,11 @@
SecurityAdaptor securityAdaptor = secAdapterfactory.newSecurityAdapter();
Logger.getLogger(this.getClass()).info("Username: " +
user.getUsername());
Logger.getLogger(this.getClass()).info("Password: " +
user.getPassword());
+ if (user.isDigest())
+ {
+ CallbackHandler handler = new UsernameTokenCallbackHandler(user.getNonce(),
user.getCreated());
+ CallbackHandlerPolicyContextHandler.setCallbackHandler(handler);
+ }
securityAdaptor.setPrincipal(new SimplePrincipal(user.getUsername()));
securityAdaptor.setCredential(user.getPassword());
}
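Review bot: The handler is installed only when `user.isDigest()` is true and nothing resets it for a plain-text token. Assuming it is held per thread, as the comment added to `ThreadLocalAssociation.clear()` suggests, a stale handler from an earlier request is cleared only if `clear()` ran. An `else` branch with `CallbackHandlerPolicyContextHandler.setCallbackHandler(null);` would make this method self-contained. The two `info` log lines kept as context above the new block write the credential to the server log, and with this change that value can be a password digest, so I would drop the password line or log a fixed marker instead. There is also no check that a digest token carries a nonce and a created value; without them the digest is a fixed hash of the password. The enclosing method starts outside the hunk.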
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/SendUsernameOperation.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/SendUsernameOperation.java 2008-03-12
00:33:29 UTC (rev 5924)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/operation/SendUsernameOperation.java 2008-03-12
00:35:29 UTC (rev 5925)
@@ -21,25 +21,94 @@
*/
package org.jboss.ws.extensions.security.operation;
+//$Id$
+
+import java.security.MessageDigest;
+import java.util.Calendar;
+import java.util.GregorianCalendar;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.TimeZone;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+
+import org.jboss.logging.Logger;
+import org.jboss.security.Base64Encoder;
import org.jboss.ws.extensions.security.SecurityStore;
+import org.jboss.ws.extensions.security.Util;
+import org.jboss.ws.extensions.security.auth.callback.UsernameTokenCallback;
+import org.jboss.ws.extensions.security.auth.callback.UsernameTokenCallbackHandler;
import org.jboss.ws.extensions.security.element.SecurityHeader;
import org.jboss.ws.extensions.security.element.UsernameToken;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
+import org.jboss.xb.binding.SimpleTypeBindings;
import org.w3c.dom.Document;
public class SendUsernameOperation implements EncodingOperation
{
+ private static Logger log = Logger.getLogger(SendUsernameOperation.class);
+
private String username;
private String credential;
+ private boolean digestPassword;
+ private boolean useNonce;
+ private boolean useCreated;
- public SendUsernameOperation(String username, String credential)
+ public SendUsernameOperation(String username, String credential, boolean
digestPassword, boolean useNonce, boolean useCreated)
{
this.username = username;
this.credential = credential;
+ this.digestPassword = digestPassword;
+ this.useNonce = useNonce;
+ this.useCreated = useCreated;
}
public void process(Document message, SecurityHeader header, SecurityStore store)
throws WSSecurityException
{
- header.addToken(new UsernameToken(username, credential, message));
+ String created = useCreated ? getCurrentTimestampAsString() : null;
+ String nonce = useNonce ? Util.generateNonce() : null;
+ String password = digestPassword ? createPasswordDigest(nonce, created, credential)
: credential;
+ header.addToken(new UsernameToken(username, password, message, digestPassword,
nonce, created));
}
+
+
+ private static String getCurrentTimestampAsString()
+ {
+ Calendar timestamp = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
+ return SimpleTypeBindings.marshalDateTime(timestamp);
+ }
+
+ /**
+ * Calculate the password digest using a MessageDigest and the
UsernameTokenCallback/CallbackHandler
+ */
+ @SuppressWarnings("unchecked")
+ public static String createPasswordDigest(String nonce, String created, String
password)
+ {
+ String passwordHash = null;
+ try
+ {
+ // convert password to byte data
+ byte[] passBytes = password.getBytes("UTF-8");
+ // prepare the username token digest callback
+ UsernameTokenCallback callback = new UsernameTokenCallback();
+ Map options = new HashMap();
+ callback.init(options);
+ // add the username token callback handler to provide the parameters
+ CallbackHandler handler = new UsernameTokenCallbackHandler(nonce, created);
+ handler.handle((Callback[])options.get("callbacks"));
+ // calculate the hash and apply the encoding.
+ MessageDigest md = MessageDigest.getInstance("SHA");
+ callback.preDigest(md);
+ md.update(passBytes);
+ callback.postDigest(md);
+ byte[] hash = md.digest();
+ passwordHash = Base64Encoder.encode(hash);
+ }
+ catch(Exception e)
+ {
+ log.error("Password hash calculation failed ", e);
+ }
+ return passwordHash;
+ }
}
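Review bot: `createPasswordDigest` logs any exception and returns null, and `process` passes that null straight into `new UsernameToken(...)`. A digest failure therefore shows up as a malformed token, or as an unrelated error during element creation, rather than as a clear security failure. `process` already declares `WSSecurityException`, so a guard before `header.addToken` would surface it: `if (digestPassword && password == null) throw new WSSecurityException("Password digest calculation failed");`. When `digestPassword` is set with `useNonce` and `useCreated` both false, the value sent is the bare SHA-1 of the password and is identical for every message. Rejecting or warning on that configuration is worth considering.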