Posted to commits@cxf.apache.org by as...@apache.org on 2010/11/03 16:58:36 UTC
svn commit: r1030508 - in /cxf/branches/2.3.x-fixes: ./
common/common/src/main/java/org/apache/cxf/common/security/
rt/core/src/main/java/org/apache/cxf/interceptor/security/
rt/core/src/test/java/org/apache/cxf/interceptor/security/
rt/ws/security/src...
Author: asoldano
Date: Wed Nov 3 15:58:35 2010
New Revision: 1030508
URL: http://svn.apache.org/viewvc?rev=1030508&view=rev
Log:
Merged revisions 1022599,1022866,1022884 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1022599 | sergeyb | 2010-10-14 18:22:13 +0200 (Thu, 14 Oct 2010) | 1 line
[CXF-3063] : Initial code for using WSSE tokens for authorization decisions without extending WSS4JInInterceptor
........
r1022866 | sergeyb | 2010-10-15 11:29:50 +0200 (Fri, 15 Oct 2010) | 1 line
[CXF-3063] : fixing unit tests
........
r1022884 | sergeyb | 2010-10-15 13:04:01 +0200 (Fri, 15 Oct 2010) | 1 line
[CXF-3063] : Support for existing custom AbstractUsernameTokenAuthenticating subclasses
........
Added:
cxf/branches/2.3.x-fixes/common/common/src/main/java/org/apache/cxf/common/security/SecurityToken.java
- copied unchanged from r1022884, cxf/trunk/common/common/src/main/java/org/apache/cxf/common/security/SecurityToken.java
cxf/branches/2.3.x-fixes/common/common/src/main/java/org/apache/cxf/common/security/TokenType.java
- copied unchanged from r1022884, cxf/trunk/common/common/src/main/java/org/apache/cxf/common/security/TokenType.java
cxf/branches/2.3.x-fixes/common/common/src/main/java/org/apache/cxf/common/security/UsernameToken.java
- copied unchanged from r1022884, cxf/trunk/common/common/src/main/java/org/apache/cxf/common/security/UsernameToken.java
cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractSecurityContextInInterceptor.java
- copied unchanged from r1022884, cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractSecurityContextInInterceptor.java
cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractUsernameTokenInInterceptor.java
- copied unchanged from r1022884, cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractUsernameTokenInInterceptor.java
cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/DefaultSecurityContext.java
- copied unchanged from r1022884, cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DefaultSecurityContext.java
cxf/branches/2.3.x-fixes/rt/core/src/test/java/org/apache/cxf/interceptor/security/DefaultSecurityContextTest.java
- copied unchanged from r1022884, cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/DefaultSecurityContextTest.java
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DelegatingCallbackHandler.java
- copied unchanged from r1022884, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DelegatingCallbackHandler.java
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenProcessorWithoutCallbacks.java
- copied unchanged from r1022884, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenProcessorWithoutCallbacks.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationLegacyTest.java
- copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationLegacyTest.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/AuthorizedServer2.java
- copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/AuthorizedServer2.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleSubjectCreatingInterceptor.java
- copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleSubjectCreatingInterceptor.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleUsernameTokenInterceptor.java
- copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleUsernameTokenInterceptor.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized_2.xml
- copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized_2.xml
Removed:
cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultSecurityContextTest.java
Modified:
cxf/branches/2.3.x-fixes/ (props changed)
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml
Propchange: cxf/branches/2.3.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Nov 3 15:58:35 2010
@@ -1 +1 @@
-/cxf/trunk:1027274,1027462,1027509,1027553,1027599,1030053,1030189
+/cxf/trunk:1022599-1022884,1027274,1027462,1027509,1027553,1027599,1030053,1030189
Propchange: cxf/branches/2.3.x-fixes/
------------------------------------------------------------------------------
--- svnmerge-integrated (original)
+++ svnmerge-integrated Wed Nov 3 15:58:35 2010
@@ -1 +1 @@
-/cxf/trunk:1-1022129,1022154,1022194,1022401-1022402,1022911,1023068,1023121,1023597-1026352,1026549,1026551,1027244,1027269,1027274,1027462,1027509,1027553,1027599,1028170,1029943,1030053,1030189
+/cxf/trunk:1-1022129,1022154,1022194,1022401-1022402,1022599-1022884,1022911,1023068,1023121,1023597-1026352,1026549,1026551,1027244,1027269,1027274,1027462,1027509,1027553,1027599,1028170,1029943,1030053,1030189
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Wed Nov 3 15:58:35 2010
@@ -31,6 +31,7 @@ public final class SecurityConstants {
public static final String USERNAME = "ws-security.username";
public static final String PASSWORD = "ws-security.password";
public static final String VALIDATE_PASSWORD = "ws-security.validate.password";
+ public static final String USERNAME_TOKEN_NO_CALLBACKS = "ws-security.ut.no-callbacks";
public static final String CALLBACK_HANDLER = "ws-security.callback-handler";
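Review bot: The new USERNAME_TOKEN_NO_CALLBACKS constant is added without any Javadoc, although it switches the whole UsernameToken processing path and other constants nearby document their contract. From its use in WSS4JInInterceptor it appears to mean "do not run the password callback for UsernameTokens; expose the token on the message for a later interceptor to authenticate", so a comment along the lines of `/** When set to "true", UsernameTokens are not validated through the password callback handler; the parsed token is instead made available to downstream interceptors as a SecurityToken. */` would tell configurers what security guarantee they give up by enabling it. The class body continues outside the hunk.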
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java Wed Nov 3 15:58:35 2010
@@ -22,33 +22,28 @@ import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
-import java.util.Vector;
-import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
-import org.w3c.dom.Element;
-
+import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.security.SecurityToken;
+import org.apache.cxf.common.security.UsernameToken;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;
import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
-import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
-import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.processor.Processor;
@@ -69,8 +64,7 @@ import org.apache.ws.security.processor.
* an application is expected to provide a password callback handler for decrypting the token only.
*
*/
-public abstract class AbstractUsernameTokenAuthenticatingInterceptor extends WSS4JInInterceptor
- implements Processor {
+public abstract class AbstractUsernameTokenAuthenticatingInterceptor extends WSS4JInInterceptor {
private static final Logger LOG =
LogUtils.getL7dLogger(AbstractUsernameTokenAuthenticatingInterceptor.class);
@@ -78,11 +72,12 @@ public abstract class AbstractUsernameTo
private boolean supportDigestPasswords;
public AbstractUsernameTokenAuthenticatingInterceptor() {
- super();
+ this(new HashMap<String, Object>());
}
public AbstractUsernameTokenAuthenticatingInterceptor(Map<String, Object> properties) {
super(properties);
+ getAfter().add(PolicyBasedWSS4JInInterceptor.class.getName());
}
public void setSupportDigestPasswords(boolean support) {
@@ -94,6 +89,23 @@ public abstract class AbstractUsernameTo
}
@Override
+ public void handleMessage(SoapMessage msg) throws Fault {
+ SecurityToken token = msg.get(SecurityToken.class);
+ SecurityContext context = msg.get(SecurityContext.class);
+ if (token == null || context == null || context.getUserPrincipal() == null) {
+ super.handleMessage(msg);
+ return;
+ }
+ UsernameToken ut = (UsernameToken)token;
+
+ Subject subject = createSubject(ut.getName(), ut.getPassword(), ut.isHashed(),
+ ut.getNonce(), ut.getCreatedTime());
+
+ SecurityContext sc = doCreateSecurityContext(context.getUserPrincipal(), subject);
+ msg.put(SecurityContext.class, sc);
+ }
+
+ @Override
protected SecurityContext createSecurityContext(final Principal p) {
Message msg = PhaseInterceptorChain.getCurrentMessage();
if (msg == null) {
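Review bot: The new handleMessage casts the message's SecurityToken to UsernameToken unconditionally and, unlike setSubject further down in this class, neither guards the createSubject call nor validates the returned Subject (null, no principals, or a principal whose name differs from the token's user) before building the SecurityContext from it. A subclass that throws from createSubject would surface as an unhandled exception rather than an authentication Fault, and a null Subject would reach doCreateSecurityContext. The fallback to super.handleMessage for a token that is not a UsernameToken is an inference on my part and should be confirmed against the other SecurityToken types. The enclosing class continues outside the hunk.
```java
    @Override
    public void handleMessage(SoapMessage msg) throws Fault {
        SecurityToken token = msg.get(SecurityToken.class);
        SecurityContext context = msg.get(SecurityContext.class);
        if (!(token instanceof UsernameToken) || context == null || context.getUserPrincipal() == null) {
            super.handleMessage(msg);
            return;
        }
        UsernameToken ut = (UsernameToken)token;
        Subject subject;
        try {
            subject = createSubject(ut.getName(), ut.getPassword(), ut.isHashed(),
                                    ut.getNonce(), ut.getCreatedTime());
        } catch (Exception ex) {
            LOG.severe("Failed Authentication : Subject has not been created");
            throw new Fault(ex);
        }
        // same acceptance rule as setSubject(): the first principal must match the token user
        if (subject == null || subject.getPrincipals().isEmpty()
            || !subject.getPrincipals().iterator().next().getName().equals(ut.getName())) {
            LOG.severe("Failed Authentication : Invalid Subject");
            throw new Fault(new WSSecurityException("Failed Authentication : Invalid Subject"));
        }
        SecurityContext sc = doCreateSecurityContext(context.getUserPrincipal(), subject);
        msg.put(SecurityContext.class, sc);
    }
```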
@@ -130,11 +142,15 @@ public abstract class AbstractUsernameTo
try {
subject = createSubject(name, password, isDigest, nonce, created);
} catch (Exception ex) {
- throw new WSSecurityException("Failed Authentication : Subject has not been created", ex);
+ String errorMessage = "Failed Authentication : Subject has not been created";
+ LOG.severe(errorMessage);
+ throw new WSSecurityException(errorMessage, ex);
}
if (subject == null || subject.getPrincipals().size() == 0
|| !subject.getPrincipals().iterator().next().getName().equals(name)) {
- throw new WSSecurityException("Failed Authentication : Invalid Subject");
+ String errorMessage = "Failed Authentication : Invalid Subject";
+ LOG.severe(errorMessage);
+ throw new WSSecurityException(errorMessage);
}
msg.put(Subject.class, subject);
}
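Review bot: Both new LOG.severe calls in setSubject log the message text only, so the exception caught in the first branch never reaches the log even though it is the only diagnostic a deployer has, and SEVERE is a strong level for a condition that any unauthenticated client can trigger at will. I would log the cause at a lower level, `LOG.log(Level.WARNING, errorMessage, ex);`, which requires re-adding the `java.util.logging.Level` import this commit removes. The enclosing method starts before the hunk.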
@@ -164,7 +180,7 @@ public abstract class AbstractUsernameTo
*
*/
@Override
- protected CallbackHandler getCallback(RequestData reqData, int doAction)
+ protected CallbackHandler getCallback(RequestData reqData, int doAction, boolean utNoCallbacks)
throws WSSecurityException {
// Given that a custom UT processor is used for dealing with digests
@@ -174,63 +190,46 @@ public abstract class AbstractUsernameTo
if ((doAction & WSConstants.UT) != 0) {
CallbackHandler pwdCallback = null;
try {
- pwdCallback = super.getCallback(reqData, doAction);
+ pwdCallback = super.getCallback(reqData, doAction, false);
} catch (Exception ex) {
// ignore
}
- return new DelegatingCallbackHandler(pwdCallback);
+ return new SubjectCreatingCallbackHandler(pwdCallback);
}
- return super.getCallback(reqData, doAction);
+ return super.getCallback(reqData, doAction, false);
}
@Override
- protected WSSecurityEngine getSecurityEngine() {
+ protected WSSecurityEngine getSecurityEngine(boolean utNoCallbacks) {
if (!supportDigestPasswords) {
- return super.getSecurityEngine();
+ return super.getSecurityEngine(true);
}
Map<QName, Object> profiles = new HashMap<QName, Object>(3);
- profiles.put(new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN), this);
- profiles.put(new QName(WSConstants.WSSE11_NS, WSConstants.USERNAME_TOKEN_LN), this);
+
+ Processor processor = new CustomUsernameTokenProcessor();
+ profiles.put(new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN), processor);
+ profiles.put(new QName(WSConstants.WSSE11_NS, WSConstants.USERNAME_TOKEN_LN), processor);
return createSecurityEngine(profiles);
}
- public void handleToken(Element elem,
- Crypto crypto,
- Crypto decCrypto,
- CallbackHandler cb,
- WSDocInfo wsDocInfo,
- Vector returnResults,
- WSSConfig config) throws WSSecurityException {
- new CustomUsernameTokenProcessor().handleToken(elem, crypto, decCrypto, cb, wsDocInfo,
- returnResults, config);
- }
-
-
- protected class DelegatingCallbackHandler implements CallbackHandler {
+ protected class SubjectCreatingCallbackHandler extends DelegatingCallbackHandler {
- private CallbackHandler pwdHandler;
-
- public DelegatingCallbackHandler(CallbackHandler pwdHandler) {
- this.pwdHandler = pwdHandler;
+ public SubjectCreatingCallbackHandler(CallbackHandler pwdHandler) {
+ super(pwdHandler);
}
- public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
- for (Callback c : callbacks) {
- if (c instanceof WSPasswordCallback) {
- WSPasswordCallback pc = (WSPasswordCallback)c;
- if (WSConstants.PASSWORD_TEXT.equals(pc.getPasswordType())
- && pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
- AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
- pc.getIdentifier(), pc.getPassword(), false, null, null);
- } else if (pwdHandler != null) {
- pwdHandler.handle(callbacks);
- }
- }
+ @Override
+ protected void handleCallback(Callback c) throws IOException {
+ if (c instanceof WSPasswordCallback) {
+ WSPasswordCallback pc = (WSPasswordCallback)c;
+ if (WSConstants.PASSWORD_TEXT.equals(pc.getPasswordType())
+ && pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
+ AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
+ pc.getIdentifier(), pc.getPassword(), false, null, null);
+ }
}
-
}
-
}
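Review bot: The overrides of getCallback and getSecurityEngine name their new parameter `utNoCallbacks`, the inverse of the base class's `utWithCallbacks`, and then ignore it entirely: getCallback always passes `false` and getSecurityEngine always passes `true` to super, so a USERNAME_TOKEN_NO_CALLBACKS setting has no effect on this subclass. Using the base name, `protected CallbackHandler getCallback(RequestData reqData, int doAction, boolean utWithCallbacks)`, with a comment such as `// the flag is intentionally ignored: UT processing here always goes through the subject-creating handler and processor` would stop the next reader from assuming a bug. Note also that passing `false` with the UT action set makes the base wrap the password handler in a DelegatingCallbackHandler before this class wraps it again in SubjectCreatingCallbackHandler; whether that double wrapping is harmless depends on DelegatingCallbackHandler, which is not in this diff.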
/**
@@ -239,56 +238,18 @@ public abstract class AbstractUsernameTo
* override its handleUsernameToken only.
*
*/
- private class CustomUsernameTokenProcessor implements Processor {
-
- private String utId;
- private UsernameToken ut;
-
- @SuppressWarnings("unchecked")
- public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb,
- WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
- if (LOG.isLoggable(Level.FINE)) {
- LOG.fine("Found UsernameToken list element");
- }
-
- Principal principal = handleUsernameToken((Element) elem, cb);
- returnResults.add(
- 0,
- new WSSecurityEngineResult(WSConstants.UT, principal, null, null, null)
- );
- utId = ut.getID();
- }
+ protected class CustomUsernameTokenProcessor extends UsernameTokenProcessorWithoutCallbacks {
- private WSUsernameTokenPrincipal handleUsernameToken(
- Element token, CallbackHandler cb) throws WSSecurityException {
- //
- // Parse the UsernameToken element
- //
- ut = new UsernameToken(token, false);
- String user = ut.getName();
- String password = ut.getPassword();
- String nonce = ut.getNonce();
- String createdTime = ut.getCreated();
- String pwType = ut.getPasswordType();
- if (LOG.isLoggable(Level.FINE)) {
- LOG.fine("UsernameToken user " + user);
- LOG.fine("UsernameToken password " + password);
- }
-
+ @Override
+ protected WSUsernameTokenPrincipal createPrincipal(String user,
+ String password,
+ boolean isHashed,
+ String nonce,
+ String createdTime,
+ String pwType) throws WSSecurityException {
AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
- user, password, ut.isHashed(), nonce, createdTime);
-
- WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(user, ut.isHashed());
- principal.setNonce(nonce);
- principal.setPassword(password);
- principal.setCreatedTime(createdTime);
- principal.setPasswordType(pwType);
-
- return principal;
- }
-
- public String getId() {
- return utId;
+ user, password, isHashed, nonce, createdTime);
+ return super.createPrincipal(user, password, isHashed, nonce, createdTime, pwType);
}
}
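Review bot: The Javadoc kept as context above CustomUsernameTokenProcessor still says subclasses should "override its handleUsernameToken only", but after this change the class has no such method and the extension point is createPrincipal. The comment should be updated to something like `Custom UsernameToken processor; subclasses needing different principal creation should override createPrincipal only, which also populates the Subject via setSubject.` The processor class is now protected, so the stale wording is visible API documentation.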
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Wed Nov 3 15:58:35 2010
@@ -455,7 +455,7 @@ public class PolicyBasedWSS4JInIntercept
}
protected void doResults(SoapMessage msg, String actor,
- SOAPMessage doc, Vector results)
+ SOAPMessage doc, Vector results, boolean utWithCallbacks)
throws SOAPException, XMLStreamException, WSSecurityException {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
@@ -502,12 +502,15 @@ public class PolicyBasedWSS4JInIntercept
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
}
- WSUsernameTokenPrincipal princ
- = (WSUsernameTokenPrincipal)wser.get(WSSecurityEngineResult.TAG_PRINCIPAL);
- for (AssertionInfo ai : ais) {
- UsernameToken tok = (UsernameToken)ai.getAssertion();
- if (tok.isHashPassword() != princ.isPasswordDigest()) {
- ai.setNotAsserted("Password hashing policy not enforced");
+
+ if (utWithCallbacks) {
+ WSUsernameTokenPrincipal princ
+ = (WSUsernameTokenPrincipal)wser.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ for (AssertionInfo ai : ais) {
+ UsernameToken tok = (UsernameToken)ai.getAssertion();
+ if (tok.isHashPassword() != princ.isPasswordDigest()) {
+ ai.setNotAsserted("Password hashing policy not enforced");
+ }
}
}
}
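Review bot: Wrapping the "Password hashing policy not enforced" check in `if (utWithCallbacks)` means that in the no-callbacks mode every UsernameToken assertion is marked asserted on the line above without the HashPassword requirement ever being compared against the received token. WSS4JInInterceptor still produces a WSUsernameTokenPrincipal in that mode and reads its isPasswordDigest() when building the SecurityToken, so the principal needed for the check appears to be available and the guard looks unnecessary; if there is a reason the check cannot run there, it deserves a comment explaining why the policy is not enforced. The enclosing doResults method starts before the hunk.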
@@ -557,7 +560,7 @@ public class PolicyBasedWSS4JInIntercept
assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
}
- super.doResults(msg, actor, doc, results);
+ super.doResults(msg, actor, doc, results, utWithCallbacks);
}
private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, SOAPMessage doc)
throws SOAPException {
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java Wed Nov 3 15:58:35 2010
@@ -45,6 +45,7 @@ import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Wed Nov 3 15:58:35 2010
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Vector;
@@ -46,9 +47,11 @@ import org.apache.cxf.binding.soap.saaj.
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.i18n.Message;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.security.UsernameToken;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
@@ -149,13 +152,17 @@ public class WSS4JInInterceptor extends
return;
}
msg.put(SECURITY_PROCESSED, Boolean.TRUE);
+
+ boolean utWithCallbacks =
+ !MessageUtils.getContextualBoolean(msg, SecurityConstants.USERNAME_TOKEN_NO_CALLBACKS, false);
+
WSSConfig config = (WSSConfig)msg.getContextualProperty(WSSConfig.class.getName());
WSSecurityEngine engine;
if (config != null) {
engine = new WSSecurityEngine();
engine.setWssConfig(config);
} else {
- engine = getSecurityEngine();
+ engine = getSecurityEngine(utWithCallbacks);
}
SOAPMessage doc = getSOAPMessage(msg);
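Review bot: When a WSSConfig is supplied on the message the engine is built from it and getSecurityEngine(utWithCallbacks) is bypassed, yet the same `utWithCallbacks` value is still passed to getCallback and doResults further down. In that configuration the default WSS4J UsernameToken processor would run with the DelegatingCallbackHandler while doResults treats the result as a no-callbacks token; whether that combination is safe depends on DelegatingCallbackHandler, which is not in this diff. Either document that the property is only honoured without an explicit WSSConfig, or log a warning when both are present. The enclosing handleMessage starts before the hunk.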
@@ -192,7 +199,7 @@ public class WSS4JInInterceptor extends
String actor = (String)getOption(WSHandlerConstants.ACTOR);
- CallbackHandler cbHandler = getCallback(reqData, doAction);
+ CallbackHandler cbHandler = getCallback(reqData, doAction, utWithCallbacks);
/*
* Get and check the Signature specific parameters first because
@@ -225,7 +232,7 @@ public class WSS4JInInterceptor extends
checkSignatures(msg, reqData, wsResult);
checkTimestamps(msg, reqData, wsResult);
checkActions(msg, reqData, wsResult, actions);
- doResults(msg, actor, doc, wsResult);
+ doResults(msg, actor, doc, wsResult, utWithCallbacks);
} else { // no security header found
// Create an empty result vector to pass into the required validation
// methods.
@@ -360,8 +367,14 @@ public class WSS4JInInterceptor extends
protected void computeAction(SoapMessage msg, RequestData reqData) {
}
+
protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
throws SOAPException, XMLStreamException, WSSecurityException {
+ doResults(msg, actor, doc, wsResult, false);
+ }
+
+ protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult,
+ boolean utWithCallbacks) throws SOAPException, XMLStreamException, WSSecurityException {
/*
* All ok up to this point. Now construct and setup the security result
* structure. The service may fetch this and check it.
@@ -405,7 +418,18 @@ public class WSS4JInInterceptor extends
for (WSSecurityEngineResult o : CastUtils.cast(wsResult, WSSecurityEngineResult.class)) {
final Principal p = (Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
if (p != null) {
- msg.put(PRINCIPAL_RESULT, p);
+ msg.put(PRINCIPAL_RESULT, p);
+ if (!utWithCallbacks && p instanceof WSUsernameTokenPrincipal) {
+ WSUsernameTokenPrincipal utp = (WSUsernameTokenPrincipal)p;
+ msg.put(org.apache.cxf.common.security.SecurityToken.class,
+ new UsernameToken(utp.getName(),
+ utp.getPassword(),
+ utp.getPasswordType(),
+ utp.isPasswordDigest(),
+ utp.getNonce(),
+ utp.getCreatedTime()));
+
+ }
SecurityContext sc = msg.get(SecurityContext.class);
if (sc == null || sc.getUserPrincipal() == null) {
msg.put(SecurityContext.class, createSecurityContext(p));
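Review bot: The UsernameToken placed on the message as SecurityToken is built with utp.getPassword(), so in the no-callbacks mode the received credential (plaintext unless the token was digested) lives in the message context for the remainder of the exchange, reachable by any interceptor and by anything that dumps message properties. This is the whole point of the feature, but it should be stated where the object is created, e.g. `// the stored token carries the received credential; consumers must not log or serialize the message context`, and the SecurityToken type's Javadoc should say the same. Also, the put happens inside the result loop, so with several principal-bearing results the last one wins silently. The enclosing method starts before the hunk.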
@@ -477,6 +501,21 @@ public class WSS4JInInterceptor extends
}
+ protected CallbackHandler getCallback(RequestData reqData, int doAction, boolean utWithCallbacks)
+ throws WSSecurityException {
+ if (!utWithCallbacks && (doAction & WSConstants.UT) != 0) {
+ CallbackHandler pwdCallback = null;
+ try {
+ pwdCallback = getCallback(reqData, doAction);
+ } catch (Exception ex) {
+ // ignore
+ }
+ return new DelegatingCallbackHandler(pwdCallback);
+ } else {
+ return getCallback(reqData, doAction);
+ }
+ }
+
protected CallbackHandler getCallback(RequestData reqData, int doAction) throws WSSecurityException {
/*
* To check a UsernameToken or to decrypt an encrypted message we need a
@@ -535,11 +574,19 @@ public class WSS4JInInterceptor extends
* TODO the WSHandler base class defines secEngine to be static, which
* is really bad, because the engine has mutable state on it.
*/
- protected WSSecurityEngine
- getSecurityEngine() {
+ protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) {
if (secEngineOverride != null) {
return secEngineOverride;
}
+
+ if (!utWithCallbacks) {
+ Map<QName, Object> profiles = new HashMap<QName, Object>(3);
+ Processor processor = new UsernameTokenProcessorWithoutCallbacks();
+ profiles.put(new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN), processor);
+ profiles.put(new QName(WSConstants.WSSE11_NS, WSConstants.USERNAME_TOKEN_LN), processor);
+ return createSecurityEngine(profiles);
+ }
+
return secEngine;
}
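Review bot: Replacing getSecurityEngine() with getSecurityEngine(boolean) on the 2.3.x-fixes branch silently disconnects any existing subclass that overrides the no-argument method: its override is no longer called and, if marked @Override, no longer compiles. Keeping a deprecated delegate, `protected WSSecurityEngine getSecurityEngine() { return getSecurityEngine(true); }`, preserves source compatibility on a maintenance branch; the same consideration applies to the changed doResults and getCallback signatures. Separately, the no-callbacks branch builds a fresh engine on every message via createSecurityEngine(profiles), which the TODO above about the static secEngine suggests was previously avoided.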
Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java (original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java Wed Nov 3 15:58:35 2010
@@ -28,9 +28,14 @@ import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.systest.ws.wssec10.server.Server;
import org.apache.cxf.systest.ws.wssec11.WSSecurity11Common;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+
import org.junit.BeforeClass;
import org.junit.Test;
@@ -95,7 +100,16 @@ public class WSSecurity10Test extends Ab
),
IPingService.class
);
+
+ Client cl = ClientProxy.getClient(port);
+ HTTPConduit http = (HTTPConduit) cl.getConduit();
+
+ HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+ httpClientPolicy.setConnectionTimeout(0);
+ httpClientPolicy.setReceiveTimeout(0);
+
+ http.setClient(httpClientPolicy);
final String output = port.echo(INPUT);
assertEquals(INPUT, output);
}
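Review bot: Setting both the connection and receive timeouts to 0 disables them, so if the server side of this system test hangs the test blocks the build indefinitely instead of failing. A generous finite value, e.g. `httpClientPolicy.setReceiveTimeout(60000);`, keeps the intent (tolerate a slow security handshake) without removing the safety net. The enclosing test method starts before the hunk.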
Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java (original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java Wed Nov 3 15:58:35 2010
@@ -42,6 +42,7 @@ import wssec.wssec10.PingService;
*
*/
public class WSSecurity10UsernameAuthorizationTest extends AbstractBusClientServerTestBase {
+ static final String SSL_PORT = allocatePort(AuthorizedServer.class, 1);
static final String PORT = allocatePort(AuthorizedServer.class);
private static final String INPUT = "foo";
@@ -58,9 +59,9 @@ public class WSSecurity10UsernameAuthori
}
@Test
- public void testClientServerAuthorized() {
+ public void testClientServerUTOnlyAuthorized() {
- IPingService port = getPort(
+ IPingService port = getUTOnlyPort(
"org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml", false);
final String output = port.echo(INPUT);
@@ -68,9 +69,9 @@ public class WSSecurity10UsernameAuthori
}
@Test
- public void testClientServerUnauthorized() {
+ public void testClientServerUTOnlyUnauthorized() {
- IPingService port = getPort(
+ IPingService port = getUTOnlyPort(
"org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml", true);
try {
@@ -81,7 +82,48 @@ public class WSSecurity10UsernameAuthori
}
}
- private static IPingService getPort(String configName, boolean hashed) {
+ @Test
+ public void testClientServerComplexPolicyAuthorized() {
+
+ IPingService port = getComplexPolicyPort(
+ "org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml");
+
+ final String output = port.echo(INPUT);
+ assertEquals(INPUT, output);
+ }
+
+ @Test
+ public void testClientServerComplexPolicyUnauthorized() {
+
+ IPingService port = getComplexPolicyPort(
+ "org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml");
+
+ try {
+ port.echo(INPUT);
+ fail("Frank is unauthorized");
+ } catch (Exception ex) {
+ assertEquals("Unauthorized", ex.getMessage());
+ }
+ }
+
+ private static IPingService getComplexPolicyPort(String configName) {
+ Bus bus = new SpringBusFactory().createBus(configName);
+
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+ PingService svc = new PingService(getWsdlLocation("UserNameOverTransport"));
+ final IPingService port =
+ svc.getPort(
+ new QName(
+ "http://WSSec/wssec10",
+ "UserNameOverTransport" + "_IPingService"
+ ),
+ IPingService.class
+ );
+ return port;
+ }
+
+ private static IPingService getUTOnlyPort(String configName, boolean hashed) {
Bus bus = new SpringBusFactory().createBus(configName);
BusFactory.setDefaultBus(bus);
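Review bot: getComplexPolicyPort duplicates the bus and port setup of getUTOnlyPort line for line apart from the WSDL location and port name, so the two helpers will drift. A single private helper taking the config name and the port prefix, with both methods delegating to it, would keep the scaffolding in one place. The getUTOnlyPort body continues past the end of the hunk.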
@@ -109,4 +151,19 @@ public class WSSecurity10UsernameAuthori
}
+ private static URL getWsdlLocation(String portPrefix) {
+ try {
+ if ("UserNameOverTransport".equals(portPrefix)) {
+ return new URL("https://localhost:" + SSL_PORT + "/" + portPrefix + "?wsdl");
+ } else if ("MutualCertificate10SignEncrypt".equals(portPrefix)) {
+ return new URL("http://localhost:" + PORT + "/" + portPrefix + "?wsdl");
+ } else if ("MutualCertificate10SignEncryptRsa15TripleDes".equals(portPrefix)) {
+ return new URL("http://localhost:" + PORT + "/" + portPrefix + "?wsdl");
+ }
+ } catch (MalformedURLException mue) {
+ return null;
+ }
+ return null;
+ }
+
}
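Review bot: `getWsdlLocation` returns `null` both for an unrecognised prefix and when the URL is malformed, and the caller at `new PingService(getWsdlLocation(...))` never checks the result, so a typo in the prefix or a bad `SSL_PORT` would most likely make the generated service fall back to its bundled WSDL and silently exercise a different endpoint instead of failing the test. Replace the final `return null;` with `throw new IllegalArgumentException("Unknown port prefix: " + portPrefix);` and the swallowed `MalformedURLException` with `throw new IllegalStateException("Bad WSDL URL for " + portPrefix, mue);` so the failure is loud and carries its cause. The two `MutualCertificate10*` branches are also identical apart from the prefix and could be collapsed into one `else if` with an `||`.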
Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml (original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml Wed Nov 3 15:58:35 2010
@@ -47,4 +47,21 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/wssec10}UserNameOverTransport_IPingService" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Frank"/>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <http:conduit name="https://.*/UserNameOverTransport.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/wssec10/certs/restricted/alice.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/wssec10/certs/restricted/bob.jks"/>
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
</beans>
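Review bot: `disableCNCheck="true"` turns off hostname verification for every conduit matching `https://.*/UserNameOverTransport.*`, which is only defensible here because the test certificate in `bob.jks` is presumably not issued for `localhost`; nothing in the file says so, and this "restricted" client config is the kind of snippet that gets copied. Add `<!-- test-only: the server cert in bob.jks is not issued for localhost; never disable the CN check outside the test suite -->` directly above `tlsClientParameters`. Note also that the client presents `alice.jks` as a key manager although the matching server config leaves `clientAuthentication` commented out, so no client certificate is actually validated in this scenario; a one-line comment stating that authentication comes from the UsernameToken, not TLS client auth, would stop a reader from assuming mutual TLS is being tested.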
Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml (original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml Wed Nov 3 15:58:35 2010
@@ -39,6 +39,34 @@
">
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <!-- -->
+ <!-- Any services listening on port 9001 must use the following -->
+ <!-- Transport Layer Security (TLS) settings -->
+ <!-- -->
+ <httpj:engine-factory id="tls-settings">
+ <httpj:engine port="${testutil.ports.AuthorizedServer.1}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/wssec10/certs/restricted/bob.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/wssec10/certs/restricted/alice.jks"/>
+ </sec:trustManagers>
+
+ <!--
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="true" required="true"/>
+ -->
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
<cxf:bus>
<cxf:features>
<p:policies/>
@@ -53,7 +81,7 @@
<bean id="customUTInterceptor" class="org.apache.cxf.systest.ws.wssec10.server.CustomUsernameTokenInterceptor"/>
-
+ <bean id="simpleUTInterceptor" class="org.apache.cxf.systest.ws.wssec10.server.SimpleUsernameTokenInterceptor"/>
<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
<property name="methodRolesMap">
<map>
@@ -90,4 +118,30 @@
</jaxws:endpoint>
+ <!-- -->
+ <!-- Scenario 3.1 -->
+ <!-- -->
+ <jaxws:endpoint
+ id="UserNameOverTransport"
+ address="https://localhost:${testutil.ports.AuthorizedServer.1}/UserNameOverTransport"
+ serviceName="interop:PingService"
+ endpointName="interop:UserNameOverTransport_IPingService"
+ implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransportRestricted"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice"/>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
+
+ <!-- new property -->
+ <entry key="ws-security.ut.no-callbacks" value="true"/>
+ </jaxws:properties>
+
+ <jaxws:inInterceptors>
+ <ref bean="simpleUTInterceptor"/>
+ <ref bean="authorizationInterceptor"/>
+ </jaxws:inInterceptors>
+
+ </jaxws:endpoint>
+
</beans>
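Review bot: The `<!-- new property -->` comment on `ws-security.ut.no-callbacks` says nothing about what the flag changes, and on its face the endpoint both registers a `ws-security.callback-handler` and asks for no callbacks, which reads as contradictory. From the commit message this looks like it stops the WS-Security layer from verifying the UsernameToken password itself and defers that to `simpleUTInterceptor`; if so, say it: `<!-- ws-security.ut.no-callbacks: WSS4J does not validate the UT password here; SimpleUsernameTokenInterceptor must authenticate the token before authorizationInterceptor runs -->`. Since the property controls whether password verification happens at all, a mis-set value turns the endpoint into accept-any-password, so the comment should also mark it as security-critical. Whether listing `simpleUTInterceptor` before `authorizationInterceptor` guarantees that ordering depends on their phases rather than on list position, so I would confirm that in the interceptor classes, which are not visible here.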