
Example 1 with XMLSecurityStreamReader

use of org.apache.xml.security.stax.impl.XMLSecurityStreamReader in project santuario-java by apache.

the class InboundXMLSec method processInMessage.

/**
 * Warning:
 * Configure the XMLInputFactory that creates your xmlStreamReader correctly before handing the
 * reader to this method. Otherwise you can create a security hole, because DTD processing and
 * external entity resolution (XXE) may be left enabled on the parser.
 * At minimum configure the following properties (the last one is Woodstox-specific):
 * <pre>
 * xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 * xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 * xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, false);
 * xmlInputFactory.setProperty(WstxInputProperties.P_MIN_TEXT_SEGMENT, Integer.valueOf(8192));
 * </pre>
 * <p>
 * This method is the entry point for the incoming security-engine.
 * Hand over the original XMLStreamReader and use the returned one for further processing.
 *
 * @param xmlStreamReader The original XMLStreamReader
 * @param requestSecurityEvents A List of requested SecurityEvents; may be null
 * @param securityEventListener A SecurityEventListener to receive security-relevant events.
 * @return A new XMLStreamReader which transparently performs the security processing.
 * @throws XMLStreamException thrown when a streaming error occurs
 */
public XMLStreamReader processInMessage(XMLStreamReader xmlStreamReader, List<SecurityEvent> requestSecurityEvents, SecurityEventListener securityEventListener) throws XMLStreamException {
    // A null request list is treated as "no security events requested".
    final List<SecurityEvent> requestedEvents =
            requestSecurityEvents != null ? requestSecurityEvents : Collections.<SecurityEvent>emptyList();

    // Per-message security context: requested events, the listener and the input factory.
    final InboundSecurityContextImpl securityContext = new InboundSecurityContextImpl();
    securityContext.putList(SecurityEvent.class, requestedEvents);
    securityContext.addSecurityEventListener(securityEventListener);
    securityContext.put(XMLSecurityConstants.XMLINPUTFACTORY, xmlInputFactory);

    // Document context: fall back to UTF-8 when the reader does not report an encoding.
    final DocumentContextImpl docContext = new DocumentContextImpl();
    if (xmlStreamReader.getEncoding() != null) {
        docContext.setEncoding(xmlStreamReader.getEncoding());
    } else {
        docContext.setEncoding(java.nio.charset.StandardCharsets.UTF_8.name());
    }
    // The location can be null (woodstox 3.2.9 returns null when used with a DOMSource),
    // in which case no base URI is recorded.
    final Location readerLocation = xmlStreamReader.getLocation();
    if (readerLocation != null) {
        docContext.setBaseURI(readerLocation.getSystemId());
    }

    // Chain order matters: the event reader first, then user-supplied processors, then the
    // security processor.
    // The supplied reader is wrapped as-is; nothing in this method changes its parser settings,
    // so DTD / external-entity handling must already be locked down by the caller.
    final InputProcessorChainImpl chain = new InputProcessorChainImpl(securityContext, docContext);
    chain.addProcessor(new XMLEventReaderInputProcessor(securityProperties, xmlStreamReader));
    for (InputProcessor extraProcessor : securityProperties.getInputProcessorList()) {
        chain.addProcessor(extraProcessor);
    }
    chain.addProcessor(new XMLSecurityInputProcessor(securityProperties));

    // Only when trace logging is on: add a logging processor placed after the security processor.
    if (LOG.isTraceEnabled()) {
        final LogInputProcessor traceProcessor = new LogInputProcessor(securityProperties);
        traceProcessor.addAfterProcessor(XMLSecurityInputProcessor.class.getName());
        chain.addProcessor(traceProcessor);
    }

    return new XMLSecurityStreamReader(chain, securityProperties);
}
Also used : InputProcessorChainImpl(org.apache.xml.security.stax.impl.InputProcessorChainImpl) XMLSecurityStreamReader(org.apache.xml.security.stax.impl.XMLSecurityStreamReader) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) XMLEventReaderInputProcessor(org.apache.xml.security.stax.impl.processor.input.XMLEventReaderInputProcessor) XMLSecurityInputProcessor(org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor) LogInputProcessor(org.apache.xml.security.stax.impl.processor.input.LogInputProcessor) XMLEventReaderInputProcessor(org.apache.xml.security.stax.impl.processor.input.XMLEventReaderInputProcessor) XMLSecurityInputProcessor(org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor) LogInputProcessor(org.apache.xml.security.stax.impl.processor.input.LogInputProcessor) DocumentContextImpl(org.apache.xml.security.stax.impl.DocumentContextImpl) Location(javax.xml.stream.Location)

Example 2 with XMLSecurityStreamReader

use of org.apache.xml.security.stax.impl.XMLSecurityStreamReader in project santuario-java by apache.

the class XMLSecurityStreamReaderTest method testCorrectness.

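/**
 * Verifies that {@link XMLSecurityStreamReader} reports the same event sequence and the same
 * per-event data as a plain StAX {@code XMLStreamReader} reading plain-soap-1.1.xml.
 * <p>
 * NOTE(review): assumes the test-local EventReaderProcessor feeds that same document into the
 * processor chain; it is declared outside this method - confirm.
 */
@Test
public void testCorrectness() throws Exception {
    XMLSecurityProperties securityProperties = new XMLSecurityProperties();
    InboundSecurityContextImpl securityContext = new InboundSecurityContextImpl();
    DocumentContextImpl documentContext = new DocumentContextImpl();
    documentContext.setEncoding(StandardCharsets.UTF_8.name());
    InputProcessorChainImpl inputProcessorChain = new InputProcessorChainImpl(securityContext, documentContext);
    inputProcessorChain.addProcessor(new EventReaderProcessor());
    XMLSecurityStreamReader xmlSecurityStreamReader = new XMLSecurityStreamReader(inputProcessorChain, securityProperties);

    // Reference reader. Coalescing is switched on so adjacent text arrives as one event.
    // The input is a fixture from the test classpath, not untrusted data.
    XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
    xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
    xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);

    // XMLStreamReader.close() does not close the underlying input source, so the stream is
    // managed separately with try-with-resources.
    try (java.io.InputStream testDocument = this.getClass().getClassLoader().getResourceAsStream("org/apache/xml/security/c14n/inExcl/plain-soap-1.1.xml")) {
        // Fail with a clear message instead of an obscure parser error when the fixture is missing.
        Assert.assertNotNull("test resource plain-soap-1.1.xml not found on the classpath", testDocument);
        XMLStreamReader stdXmlStreamReader = xmlInputFactory.createXMLStreamReader(testDocument);
        try {
            assertSameEventStream(stdXmlStreamReader, xmlSecurityStreamReader);
        } finally {
            stdXmlStreamReader.close();
        }
    }
}

/** Walks both readers in lock step and compares event type and event data at every position. */
private static void assertSameEventStream(XMLStreamReader stdReader, XMLStreamReader secReader) throws Exception {
    // Both readers are sampled before the first next(); the initial event is compared as well.
    int stdXMLEventType = stdReader.getEventType();
    int secXMLEventType = secReader.getEventType();
    while (true) {
        assertSameEventContent(stdXMLEventType, stdReader, secReader);
        // Ignorable whitespace: the reference reader reports SPACE while the security reader may
        // report CHARACTERS; that single difference is tolerated.
        if (stdXMLEventType == XMLStreamConstants.SPACE && secXMLEventType == XMLStreamConstants.CHARACTERS) {
            secXMLEventType = XMLStreamConstants.SPACE;
        }
        Assert.assertEquals(stdXMLEventType, secXMLEventType);
        if (!stdReader.hasNext()) {
            // Both readers have to run out of events at the same position.
            Assert.assertFalse(secReader.hasNext());
            return;
        }
        Assert.assertTrue(secReader.hasNext());
        stdXMLEventType = stdReader.next();
        secXMLEventType = secReader.next();
    }
}

/** Compares the data exposed for the current event; the event type of the reference reader decides what is checked. */
private static void assertSameEventContent(int stdXMLEventType, XMLStreamReader stdReader, XMLStreamReader secReader) {
    switch (stdXMLEventType) {
        case XMLStreamConstants.START_ELEMENT:
            Assert.assertTrue(secReader.isStartElement());
            Assert.assertFalse(secReader.isEndElement());
            assertSameElementName(stdReader, secReader);
            Assert.assertEquals(stdReader.getAttributeCount(), secReader.getAttributeCount());
            Assert.assertEquals(stdReader.getNamespaceCount(), secReader.getNamespaceCount());
            assertSameAttributes(stdReader, secReader);
            assertSameNamespaces(stdReader, secReader);
            break;
        case XMLStreamConstants.END_ELEMENT:
            Assert.assertFalse(secReader.isStartElement());
            Assert.assertTrue(secReader.isEndElement());
            assertSameElementName(stdReader, secReader);
            break;
        case XMLStreamConstants.PROCESSING_INSTRUCTION:
            Assert.assertEquals(stdReader.isCharacters(), secReader.isCharacters());
            Assert.assertEquals(stdReader.getPITarget(), secReader.getPITarget());
            Assert.assertEquals(stdReader.getPIData(), secReader.getPIData());
            break;
        case XMLStreamConstants.CHARACTERS:
        case XMLStreamConstants.COMMENT:
            Assert.assertEquals(stdReader.isCharacters(), secReader.isCharacters());
            Assert.assertEquals(stdReader.isWhiteSpace(), secReader.isWhiteSpace());
            assertSameText(stdReader, secReader);
            break;
        case XMLStreamConstants.SPACE:
            Assert.assertEquals(stdReader.isWhiteSpace(), secReader.isWhiteSpace());
            assertSameText(stdReader, secReader);
            break;
        case XMLStreamConstants.START_DOCUMENT:
            Assert.assertEquals(stdReader.getCharacterEncodingScheme(), secReader.getCharacterEncodingScheme());
            Assert.assertEquals(stdReader.getEncoding(), secReader.getEncoding());
            // getVersion() is intentionally not compared; that assertion was already disabled.
            break;
        case XMLStreamConstants.ENTITY_REFERENCE:
            Assert.assertEquals(stdReader.isCharacters(), secReader.isCharacters());
            Assert.assertEquals(stdReader.getText(), secReader.getText());
            break;
        case XMLStreamConstants.DTD:
        case XMLStreamConstants.CDATA:
        case XMLStreamConstants.ENTITY_DECLARATION:
            Assert.assertEquals(stdReader.isCharacters(), secReader.isCharacters());
            break;
        case XMLStreamConstants.END_DOCUMENT:
        case XMLStreamConstants.ATTRIBUTE:
        case XMLStreamConstants.NAMESPACE:
        case XMLStreamConstants.NOTATION_DECLARATION:
            // No event data is compared for these types; only the event type itself is checked.
            break;
    }
}

/** Compares the name-related accessors shared by START_ELEMENT and END_ELEMENT. */
private static void assertSameElementName(XMLStreamReader stdReader, XMLStreamReader secReader) {
    Assert.assertEquals(stdReader.getLocalName(), secReader.getLocalName());
    Assert.assertEquals(stdReader.getName(), secReader.getName());
    Assert.assertEquals(stdReader.getNamespaceURI(), secReader.getNamespaceURI());
    assertEqualsNullAsEmpty(stdReader.getPrefix(), secReader.getPrefix());
    Assert.assertEquals(stdReader.hasName(), secReader.hasName());
    Assert.assertEquals(stdReader.hasText(), secReader.hasText());
}

/** Compares every attribute of the current START_ELEMENT by index. */
private static void assertSameAttributes(XMLStreamReader stdReader, XMLStreamReader secReader) {
    for (int i = 0; i < stdReader.getAttributeCount(); i++) {
        Assert.assertEquals(stdReader.getAttributeLocalName(i), secReader.getAttributeLocalName(i));
        Assert.assertEquals(stdReader.getAttributeName(i), secReader.getAttributeName(i));
        assertEqualsNullAsEmpty(stdReader.getAttributeNamespace(i), secReader.getAttributeNamespace(i));
        assertEqualsNullAsEmpty(stdReader.getAttributePrefix(i), secReader.getAttributePrefix(i));
        Assert.assertEquals(stdReader.getAttributeType(i), secReader.getAttributeType(i));
        Assert.assertEquals(stdReader.getAttributeValue(i), secReader.getAttributeValue(i));
    }
}

/** Compares every namespace declaration of the current START_ELEMENT by index. */
private static void assertSameNamespaces(XMLStreamReader stdReader, XMLStreamReader secReader) {
    for (int i = 0; i < stdReader.getNamespaceCount(); i++) {
        assertEqualsNullAsEmpty(stdReader.getNamespacePrefix(i), secReader.getNamespacePrefix(i));
        Assert.assertEquals(stdReader.getNamespaceURI(i), secReader.getNamespaceURI(i));
    }
}

/** Compares the text of the current event through both the String and the char[] accessors. */
private static void assertSameText(XMLStreamReader stdReader, XMLStreamReader secReader) {
    Assert.assertEquals(stdReader.getText(), secReader.getText());
    Assert.assertEquals(
            new String(stdReader.getTextCharacters(), stdReader.getTextStart(), stdReader.getTextLength()),
            new String(secReader.getTextCharacters(), secReader.getTextStart(), secReader.getTextLength()));
    Assert.assertEquals(stdReader.getTextLength(), secReader.getTextLength());
}

/** Where the reference reader reports null, the security reader is expected to report "". */
private static void assertEqualsNullAsEmpty(String expected, String actual) {
    Assert.assertEquals(expected == null ? "" : expected, actual);
}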
Also used : InputProcessorChainImpl(org.apache.xml.security.stax.impl.InputProcessorChainImpl) XMLStreamReader(javax.xml.stream.XMLStreamReader) XMLSecurityStreamReader(org.apache.xml.security.stax.impl.XMLSecurityStreamReader) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) DocumentContextImpl(org.apache.xml.security.stax.impl.DocumentContextImpl) XMLInputFactory(javax.xml.stream.XMLInputFactory) Test(org.junit.Test)

Example 3 with XMLSecurityStreamReader

use of org.apache.xml.security.stax.impl.XMLSecurityStreamReader in project santuario-java by apache.

the class XMLSecurityStreamReaderTest method testIdentityTransformSource.

/**
 * Runs the security stream reader through a stylesheet-less transformer as a StAXSource and
 * checks that the serialized result is XML-equal to the content returned by readTestFile().
 */
@Test
public void testIdentityTransformSource() throws Exception {
    final XMLSecurityProperties properties = new XMLSecurityProperties();
    final InputProcessorChainImpl chain = new InputProcessorChainImpl(new InboundSecurityContextImpl());
    chain.addProcessor(new EventReaderProcessor());
    final XMLSecurityStreamReader secureReader = new XMLSecurityStreamReader(chain, properties);

    // The JDK-internal XSLTC factory is requested by name because the current xalan version
    // does not know how to handle StAXSources.
    // NOTE(review): the factory runs with its default feature set, which is acceptable for this
    // fixed test input; code transforming untrusted XML should enable
    // XMLConstants.FEATURE_SECURE_PROCESSING on the factory.
    final ClassLoader loader = this.getClass().getClassLoader();
    final TransformerFactory factory = TransformerFactory.newInstance("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", loader);
    final javax.xml.transform.Transformer identity = factory.newTransformer();

    final ByteArrayOutputStream serialized = new ByteArrayOutputStream();
    identity.transform(new StAXSource(secureReader), new StreamResult(serialized));

    final String expectedXml = readTestFile();
    final String actualXml = serialized.toString(StandardCharsets.UTF_8.name());
    XMLAssert.assertXMLEqual(expectedXml, actualXml);
}
Also used : InputProcessorChainImpl(org.apache.xml.security.stax.impl.InputProcessorChainImpl) TransformerFactory(javax.xml.transform.TransformerFactory) XMLSecurityStreamReader(org.apache.xml.security.stax.impl.XMLSecurityStreamReader) StreamResult(javax.xml.transform.stream.StreamResult) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) ByteArrayOutputStream(java.io.ByteArrayOutputStream) StAXSource(javax.xml.transform.stax.StAXSource) Test(org.junit.Test)

Example 4 with XMLSecurityStreamReader

use of org.apache.xml.security.stax.impl.XMLSecurityStreamReader in project santuario-java by apache.

the class XMLSecurityStreamReaderTest method testPassThroughDocumentEvents.

/**
 * With skipDocumentEvents set to false, the first call to next() is expected to report
 * START_DOCUMENT.
 */
@Test
public void testPassThroughDocumentEvents() throws Exception {
    final XMLSecurityProperties properties = new XMLSecurityProperties();
    properties.setSkipDocumentEvents(false);

    final InputProcessorChainImpl chain = new InputProcessorChainImpl(new InboundSecurityContextImpl());
    chain.addProcessor(new EventReaderProcessor());

    final XMLSecurityStreamReader reader = new XMLSecurityStreamReader(chain, properties);
    final int firstEvent = reader.next();
    Assert.assertEquals(XMLStreamConstants.START_DOCUMENT, firstEvent);
}
Also used : InputProcessorChainImpl(org.apache.xml.security.stax.impl.InputProcessorChainImpl) XMLSecurityStreamReader(org.apache.xml.security.stax.impl.XMLSecurityStreamReader) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) Test(org.junit.Test)

Example 5 with XMLSecurityStreamReader

use of org.apache.xml.security.stax.impl.XMLSecurityStreamReader in project santuario-java by apache.

the class XMLSecurityStreamReaderTest method testSkipThroughDocumentEvents.

/**
 * With skipDocumentEvents set to true, the first call to next() is expected to report
 * START_ELEMENT, i.e. the document-level event is not surfaced.
 */
@Test
public void testSkipThroughDocumentEvents() throws Exception {
    final XMLSecurityProperties properties = new XMLSecurityProperties();
    properties.setSkipDocumentEvents(true);

    final InputProcessorChainImpl chain = new InputProcessorChainImpl(new InboundSecurityContextImpl());
    chain.addProcessor(new EventReaderProcessor());

    final XMLSecurityStreamReader reader = new XMLSecurityStreamReader(chain, properties);
    final int firstEvent = reader.next();
    Assert.assertEquals(XMLStreamConstants.START_ELEMENT, firstEvent);
}
Also used : InputProcessorChainImpl(org.apache.xml.security.stax.impl.InputProcessorChainImpl) XMLSecurityStreamReader(org.apache.xml.security.stax.impl.XMLSecurityStreamReader) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) Test(org.junit.Test)

Aggregations

InboundSecurityContextImpl (org.apache.xml.security.stax.impl.InboundSecurityContextImpl)5 InputProcessorChainImpl (org.apache.xml.security.stax.impl.InputProcessorChainImpl)5 XMLSecurityStreamReader (org.apache.xml.security.stax.impl.XMLSecurityStreamReader)5 Test (org.junit.Test)4 DocumentContextImpl (org.apache.xml.security.stax.impl.DocumentContextImpl)2 ByteArrayOutputStream (java.io.ByteArrayOutputStream)1 Location (javax.xml.stream.Location)1 XMLInputFactory (javax.xml.stream.XMLInputFactory)1 XMLStreamReader (javax.xml.stream.XMLStreamReader)1 TransformerFactory (javax.xml.transform.TransformerFactory)1 StAXSource (javax.xml.transform.stax.StAXSource)1 StreamResult (javax.xml.transform.stream.StreamResult)1 LogInputProcessor (org.apache.xml.security.stax.impl.processor.input.LogInputProcessor)1 XMLEventReaderInputProcessor (org.apache.xml.security.stax.impl.processor.input.XMLEventReaderInputProcessor)1 XMLSecurityInputProcessor (org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor)1