Posted to commits@cxf.apache.org by co...@apache.org on 2011/07/25 17:13:12 UTC
svn commit: r1150742 -
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
Author: coheigea
Date: Mon Jul 25 15:13:11 2011
New Revision: 1150742
URL: http://svn.apache.org/viewvc?rev=1150742&view=rev
Log:
Store TLS Peer Certificate principal on the message context in the WS-Security layer
- Also fixing some failing system tests following an update to WSS4J.
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=1150742&r1=1150741&r2=1150742&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java Mon Jul 25 15:13:11 2011
@@ -20,6 +20,8 @@
package org.apache.cxf.ws.security.policy.interceptors;
import java.net.HttpURLConnection;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
@@ -33,6 +35,7 @@ import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.transport.http.MessageTrustDecider;
import org.apache.cxf.transport.http.URLConnectionInfo;
@@ -164,6 +167,21 @@ public class HttpsTokenInterceptorProvid
}
if (!isRequestor(message)) {
assertHttps(ais, message);
+ // Store the TLS principal on the message context
+ SecurityContext sc = message.get(SecurityContext.class);
+ if (sc == null || sc.getUserPrincipal() == null) {
+ TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+ if (tlsInfo != null && tlsInfo.getPeerCertificates() != null
+ && tlsInfo.getPeerCertificates().length > 0
+ && (tlsInfo.getPeerCertificates()[0] instanceof X509Certificate)
+ ) {
+ X509Certificate cert = (X509Certificate)tlsInfo.getPeerCertificates()[0];
+ message.put(
+ SecurityContext.class, createSecurityContext(cert.getSubjectX500Principal())
+ );
+ }
+ }
+
} else {
//client side should be checked on the way out
for (AssertionInfo ai : ais) {
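Review bot: The principal installed at the `message.put(SecurityContext.class, ...)` call is taken from `getSubjectX500Principal()` of the first peer certificate, and nothing in this hunk shows that the chain has been validated — the code relies on the transport populating `TLSSessionInfo` only after the TLS handshake has authenticated the client, so that assumption should be stated where the context is created, e.g. `// Assumes the transport exposes peer certificates only after the handshake verified the client chain; [0] is the leaf`. When an existing `SecurityContext` has a null user principal it is replaced wholesale, so any role information it carried is dropped and the new context answers false to every `isUserInRole` call; if that is intended it deserves a comment, otherwise the `sc != null` case may want different handling. Stylistically, `tlsInfo.getPeerCertificates()` is evaluated four times in the guard and the cast; a local (`final Certificate[] certs = tlsInfo.getPeerCertificates();`, assuming the return type is `java.security.cert.Certificate[]` as the `instanceof` suggests) would make the condition readable. The enclosing method begins and ends outside this hunk.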
@@ -172,6 +190,7 @@ public class HttpsTokenInterceptorProvid
}
}
}
+
private void assertHttps(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
boolean asserted = true;
@@ -207,5 +226,16 @@ public class HttpsTokenInterceptorProvid
ai.setAsserted(asserted);
}
}
+
+ private SecurityContext createSecurityContext(final Principal p) {
+ return new SecurityContext() {
+ public Principal getUserPrincipal() {
+ return p;
+ }
+ public boolean isUserInRole(String role) {
+ return false;
+ }
+ };
+ }
}
}
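Review bot: `createSecurityContext` has no Javadoc, and the fact that its `isUserInRole` unconditionally returns false is a contract that consumers of the message's `SecurityContext` need to know, since any downstream role-based check against this context will deny. Suggested header: `/** Wraps the TLS peer principal in a SecurityContext that carries no role information; isUserInRole always returns false. */`. The method is only called with the result of `getSubjectX500Principal()`, which is non-null in practice for an `X509Certificate`, so no null guard is needed today; if the helper is later reused with other principal sources that assumption should be revisited.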