Posted to java-commits@axis.apache.org by ve...@apache.org on 2017/01/14 12:22:56 UTC
svn commit: r1778761 [1/3] - in
/axis/axis2/java/rampart/branches/RAMPART-433: ./ modules/rampart-core/
modules/rampart-core/src/main/java/org/apache/rampart/
modules/rampart-core/src/main/java/org/apache/rampart/builder/
modules/rampart-core/src/main/...
Author: veithen
Date: Sat Jan 14 12:22:55 2017
New Revision: 1778761
URL: http://svn.apache.org/viewvc?rev=1778761&view=rev
Log:
Apply patch provided by Boris Dushanov for RAMPART-433 (which incorporates the patch provided by Detelin Yordanov for RAMPART-417).
Added:
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/KerberosConfigBuilder.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/KerberosConfig.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/java/org/apache/rampart/policy/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/java/org/apache/rampart/policy/builders/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/java/org/apache/rampart/policy/builders/KerberosConfigBuilderTest.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/resources/org/apache/rampart/policy/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationService.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationServiceValidator.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/java/org/apache/rampart/AbstractRampartTest.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/java/org/apache/rampart/RampartKerberosTest.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/java/org/apache/rampart/util/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/java/org/apache/rampart/util/KerberosServer.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/java/org/apache/rampart/util/KerberosTokenDecoderImpl.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/kerberos/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/kerberos/alice.keytab (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/kerberos/bob.keytab (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/kerberos/jaas.conf
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/kerberos/krb5.conf.template
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/kerberos/readme
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/kerberos/users.ldif
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/rampart/kerberos/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/rampart/kerberos/KerberosDelegation.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/rampart/kerberos/KerberosOverTransportKeytab.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/test/resources/rampart/kerberos/KerberosOverTransportPWCB.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/model/KerberosToken.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy11/builders/KerberosTokenBuilder.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy12/builders/KerberosTokenBuilder.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/java/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/java/org/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/java/org/apache/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/java/org/apache/ws/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/java/org/apache/ws/secpolicy/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/java/org/apache/ws/secpolicy/KerberosPolicyTest.java (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/kerberos-11.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/kerberos-12.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/kerberos-gss-11.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/kerberos-gss-12.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/kerberos-gss-keyref-11.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/kerberos-gss-keyref-12.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/kerberos-keyref-11.xml (with props)
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/test/resources/policy/kerberos-keyref-12.xml (with props)
Modified:
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/pom.xml
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/META-INF/services/org.apache.neethi.builders.AssertionBuilder
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/pom.xml
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/pom.xml
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/Constants.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/SP11Constants.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/SP12Constants.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/SPConstants.java
axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-policy/src/main/resources/META-INF/services/org.apache.neethi.builders.AssertionBuilder
axis/axis2/java/rampart/branches/RAMPART-433/pom.xml
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/pom.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/pom.xml?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/pom.xml (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/pom.xml Sat Jan 14 12:22:55 2017
@@ -85,5 +85,10 @@
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>xmlunit</groupId>
+ <artifactId>xmlunit</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
</project>
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java Sat Jan 14 12:22:55 2017
@@ -31,12 +31,22 @@ import org.apache.rampart.saml.SAMLAsser
import org.apache.rampart.saml.SAMLAssertionHandlerFactory;
import org.apache.rampart.util.Axis2Util;
import org.apache.rampart.util.RampartUtil;
+import org.apache.rampart.policy.model.KerberosConfig;
+import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.secpolicy.WSSPolicyException;
import org.apache.ws.secpolicy.model.UsernameToken;
+import org.apache.ws.secpolicy.model.KerberosToken;
+import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.security.*;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.validate.KerberosTokenDecoder;
+import org.apache.ws.security.validate.KerberosTokenValidator;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
+
+import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.*;
@@ -88,6 +98,89 @@ public class RampartEngine {
//Set rampart's configuration of WSS4J
engine.setWssConfig(rmd.getConfig());
+ RampartConfig rampartConfig = rpd.getRampartConfig();
+ if (rampartConfig != null) {
+ WSSConfig config = engine.getWssConfig();
+
+ // Inbound Kerberos authentication for web services
+ // Check the service policy for Kerberos token and add KerberosTokenValidator for BINARY_TOKEN validation
+ SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
+ if (endSupptokens != null && endSupptokens.getTokens() != null &&
+ endSupptokens.getTokens().size() > 0) {
+
+ log.debug("Processing endorsing supporting tokens");
+ List tokens = endSupptokens.getTokens();
+
+ for (Object objectToken : tokens) {
+ if (objectToken instanceof KerberosToken) {
+ log.debug("KerberosToken is found as part of the endorsing supporting tokens.Check for KerberosConfig.");
+ KerberosConfig kerberosConfig = rampartConfig.getKerberosConfig();
+
+ if (null != kerberosConfig){
+ log.debug("KerberosConfig is found.");
+ log.debug("Creating KerberosTokenValidor with the available KerberosConfig.");
+ KerberosTokenValidator kerberosValidator = new KerberosTokenValidator();
+
+ KerberosTokenDecoder kerberosTokenDecoder = RampartUtil.getKerberosTokenDecoder(msgCtx, kerberosConfig);
+ if (kerberosTokenDecoder != null) {
+ kerberosValidator.setKerberosTokenDecoder(kerberosTokenDecoder);
+ }
+ kerberosValidator.setContextName(kerberosConfig.getJaasContext());
+ kerberosValidator.setServiceName(kerberosConfig.getServicePrincipalName());
+ String serviceNameForm = kerberosConfig.getServicePrincipalNameForm();
+
+ if (KerberosConfig.USERNAME_NAME_FORM.equals(serviceNameForm)) {
+ kerberosValidator.setUsernameServiceNameForm(true);
+ }
+
+ String principalName = kerberosConfig.getPrincipalName();
+ if (null == principalName){
+ log.debug("Principal name is not available in the KerberosConfig.Using the Rampart configuration's user.");
+ principalName = rampartConfig.getUser();
+ }
+
+ String password = kerberosConfig.getPrincipalPassword();
+ if (password == null) {
+ log.debug("Principal password is not available in the KerberosConfig.Trying with the configured Rampart password callback.");
+ CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
+
+ if (handler != null) {
+ WSPasswordCallback[] cb = {
+ new WSPasswordCallback(principalName, WSPasswordCallback.CUSTOM_TOKEN)
+ };
+
+ try {
+ handler.handle(cb);
+ if (cb[0].getPassword() != null && !"".equals(cb[0].getPassword())) {
+ password = cb[0].getPassword();
+ }
+ } catch (IOException e) {
+ throw new RampartException("errorInGettingPasswordForUser", new String[] { principalName }, e);
+ } catch (UnsupportedCallbackException e) {
+ throw new RampartException("errorInGettingPasswordForUser", new String[] { principalName }, e);
+ }
+ } else{
+ log.debug("No Rampart password handler is configured.");
+ }
+ }
+
+ if (principalName != null && password != null) {
+ NamePasswordCallbackHandler cb = new NamePasswordCallbackHandler(principalName, password);
+ kerberosValidator.setCallbackHandler(cb);
+ }
+
+ config.setValidator(WSSecurityEngine.BINARY_TOKEN, kerberosValidator);
+ log.debug("KerberosTokenValidator is configured and set for BINARY_TOKEN.");
+ } else {
+ log.debug("KerberosConfig is not found.Skipping configurating and setting of a Kerberos validator.");
+ }
+ }
+ }
+ }
+
+ engine.setWssConfig(config);
+ }
+
ValidatorData data = new ValidatorData(rmd);
SOAPHeader header = rmd.getMsgContext().getEnvelope().getHeader();
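Review bot: `config.setValidator(WSSecurityEngine.BINARY_TOKEN, kerberosValidator)` mutates the WSSConfig returned by `engine.getWssConfig()` on every inbound message, building a new KerberosTokenValidator (and re-running the password callback) each time; if that WSSConfig instance is shared across message contexts, which this hunk cannot confirm, the validator and the principal credentials it wraps outlive the request and are also applied to services that never asked for Kerberos. The trailing `engine.setWssConfig(config);` is redundant, since `config` is the very object the engine already holds, and the `for` loop keeps reinstalling the validator for every KerberosToken in the list, so a `break;` after the first match would avoid repeating the callback. Because the validator is keyed on BINARY_TOKEN, every BinarySecurityToken in the header, X.509 ones included, is routed through it; confirm that the WSS4J KerberosTokenValidator returns non-Kerberos credentials unchanged, otherwise X.509 endorsing tokens on the same service stop validating. The enclosing method continues outside this hunk.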
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java Sat Jan 14 12:22:55 2017
@@ -17,7 +17,10 @@
package org.apache.rampart.builder;
import org.apache.axiom.om.OMElement;
+import org.apache.axis2.addressing.AddressingConstants;
+import org.apache.axis2.addressing.AddressingHelper;
import org.apache.axis2.client.Options;
+import org.apache.axis2.description.AxisEndpoint;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.EncryptedKeyToken;
@@ -28,6 +31,7 @@ import org.apache.rampart.RampartMessage
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.policy.SupportingPolicyData;
import org.apache.rampart.policy.model.RampartConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.Constants;
import org.apache.ws.secpolicy.SPConstants;
@@ -38,6 +42,7 @@ import org.apache.ws.secpolicy.model.Sup
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
+import org.apache.ws.security.NamePasswordCallbackHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSPasswordCallback;
@@ -53,6 +58,7 @@ import org.apache.ws.security.message.WS
import org.apache.ws.security.message.WSSecSignatureConfirmation;
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
@@ -846,5 +852,96 @@ public abstract class BindingBuilder {
}
}
-
+ protected KerberosSecurity addKerberosToken(RampartMessageData rmd, Token token)
+ throws RampartException {
+ RampartPolicyData rpd = rmd.getPolicyData();
+ KerberosConfig krbConfig = rpd.getRampartConfig().getKerberosConfig();
+
+ if (krbConfig == null) {
+ throw new RampartException("noKerberosConfigDefined");
+ }
+
+ log.debug("Token inclusion: " + token.getInclusion());
+
+ String user = krbConfig.getPrincipalName();
+ if (user == null) {
+ user = rpd.getRampartConfig().getUser();
+ }
+
+ String password = krbConfig.getPrincipalPassword();
+ if (password == null) {
+ CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
+
+ if (handler != null) {
+ if (user == null) {
+ log.debug("Password callback is configured but no user value is specified in the configuration");
+ throw new RampartException("userMissing");
+ }
+
+ //TODO We do not have a separate usage type for Kerberos token, let's use custom token
+ WSPasswordCallback[] cb = { new WSPasswordCallback(user, WSPasswordCallback.CUSTOM_TOKEN) };
+ try {
+ handler.handle(cb);
+ if (cb[0].getPassword() != null && !"".equals(cb[0].getPassword())) {
+ password = cb[0].getPassword();
+ }
+ } catch (IOException e) {
+ throw new RampartException("errorInGettingPasswordForUser", new String[] { user }, e);
+ } catch (UnsupportedCallbackException e) {
+ throw new RampartException("errorInGettingPasswordForUser", new String[] { user }, e);
+ }
+ }
+ }
+
+ String principalName = null;
+ boolean isUsernameServiceNameForm = KerberosConfig.USERNAME_NAME_FORM.equals(krbConfig.getServicePrincipalNameForm());
+
+ AxisEndpoint endpoint = rmd.getMsgContext().findEndpoint();
+ if (endpoint != null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Identified endpoint: " + endpoint.getName() + ". Looking for SPN identity claim.");
+ }
+
+ OMElement addressingIdentity = AddressingHelper.getAddressingIdentityParameterValue(endpoint);
+ if (addressingIdentity != null) {
+ OMElement spnClaim = addressingIdentity.getFirstChildWithName(AddressingConstants.QNAME_IDENTITY_SPN);
+ if (spnClaim != null) {
+ principalName = spnClaim.getText();
+ isUsernameServiceNameForm = false;
+ if (log.isDebugEnabled()) {
+ log.debug("Found SPN identity claim: " + principalName);
+ }
+ }
+ else {
+ OMElement upnClaim = addressingIdentity.getFirstChildWithName(AddressingConstants.QNAME_IDENTITY_UPN);
+ if (upnClaim != null) {
+ principalName = upnClaim.getText();
+ isUsernameServiceNameForm = true;
+ if (log.isDebugEnabled()) {
+ log.debug("Found UPN identity claim: " + principalName);
+ }
+ }
+ else if (log.isDebugEnabled()) {
+ log.debug(String.format("Neither SPN nor UPN identity claim found in %s EPR element for endpoint %s.", addressingIdentity.getQName().toString(), endpoint.getName()));
+ }
+ }
+ }
+ }
+
+ if (principalName == null) {
+ principalName = krbConfig.getServicePrincipalName();
+ }
+
+ try {
+ KerberosSecurity bst = new KerberosSecurity(rmd.getDocument());
+
+ NamePasswordCallbackHandler cb = new NamePasswordCallbackHandler(user, password);
+ bst.retrieveServiceTicket(krbConfig.getJaasContext(), cb, principalName, isUsernameServiceNameForm,
+ krbConfig.isRequstCredentialDelegation(), krbConfig.getDelegationCredential());
+
+ return bst;
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInBuildingKereberosToken", e);
+ }
+ }
}
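Review bot: An SPN or UPN found in the endpoint's WS-Addressing identity claim silently overrides the explicitly configured `servicePrincipalName` (and flips `isUsernameServiceNameForm`), so the principal a ticket is requested for, and with `requestCredentialDelegation` the principal the caller's credentials are delegated to, is decided by whatever produced the endpoint description rather than by the Rampart policy. Where that description originates from a fetched WSDL this is an SPN-substitution risk; at minimum emit a warning when a configured name is present and differs, e.g. `if (krbConfig.getServicePrincipalName() != null && !krbConfig.getServicePrincipalName().equals(principalName)) log.warn("EPR identity claim overrides configured servicePrincipalName");`, and document the precedence in a Javadoc on `addKerberosToken`. The first statement dereferences `rpd.getRampartConfig()` without a null check, so a policy carrying a KerberosToken but no RampartConfig fails with a NullPointerException instead of the intended `noKerberosConfigDefined` RampartException; guard it with `if (rpd.getRampartConfig() == null || rpd.getRampartConfig().getKerberosConfig() == null)`. The `log.debug("Token inclusion: " + ...)` concatenation should also be wrapped in `isDebugEnabled()` like the other debug lines in this method.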
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java Sat Jan 14 12:22:55 2017
@@ -32,6 +32,7 @@ import org.apache.ws.secpolicy.SPConstan
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.IssuedToken;
+import org.apache.ws.secpolicy.model.KerberosToken;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SignedEncryptedParts;
import org.apache.ws.secpolicy.model.SupportingToken;
@@ -44,10 +45,16 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.*;
+import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.ws.security.util.Base64;
+import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignatureMethod;
+
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
@@ -138,6 +145,8 @@ public class TransportBindingBuilder ext
} else if (token instanceof SecureConversationToken) {
handleSecureConversationTokens(rmd, (SecureConversationToken) token);
signatureValues.add(doSecureConversationSignature(rmd, token, signdParts));
+ } else if (token instanceof KerberosToken) {
+ signatureValues.add(doKerberosTokenSignature(rmd, (KerberosToken)token, signdParts));
}
}
}
@@ -292,6 +301,78 @@ public class TransportBindingBuilder ext
}
+ /**
+ * Generates a signature over the timestamp element (if any) using the Kerberos client/server session key.
+ *
+ * @param rmd
+ * @param token
+ * @param signdParts
+ */
+ private byte[] doKerberosTokenSignature(RampartMessageData rmd, KerberosToken token, SignedEncryptedParts signdParts) throws RampartException {
+
+ Document doc = rmd.getDocument();
+
+ List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
+
+ //TODO Shall we always include a timestamp?
+ if (this.timestampElement != null) {
+ sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
+ }
+
+ if (signdParts != null) {
+ if (signdParts.isBody()) {
+ SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
+ sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
+ }
+
+ ArrayList headers = signdParts.getHeaders();
+ for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
+ Header header = (Header) iterator.next();
+ WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
+ header.getNamespace(),
+ "Content");
+ sigParts.add(wep);
+ }
+ }
+
+ try {
+ KerberosSecurity kerberosBst = addKerberosToken(rmd, token);
+ kerberosBst.setID("Id-" + kerberosBst.hashCode());
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+
+ if (token.isRequiresKeyIdentifierReference()) {
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+
+ byte[] digestBytes = WSSecurityUtil.generateDigest(kerberosBst.getToken());
+ sign.setCustomTokenId(Base64.encode(digestBytes));
+ sign.setCustomTokenValueType(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+ }
+ else {
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+
+ sign.setCustomTokenId(kerberosBst.getID());
+ sign.setCustomTokenValueType(kerberosBst.getValueType());
+ }
+
+ SecretKey secretKey = kerberosBst.getSecretKey();
+ sign.setSecretKey(secretKey.getEncoded());
+
+ sign.prepare(doc, null, rmd.getSecHeader());
+
+ WSSecurityUtil.prependChildElement(rmd.getSecHeader().getSecurityHeader(), kerberosBst.getElement());
+
+ List<Reference> referenceList = sign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ sign.computeSignature(referenceList, false, null);
+
+ return sign.getSignatureValue();
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithKerberosToken", e);
+ }
+ }
+
private void appendToHeader(WSSecHeader secHeader, Element appendingChild) {
// TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
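Review bot: `sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1)` pins the symmetric signature to HMAC-SHA1 and sets no digest algorithm, so the policy's AlgorithmSuite is ignored and a policy selecting a SHA-256 suite still emits SHA-1 signatures that the receiver's policy check may reject; derive both from the suite, e.g. `sign.setSignatureAlgorithm(rmd.getPolicyData().getAlgorithmSuite().getSymmetricSignature());` (accessor names to be confirmed against the AlgorithmSuite model). `kerberosBst.setID("Id-" + kerberosBst.hashCode())` builds the wsu:Id from an identity hash, which is not guaranteed unique within a document and differs from how the other tokens in this builder obtain their ids. The `//TODO Shall we always include a timestamp?` is security-relevant rather than cosmetic: with no Timestamp in the policy and no signed parts, `sigParts` is empty and the HMAC covers nothing, giving no replay or message-binding protection, so this case should fail or at least log a warning.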
Added: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/KerberosConfigBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/KerberosConfigBuilder.java?rev=1778761&view=auto
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/KerberosConfigBuilder.java (added)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/KerberosConfigBuilder.java Sat Jan 14 12:22:55 2017
@@ -0,0 +1,105 @@
+/*
+ * Copyright 2001-2014 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rampart.policy.builders;
+
+import javax.xml.namespace.QName;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.neethi.Assertion;
+import org.apache.neethi.AssertionBuilderFactory;
+import org.apache.neethi.builders.AssertionBuilder;
+import org.apache.rampart.policy.model.KerberosConfig;
+import org.apache.rampart.policy.model.RampartConfig;
+
+/**
+ * Builder for {@link KerberosConfig} assertion.
+ */
+public class KerberosConfigBuilder implements AssertionBuilder<OMElement> {
+
+ /* (non-Javadoc)
+ * @see org.apache.neethi.builders.AssertionBuilder#build(java.lang.Object,
+ * org.apache.neethi.AssertionBuilderFactory)
+ */
+ public Assertion build(OMElement element, AssertionBuilderFactory factory)
+ throws IllegalArgumentException {
+
+ KerberosConfig kerberosConfig = new KerberosConfig();
+
+ OMElement childElement;
+
+ childElement = element.getFirstChildWithName(
+ new QName(RampartConfig.NS, KerberosConfig.JAAS_CONTEXT_LN));
+ if (childElement != null) {
+ if (null == kerberosConfig.getJaasContext()) {
+ kerberosConfig.setJaasContext(childElement.getText().trim());
+ }
+ }
+
+ childElement = element.getFirstChildWithName(
+ new QName(RampartConfig.NS, KerberosConfig.PRINCIPAL_NAME_LN));
+ if (childElement != null) {
+ if (null == kerberosConfig.getPrincipalName()) {
+ kerberosConfig.setPrincipalName(childElement.getText().trim());
+ }
+ }
+
+ childElement = element.getFirstChildWithName(
+ new QName(RampartConfig.NS, KerberosConfig.PRINCIPAL_PASSWORD_LN));
+ if (childElement != null) {
+ if (null == kerberosConfig.getPrincipalPassword()) {
+ kerberosConfig.setPrincipalPassword(childElement.getText().trim());
+ }
+ }
+
+ childElement = element.getFirstChildWithName(new QName(RampartConfig.NS,
+ KerberosConfig.SERVICE_PRINCIPAL_NAME_LN));
+ if (childElement != null) {
+ kerberosConfig.setServicePrincipalName(childElement.getText().trim());
+ }
+
+ childElement = element.getFirstChildWithName(new QName(RampartConfig.NS,
+ KerberosConfig.SERVICE_PRINCIPAL_NAME_FORM_LN));
+ if (childElement != null) {
+ kerberosConfig.setServicePrincipalNameForm(
+ childElement.getText().trim());
+ }
+
+ childElement = element.getFirstChildWithName(new QName(RampartConfig.NS,
+ KerberosConfig.KERBEROS_TOKEN_DECODER_CLASS_LN));
+ if (childElement != null) {
+ kerberosConfig.setKerberosTokenDecoderClass(
+ childElement.getText().trim());
+ }
+
+ childElement = element.getFirstChildWithName(new QName(
+ RampartConfig.NS, KerberosConfig.REQUEST_CREDENTIAL_DELEGATION_LN));
+ if (childElement != null) {
+ kerberosConfig.setRequstCredentialDelegation(Boolean.valueOf(childElement.getText().trim()));
+ }
+
+ return kerberosConfig;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.neethi.builders.AssertionBuilder#getKnownElements()
+ */
+ public QName[] getKnownElements() {
+ return new QName[] {
+ new QName(RampartConfig.NS, KerberosConfig.KERBEROS_LN)
+ };
+ }
+}
+
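Review bot: `principalPassword` is read as plain text straight out of the policy document with no warning, so client and service credentials end up in policy XML that is typically committed alongside configuration; a class-level Javadoc note such as `Storing principalPassword in the policy is discouraged; prefer a keytab-backed JAAS context or the Rampart password callback, both supported by this patch` would steer users to the safer options. The `if (null == kerberosConfig.getJaasContext())`-style guards around the first three setters wrap a freshly constructed KerberosConfig and are therefore always true; drop them so those blocks read like the remaining four. `Boolean.valueOf(...)` maps any unrecognised value (e.g. `yes`) to false, which is the safe direction for delegation, but a one-line comment, `// anything other than "true" leaves credential delegation disabled`, makes the fail-closed behaviour deliberate rather than accidental.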
Propchange: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/KerberosConfigBuilder.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java Sat Jan 14 12:22:55 2017
@@ -22,6 +22,7 @@ import org.apache.neethi.Assertion;
import org.apache.neethi.AssertionBuilderFactory;
import org.apache.neethi.builders.AssertionBuilder;
import org.apache.rampart.policy.model.CryptoConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
import org.apache.rampart.policy.model.OptimizePartsConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.rampart.policy.model.SSLConfig;
@@ -88,6 +89,16 @@ public class RampartConfigBuilder implem
}
+ childElement = element.getFirstChildWithName(new QName(
+ RampartConfig.NS, RampartConfig.KERBEROS_CONFIG));
+ if (childElement != null) {
+ KerberosConfig kerberosConfig = (KerberosConfig)new KerberosConfigBuilder().
+ build(childElement,
+ factory);
+ rampartConfig.setKerberosConfig(kerberosConfig);
+
+ }
+
childElement = element.getFirstChildWithName(new QName(
RampartConfig.NS, RampartConfig.SIG_CRYPTO_LN));
if (childElement != null) {
Added: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/KerberosConfig.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/KerberosConfig.java?rev=1778761&view=auto
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/KerberosConfig.java (added)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/KerberosConfig.java Sat Jan 14 12:22:55 2017
@@ -0,0 +1,356 @@
+/*
+ * Copyright 2001-2014 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rampart.policy.model;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
+
+import org.apache.neethi.Assertion;
+import org.apache.neethi.Constants;
+import org.apache.neethi.PolicyComponent;
+import org.apache.rampart.RampartException;
+import org.ietf.jgss.GSSCredential;
+
+/**
+ * Container for Kerberos configuration options.
+ */
+public class KerberosConfig implements Assertion {
+
+ public final static String KERBEROS_LN = RampartConfig.KERBEROS_CONFIG;
+
+ public final static String JAAS_CONTEXT_LN = "jaasContext";
+
+ public final static String PRINCIPAL_NAME_LN = "principalName";
+
+ public final static String PRINCIPAL_PASSWORD_LN = "principalPassword";
+
+ public final static String SERVICE_PRINCIPAL_NAME_LN = "servicePrincipalName";
+
+ public final static String SERVICE_PRINCIPAL_NAME_FORM_LN = "servicePrincipalNameForm";
+
+ public final static String KERBEROS_TOKEN_DECODER_CLASS_LN = "kerberosTokenDecoderClass";
+
+ public final static String REQUEST_CREDENTIAL_DELEGATION_LN = "requestCredentialDelegation";
+
+ public final static String DELEGATION_CREDENTIAL_LN = "delegationCredential";
+ /**
+ * Specifies that the service principal name should be interpreted as a
+ * "host-based" name as specified in GSS API RFC,
+ * section "4.1: Host-Based Service Name Form".
+ * See <a href="http://www.ietf.org/rfc/rfc2743.txt">rfc2743 - GSS
+ * API, Version 2</a>.
+ */
+ public final static String HOST_BASED_NAME_FORM = "hostbased";
+
+ /**
+ * Specifies that the service principal name should be interpreted as a
+ * "username" name as specified in GSS API RFC,
+ * section "4.2: User Name Form".
+ * See <a href="http://www.ietf.org/rfc/rfc2743.txt">rfc2743 - GSS API, Version
+ * 2</a>.
+ */
+ public final static String USERNAME_NAME_FORM = "username";
+
+ private String jaasContext;
+
+ private String principalName;
+
+ private String principalPassword;
+
+ private String servicePrincipalName;
+
+ private String servicePrincipalNameForm;
+
+ private String kerberosTokenDecoderClass;
+
+ private boolean requstCredentialDelegation;
+
+ private GSSCredential delegationCredential;
+
+ /**
+ * @return The JAAS context name to use to obtain a TGT (Ticket granting ticket).
+ */
+ public String getJaasContext() {
+ return jaasContext;
+ }
+ /**
+ * Sets the JAAS context name to use to obtain a TGT (Ticket granting ticket).
+ * @param jaasContext the jaasContext to set
+ */
+ public void setJaasContext(String jaasContext) {
+ this.jaasContext = jaasContext;
+ }
+
+ /**
+ * @return The principal name to use to obtain a TGT (Ticket granting ticket).
+ * This is usually the domain username.
+ * If not specified, Rampart will fall back to the Rampart configuration's
+ * {@link RampartConfig#getUser() user}.
+ * Note that the principal name specified in JAAS configuration takes precedence
+ * over any principal name configured here.
+ */
+ public String getPrincipalName() {
+ return principalName;
+ }
+
+ /**
+ * Sets the principal name to use to obtain a TGT (Ticket granting ticket).
+ * This is usually the domain username. If* not specified, Rampart will fall back
+ * to the Rampart configuration's {@link RampartConfig#getUser() user}.
+ * Note that the principal name specified in JAAS configuration takes precedence
+ * over any principal name configured via this method.
+ * @param principalName the principalName to set
+ */
+ public void setPrincipalName(String principalName) {
+ this.principalName = principalName;
+ }
+
+ /**
+ * @return Returns the principal's clear-text password. If the password is not
+ * configured (null), Rampart will try to obtain it from any configured
+ * {@link RampartConfig#getPwCbClass() password callback}. Note that any
+ * principal password configured here will be ignored if the JAAS configuration
+ * configures usage of a keytab file.
+ */
+ public String getPrincipalPassword() {
+ return principalPassword;
+ }
+
+ /**
+ * Sets the principal's clear-text password. If the password is not configured
+ * (null), Rampart will try to obtain it from any configured
+ * {@link RampartConfig#getPwCbClass() password callback}. Note that any
+ * principal password configured here will be ignored if the JAAS configuration
+ * configures usage of a keytab file.
+ */
+ public void setPrincipalPassword(String principalPassword) {
+ this.principalPassword = principalPassword;
+ }
+
+ /**
+ * @return The service principal name to use to obtain a service ticket on the
+ * client-side. Note that by default,
+ * this name is assumed to be in a {@link #HOST_BASED_NAME_FORM} unless the
+ * {@link #setServicePrincipalNameForm(String) service principal name form} is
+ * explicitly configured.
+ */
+ public String getServicePrincipalName() {
+ return servicePrincipalName;
+ }
+
+ /**
+ * Sets service principal name to use to obtain a service ticket on the
+ * client-side. Note that by default, this name is assumed to be in a
+ * {@link #HOST_BASED_NAME_FORM} unless the
+ * {@link #setServicePrincipalNameForm(String)
+ * service principal name form} is explicitly configured.
+ */
+ public void setServicePrincipalName(String servicePrincipalName) {
+ this.servicePrincipalName = servicePrincipalName;
+ }
+
+ /**
+ * Returns the service principal name form.
+ * @return Either {@value #HOST_BASED_NAME_FORM} or {@value #USERNAME_NAME_FORM}.
+ * Default is: {@value #HOST_BASED_NAME_FORM}.
+ */
+ public String getServicePrincipalNameForm() {
+ if (servicePrincipalNameForm == null) {
+ return HOST_BASED_NAME_FORM;
+ }
+ return servicePrincipalNameForm;
+ }
+
+ /**
+ * Configures a Kerberos token decoder implementation for decoding Kerberos v5 tokens on server side.
+ * The decoder will be used only if the Kerberos client/server session key cannot be obtained using Java's {@link com.sun.security.jgss.ExtendedGSSContext} API,
+ * which is normally the case when using Java version older than 1.7.0_b07,
+ * see <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6710360"> JDK-6710360 : export Kerberos session key to applications</a>.
+ * <p>
+ * The class will be loaded using current service's {@link org.apache.axis2.description.AxisService#getClassLoader() classloader}.
+ * </p>
+ *
+ * @param kerberosTokenValidatorClass A fully qualifier class name that implements {@link org.apache.ws.security.validate.KerberosTokenValidator}.
+ */
+ public void setKerberosTokenDecoderClass(String kerberosTokenDecoderClass) {
+ this.kerberosTokenDecoderClass = kerberosTokenDecoderClass;
+ }
+
+ /**
+ * Returns the Kerberos token decoder implementation for decoding Kerberos v5 tokens on server side.
+ * The decoder will be used only if the Kerberos client/server session key cannot be obtained using Java's {@link com.sun.security.jgss.ExtendedGSSContext} API,
+ * which is normally the case when using Java version older than 1.7.0_b07,
+ * see <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6710360"> JDK-6710360 : export Kerberos session key to applications</a>
+ *
+ * @return A fully qualifier class name that implements {@link org.apache.ws.security.validate.KerberosTokenValidator} or <code>null</code> if no Kerberos token decoder is configured.
+ */
+ public String getKerberosTokenDecoderClass() {
+ return this.kerberosTokenDecoderClass;
+ }
+
+ /**
+ * Sets the service principal name form.
+ * @param servicePrincipalNameForm The service principal name form to set.
+ * The given literal must be either {@value #HOST_BASED_NAME_FORM} or
+ * {@value #USERNAME_NAME_FORM}.
+ * @throws IllegalArgumentException If the given
+ * <code>servicePrincipalNameForm</code> is not one of:
+ * {@value #HOST_BASED_NAME_FORM} or {@value #USERNAME_NAME_FORM}.
+ */
+ public void setServicePrincipalNameForm(String servicePrincipalNameForm)
+ throws IllegalArgumentException {
+
+ if (!HOST_BASED_NAME_FORM.equals(servicePrincipalNameForm) &&
+ !USERNAME_NAME_FORM.equals(servicePrincipalNameForm)) {
+ throw new IllegalArgumentException(
+ new RampartException("invalidServicePrincipalNameForm",
+ new String[] {
+ servicePrincipalNameForm,
+ HOST_BASED_NAME_FORM,
+ USERNAME_NAME_FORM }));
+ }
+ this.servicePrincipalNameForm = servicePrincipalNameForm;
+ }
+
+ /**
+ * If Kerberos credential delegation is requested, the initiator's TGT (Ticket granting ticket) is propagated to the receiver
+ * along with the TGS(Ticket granting service).
+ *
+ * @return true if credential delegation is requested.
+ */
+ public boolean isRequstCredentialDelegation() {
+ return requstCredentialDelegation;
+ }
+
+ /**
+ * Enables Kerberos credential delegation. If credential delegation is requested, the initiator's TGT (Ticket
+ * granting ticket) is propagated to the receiver along with the TGS(Ticket granting service). <br/>
+ * <br/>
+ *
+ * Enabling delegation requires <b>forwardable=true</b> property to be added to the <b>[libdefaults]</b> section in
+ * the Kerberos setup configuration.KDC should also be explicitly configured to allow delegation as it is considered
+ * a security issue and is disabled by default.
+ *
+ * @param requstCredentialDelegation if true, credential delegation is requested.
+ */
+ public void setRequstCredentialDelegation(boolean requstCredentialDelegation) {
+ this.requstCredentialDelegation = requstCredentialDelegation;
+ }
+
+ /**
+ * The delegation credential is available when the initiator has explicitly requested delegation through
+ * {@link KerberosConfig#setRequstCredentialDelegation(boolean)} and the receiver has retrieved it and set it
+ * through {@link KerberosConfig#setDelegationCredential(GSSCredential)}.
+ *
+ * If available, the delegation credential is used by the receiver to obtain a service ticket for another
+ * Kerberos protected WS on behalf of the initiator. The receiver's principal must have explicit privileges to use
+ * the delegated credential(TGT) for retrieval of the service ticket.
+ *
+ * @return the client's TGT wrapped in {@link GSSCredential}
+ */
+ public GSSCredential getDelegationCredential() {
+ return delegationCredential;
+ }
+
+ /**
+ * Sets the delegation credential to be used by the receiver to obtain a service ticket for another
+ * Kerberos protected WS on behalf of the initiator. The receiver's principal must have explicit privileges to use
+ * the delegated credential(TGT) for retrieval of the service ticket.
+ *
+ * @param delegationCredential the {@link GSSCredential} to use for obtaining a TGS
+ */
+ public void setDelegationCredential(GSSCredential delegationCredential) {
+ this.delegationCredential = delegationCredential;
+ }
+
+ public PolicyComponent normalize() {
+ throw new UnsupportedOperationException();
+ }
+
+ public QName getName() {
+ return new QName(RampartConfig.NS, KERBEROS_LN);
+ }
+
+ public boolean isOptional() {
+ return true;
+ }
+
+ public boolean isIgnorable() {
+ throw new UnsupportedOperationException();
+ }
+
+ public short getType() {
+ return Constants.TYPE_ASSERTION;
+ }
+
+ public boolean equal(PolicyComponent policyComponent) {
+ throw new UnsupportedOperationException();
+ }
+
+ public void serialize(XMLStreamWriter writer) throws XMLStreamException {
+ String prefix = writer.getPrefix(RampartConfig.NS);
+
+ if (prefix == null) {
+ prefix = RampartConfig.NS;
+ writer.setPrefix(prefix, RampartConfig.NS);
+ }
+
+ if (getJaasContext() != null) {
+ writer.writeStartElement(RampartConfig.NS, JAAS_CONTEXT_LN);
+ writer.writeCharacters(getJaasContext());
+ writer.writeEndElement();
+ }
+
+ if (getPrincipalName() != null) {
+ writer.writeStartElement(RampartConfig.NS, PRINCIPAL_NAME_LN);
+ writer.writeCharacters(getPrincipalName());
+ writer.writeEndElement();
+ }
+
+ if (getPrincipalPassword() != null) {
+ writer.writeStartElement(RampartConfig.NS, PRINCIPAL_PASSWORD_LN);
+ writer.writeCharacters(getPrincipalPassword());
+ writer.writeEndElement();
+ }
+
+ if (getServicePrincipalName() != null) {
+ writer.writeStartElement(RampartConfig.NS, SERVICE_PRINCIPAL_NAME_LN);
+ writer.writeCharacters(getServicePrincipalName());
+ writer.writeEndElement();
+ }
+
+ if (this.servicePrincipalNameForm != null) {
+ writer.writeStartElement(RampartConfig.NS,
+ SERVICE_PRINCIPAL_NAME_FORM_LN);
+ writer.writeCharacters(this.servicePrincipalNameForm);
+ writer.writeEndElement();
+ }
+
+ if (this.kerberosTokenDecoderClass != null) {
+ writer.writeStartElement(RampartConfig.NS,
+ KERBEROS_TOKEN_DECODER_CLASS_LN);
+ writer.writeCharacters(this.kerberosTokenDecoderClass);
+ writer.writeEndElement();
+ }
+
+ if (this.requstCredentialDelegation) {
+ writer.writeStartElement(RampartConfig.NS, REQUEST_CREDENTIAL_DELEGATION_LN);
+ writer.writeCharacters(Boolean.toString(this.requstCredentialDelegation));
+ writer.writeEndElement();
+ }
+ }
+}
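Review bot: `serialize()` writes the clear-text `principalPassword` back into the policy XML, so any path that re-serializes the effective policy (including the `RampartConfig.serialize` call this commit adds) carries the secret along with it; if that is intended, state it on `getPrincipalPassword()`, e.g. `Note: the password is emitted verbatim by {@link #serialize(XMLStreamWriter)}; a serialized policy containing it must be treated as sensitive.` The Javadoc on `setKerberosTokenDecoderClass` names `@param kerberosTokenValidatorClass` while the parameter is `kerberosTokenDecoderClass`, and both that Javadoc and the getter's say the class implements `KerberosTokenValidator`, whereas `RampartUtil.getKerberosTokenDecoder` in this commit casts the instance to `KerberosTokenDecoder`; align the tag and the named type and fix "fully qualifier" to "fully qualified". The public names `isRequstCredentialDelegation`/`setRequstCredentialDelegation` and the field `requstCredentialDelegation` misspell "request"; since this is new public API, renaming to `isRequestCredentialDelegation`/`setRequestCredentialDelegation` now (the test in this commit is the only visible caller) avoids carrying the typo forever. Finally, `delegationCredential` is receiver-side runtime state (a `GSSCredential` obtained from a particular initiator) kept in what is otherwise a static configuration object; if the `KerberosConfig` instance is shared across requests to a service, as policy objects usually are, concurrent requests could observe each other's delegated credential, so the intended lifetime and ownership of that field should be documented on `setDelegationCredential`.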
Propchange: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/KerberosConfig.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java Sat Jan 14 12:22:55 2017
@@ -114,6 +114,8 @@ public class RampartConfig implements As
public final static String SSL_CONFIG = "sslConfig";
+ public final static String KERBEROS_CONFIG = "kerberosConfig";
+
private String user;
private String userCertAlias;
@@ -150,7 +152,17 @@ public class RampartConfig implements As
private String nonceLifeTime = Integer.toString(DEFAULT_NONCE_LIFE_TIME);
private SSLConfig sslConfig;
+
+ private KerberosConfig kerberosConfig;
+
+ public KerberosConfig getKerberosConfig() {
+ return kerberosConfig;
+ }
+ public void setKerberosConfig(KerberosConfig kerberosConfig) {
+ this.kerberosConfig = kerberosConfig;
+ }
+
/*To set timeStampStrict in WSSConfig through rampartConfig - default value is false*/
private boolean timeStampStrict = false;
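Review bot: The new `getKerberosConfig`/`setKerberosConfig` pair has no Javadoc and is placed between the private field declarations rather than with the class's other accessors, and no blank line separates the two methods. Suggest `/** @return the Kerberos configuration parsed from the {@code kerberosConfig} assertion, or {@code null} if none was configured. */` on the getter and moving both methods next to the existing accessors. The class body continues outside the hunk.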
@@ -392,6 +404,12 @@ public class RampartConfig implements As
writer.writeEndElement();
}
+ if (kerberosConfig != null) {
+ writer.writeStartElement(NS, KERBEROS_CONFIG);
+ kerberosConfig.serialize(writer);
+ writer.writeEndElement();
+ }
+
writer.writeEndElement();
}
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java Sat Jan 14 12:22:55 2017
@@ -29,6 +29,7 @@ import org.apache.axis2.client.Options;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.dataretrieval.DRConstants;
import org.apache.axis2.dataretrieval.client.MexClient;
+import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.mex.MexConstants;
import org.apache.axis2.mex.MexException;
@@ -55,6 +56,7 @@ import org.apache.rampart.RampartMessage
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.policy.SupportingPolicyData;
import org.apache.rampart.policy.model.CryptoConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.*;
@@ -75,6 +77,7 @@ import org.apache.ws.security.message.WS
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.util.Loader;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.validate.KerberosTokenDecoder;
import org.apache.xml.security.utils.Constants;
import org.jaxen.JaxenException;
import org.jaxen.XPath;
@@ -165,6 +168,64 @@ public class RampartUtil {
return cbHandler;
}
+ /**
+ * Instantiates any Kerberos token decoder implementation configured via {@link KerberosConfig#setKerberosTokenDecoderClass(String)}
+ * using the {@link AxisService#getClassLoader() class loader} of the specified message context's {@link MessageContext#getAxisService() service}.
+ *
+ * @param msgContext The current message context. Must not be null and must contain a valid service instance.
+ * @param kerberosConfig Rampart's Kerberos configuration.
+ *
+ * @return A new instance of {@link KerberosTokenDecoder} implementation configured via {@link KerberosConfig#setKerberosTokenDecoderClass(String)} or <code>null</code>
+ * if no Kerberos token decoder is configured.
+ * @throws RampartException If the class cannot be loaded or instantiated.
+ */
+ public static KerberosTokenDecoder getKerberosTokenDecoder(MessageContext msgContext, KerberosConfig kerberosConfig) throws RampartException {
+ if (kerberosConfig == null) {
+ throw new IllegalArgumentException("Kerberos config must not be null");
+ }
+ else if (msgContext == null) {
+ throw new IllegalArgumentException("Message context must not be null");
+ }
+
+ AxisService service = msgContext.getAxisService();
+ if (service == null) {
+ throw new IllegalArgumentException("No service available in message context: " + msgContext.getLogIDString());
+ }
+
+ KerberosTokenDecoder kerberosTokenDecoder;
+
+ String kerberosTokenDecoderClass = kerberosConfig.getKerberosTokenDecoderClass();
+ if (kerberosTokenDecoderClass == null) {
+ if (log.isDebugEnabled()) {
+ log.debug("No Kerberos token decoder class configured for service: " + service.getName());
+ }
+ return null;
+ }
+
+ if (log.isDebugEnabled()) {
+ log.debug(String.format("Loading Kerberos token decoder class '%s' using class loader of service '%s'", kerberosTokenDecoderClass, service.getName()));
+ }
+
+ ClassLoader classLoader = service.getClassLoader();
+ Class krbTokenDecoderClass;
+ try {
+ krbTokenDecoderClass = Loader.loadClass(classLoader, kerberosTokenDecoderClass);
+ }
+ catch (ClassNotFoundException e) {
+ throw new RampartException("cannotLoadKrbTokenDecoderClass",
+ new String[] { kerberosTokenDecoderClass }, e);
+ }
+
+ try {
+ kerberosTokenDecoder = (KerberosTokenDecoder) krbTokenDecoderClass.newInstance();
+ } catch (java.lang.Exception e) {
+ throw new RampartException("cannotCreateKrbTokenDecoderInstance",
+ new String[] { kerberosTokenDecoderClass }, e);
+ }
+
+ return kerberosTokenDecoder;
+ }
+
/**
* Returns an instance of PolicyValidatorCallbackHandler to be used to validate ws-security results.
*
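Review bot: `Class krbTokenDecoderClass` is a raw type and the loaded class is only cast to `KerberosTokenDecoder` at the `newInstance()` call, so a configured class that loads fine but does not implement the interface fails with a `ClassCastException` reported as `cannotCreateKrbTokenDecoderInstance`, which misdescribes the problem to the operator. Declaring `Class<?> krbTokenDecoderClass;` and instantiating with `kerberosTokenDecoder = krbTokenDecoderClass.asSubclass(KerberosTokenDecoder.class).newInstance();` checks the type before any constructor code runs and removes the unchecked cast. The Javadoc lists only `@throws RampartException` while the method also throws `IllegalArgumentException` for a null config, null context or missing service; add `@throws IllegalArgumentException if {@code msgContext} or {@code kerberosConfig} is null, or the message context carries no service.` `catch (java.lang.Exception e)` is wider than needed (`InstantiationException | IllegalAccessException | ClassCastException` covers the visible failure modes), though wrapping with the cause preserved is fine.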
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/META-INF/services/org.apache.neethi.builders.AssertionBuilder
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/META-INF/services/org.apache.neethi.builders.AssertionBuilder?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/META-INF/services/org.apache.neethi.builders.AssertionBuilder (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/META-INF/services/org.apache.neethi.builders.AssertionBuilder Sat Jan 14 12:22:55 2017
@@ -1,3 +1,5 @@
org.apache.rampart.policy.builders.CryptoConfigBuilder
org.apache.rampart.policy.builders.RampartConfigBuilder
-org.apache.rampart.policy.builders.SSLConfigBuilder
\ No newline at end of file
+org.apache.rampart.policy.builders.SSLConfigBuilder
+org.apache.rampart.policy.builders.SSLConfigBuilder
+org.apache.rampart.policy.builders.KerberosConfigBuilder
\ No newline at end of file
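Review bot: `org.apache.rampart.policy.builders.SSLConfigBuilder` ends up listed twice: the removed line is re-added once and then again before the new `KerberosConfigBuilder` entry, so the builder is registered twice with the assertion builder factory. Drop one of the duplicate `SSLConfigBuilder` lines so the file holds exactly the three previous entries plus `org.apache.rampart.policy.builders.KerberosConfigBuilder`. The file also still ends without a trailing newline, which is what turned the unchanged `SSLConfigBuilder` line into a noisy remove/add pair.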
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties Sat Jan 14 12:22:55 2017
@@ -47,6 +47,7 @@ errorInAddingTokenIntoStore = Error in a
errorInDerivedKeyTokenSignature = Error in DerivedKeyToken signature
errorInSignatureWithX509Token = Error in signature with X509Token
errorInSignatureWithACustomToken = Error in signature with a custom token
+errorInSignatureWithKerberosToken = Error in signature with KerberosToken
errorCreatingEncryptedKey = Error in creating an encrypted key
errorGettingSignatureValuesForSigconf = Error in getting signature values for signature confirmation
cannotLoadPWCBClass = Cannot load password callback class: {0}
@@ -105,3 +106,10 @@ invalidNonceLifeTime = Invalid value for
invalidIssuerAddress = Invalid value for Issuer
invalidSignatureAlgo=Invalid signature algorithm for Asymmetric binding
invalidUsernameTokenType = Invalid UsernameToken Type.
+
+#Rampart Kerberos-specific errors
+invalidServicePrincipalNameForm = Invalid servicePrincipalNameForm found in Rampart configuration ({0}). The supported service principal name forms are: \"{1}\", \"{2}\".
+noKerberosConfigDefined = No kerberosConfig policy assertion defined in rampart config.
+errorInBuildingKereberosToken = Error in building kereberos token.
+cannotLoadKrbTokenDecoderClass = Cannot load Kerberos token decoder class: {0}
+cannotCreateKrbTokenDecoderInstance = Cannot create instance of Kerberos token decoder : {0}
\ No newline at end of file
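Review bot: `errorInBuildingKereberosToken = Error in building kereberos token.` misspells Kerberos both in the key and in the user-visible message. The message text can be corrected here to `Error in building Kerberos token.`; renaming the key to `errorInBuildingKerberosToken` requires updating whatever code references it, which is not in this hunk. The file still ends without a trailing newline.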
Added: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/java/org/apache/rampart/policy/builders/KerberosConfigBuilderTest.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/java/org/apache/rampart/policy/builders/KerberosConfigBuilderTest.java?rev=1778761&view=auto
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/java/org/apache/rampart/policy/builders/KerberosConfigBuilderTest.java (added)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/java/org/apache/rampart/policy/builders/KerberosConfigBuilderTest.java Sat Jan 14 12:22:55 2017
@@ -0,0 +1,130 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rampart.policy.builders;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.util.Iterator;
+import java.util.List;
+
+import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
+
+import junit.framework.TestCase;
+
+import org.apache.neethi.Assertion;
+import org.apache.neethi.Policy;
+import org.apache.neethi.PolicyBuilder;
+import org.apache.rampart.policy.RampartPolicyBuilder;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.policy.model.KerberosConfig;
+import org.apache.rampart.policy.model.RampartConfig;
+import org.apache.ws.secpolicy.WSSPolicyException;
+import org.custommonkey.xmlunit.XMLAssert;
+import org.custommonkey.xmlunit.XMLUnit;
+import org.custommonkey.xmlunit.exceptions.XpathException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+public class KerberosConfigBuilderTest extends TestCase {
+
+ public static final String KERBEROS_CONFIG_POLICY_FILE = "kerberosConfig.policy";
+
+ private static Logger log = LoggerFactory.getLogger(KerberosConfigBuilderTest.class);
+
+ public void testBuildKerberosConfig() throws WSSPolicyException {
+ Policy kerberosConfigPolicy = loadKerberosConfigPolicy();
+ assertNotNull(String.format("Failed to parse policy file: %s", KERBEROS_CONFIG_POLICY_FILE), kerberosConfigPolicy);
+
+ Iterator<List<Assertion>> iter = kerberosConfigPolicy.getAlternatives();
+
+ assertTrue(String.format("No policy alternatives found in policy file: %s", KERBEROS_CONFIG_POLICY_FILE), iter.hasNext());
+
+ //Process policy and build policy data
+ RampartPolicyData policyData = RampartPolicyBuilder.build(iter.next());
+
+ RampartConfig rampartConfig = policyData.getRampartConfig();
+ assertNotNull(String.format("No rampartConfig found in policy file: %s", KERBEROS_CONFIG_POLICY_FILE), rampartConfig);
+ KerberosConfig kerberosConfig = rampartConfig.getKerberosConfig();
+ assertNotNull(String.format("No kerberosConfig found in policy file: %s", KERBEROS_CONFIG_POLICY_FILE), kerberosConfig);
+
+ assertEquals("Kerberos jaas context name not configured as expected.", "alice", kerberosConfig.getJaasContext());
+ assertEquals("Kerberos principal name not configured as expected.", "alice", kerberosConfig.getPrincipalName());
+ assertEquals("Kerberos principal password not configured as expected.", "changeit", kerberosConfig.getPrincipalPassword());
+ assertEquals("Kerberos service principal name not configured as expected.", "bob/example.com", kerberosConfig.getServicePrincipalName());
+ assertEquals("Kerberos token decoder class not configured as expected.", "org.foo.KerberosTokenDecoderImpl", kerberosConfig.getKerberosTokenDecoderClass());
+ assertTrue("Request for Kerberos credential delegation is expected to be enabled.", kerberosConfig.isRequstCredentialDelegation());
+ }
+
+ public void testSerializeKerberosConfig() throws XMLStreamException, SAXException, IOException, XpathException {
+ Policy kerberosConfigPolicy = loadKerberosConfigPolicy();
+ assertNotNull(String.format("Failed to parse policy file: %s", KERBEROS_CONFIG_POLICY_FILE), kerberosConfigPolicy);
+
+ //serialize the kerberos config policy
+ StringWriter writer = new StringWriter();
+ XMLStreamWriter streamWriter = null;
+ try {
+ streamWriter = XMLOutputFactory.newInstance().createXMLStreamWriter(writer);
+ kerberosConfigPolicy.serialize(streamWriter);
+ }
+ finally {
+ if (streamWriter != null) {
+ streamWriter.close();
+ }
+ }
+
+ InputStream kerberosConfigStream = null;
+ try {
+ kerberosConfigStream = this.getClass().getResourceAsStream(KERBEROS_CONFIG_POLICY_FILE);
+ XMLUnit.setIgnoreWhitespace(true);
+ XMLAssert.assertXMLEqual("Serialized rampart:kerberosConfig element does not match the initial one.", new InputSource(kerberosConfigStream), new InputSource(new StringReader(writer.toString())));
+ }
+ finally {
+ closeStream(kerberosConfigStream);
+ }
+ }
+
+ private Policy loadKerberosConfigPolicy() {
+ InputStream kerberosConfigStream = null;
+ try {
+ kerberosConfigStream = this.getClass().getResourceAsStream(KERBEROS_CONFIG_POLICY_FILE);
+ PolicyBuilder builder = new PolicyBuilder();
+ return builder.getPolicy(kerberosConfigStream);
+ }
+ finally {
+ closeStream(kerberosConfigStream);
+ }
+ }
+
+ private void closeStream(InputStream in) {
+ if (in != null) {
+ try {
+ in.close();
+ }
+ catch (IOException e) {
+ log.error("Failed to close input stream.", e);
+ }
+ }
+ }
+}
\ No newline at end of file
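Review bot: `testBuildKerberosConfig` never asserts `getServicePrincipalNameForm()` even though the fixture sets `servicePrincipalNameForm` to `username`, so the one non-default value parsed by the new builder is unchecked; add `assertEquals("Kerberos service principal name form not configured as expected.", KerberosConfig.USERNAME_NAME_FORM, kerberosConfig.getServicePrincipalNameForm());`. `loadKerberosConfigPolicy` passes the result of `getResourceAsStream` straight to `PolicyBuilder.getPolicy`, so a missing or misnamed resource surfaces as a NullPointerException rather than a clear assertion failure; an `assertNotNull` on the stream first would help. `XMLUnit.setIgnoreWhitespace(true)` is process-wide state that is never reset, which can silently change the behaviour of other XMLUnit-based tests run in the same JVM.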
Propchange: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/java/org/apache/rampart/policy/builders/KerberosConfigBuilderTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy?rev=1778761&view=auto
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy (added)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy Sat Jan 14 12:22:55 2017
@@ -0,0 +1,22 @@
+<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
+ <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
+ <rampart:timestampTTL>300</rampart:timestampTTL>
+ <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
+ <rampart:timestampStrict>false</rampart:timestampStrict>
+ <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
+ <rampart:kerberosConfig>
+ <rampart:jaasContext>alice</rampart:jaasContext>
+ <rampart:principalName>alice</rampart:principalName>
+ <rampart:principalPassword>changeit</rampart:principalPassword>
+ <rampart:servicePrincipalName>bob/example.com</rampart:servicePrincipalName>
+ <rampart:servicePrincipalNameForm>username</rampart:servicePrincipalNameForm>
+ <rampart:kerberosTokenDecoderClass>org.foo.KerberosTokenDecoderImpl</rampart:kerberosTokenDecoderClass>
+ <rampart:requestCredentialDelegation>true</rampart:requestCredentialDelegation>
+ </rampart:kerberosConfig>
+ </rampart:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
\ No newline at end of file
Modified: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/pom.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/pom.xml?rev=1778761&r1=1778760&r2=1778761&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/pom.xml (original)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/pom.xml Sat Jan 14 12:22:55 2017
@@ -161,6 +161,8 @@
<copy overwrite="yes" file="target/classes/org/apache/rampart/Service.class" tofile="target/temp-ramp/org/apache/rampart/Service.class" />
<copy overwrite="yes" file="target/classes/org/apache/rampart/PWCallback.class" tofile="target/temp-ramp/org/apache/rampart/PWCallback.class" />
+ <copy overwrite="yes" file="target/classes/org/apache/rampart/KerberosDelegationService.class" tofile="target/temp-ramp/org/apache/rampart/KerberosDelegationService.class" />
+ <copy overwrite="yes" file="target/classes/org/apache/rampart/KerberosDelegationServiceValidator.class" tofile="target/temp-ramp/org/apache/rampart/KerberosDelegationServiceValidator.class" />
<copy overwrite="yes" file="src/test/resources/rampart/store.jks" tofile="target/temp-ramp/store.jks" />
<!--path id="ramp.client.props" location="test-resources/rampart"/-->
<!--maven:addPath id="maven.dependency.classpath" refid="ramp.client.props" -->
@@ -311,6 +313,17 @@
<copy overwrite="yes" file="src/test/resources/rampart/issuer.properties" tofile="target/temp-ramp/issuer.properties" />
<copy overwrite="yes" file="src/test/resources/rampart/services-sc-6.xml" tofile="target/temp-ramp/META-INF/services.xml" />
<jar jarfile="target/test-resources/rampart_service_repo/services/SecureServiceSC6.aar" basedir="target/temp-ramp" />
+
+ <!-- Kerberos Services -->
+ <copy overwrite="yes" file="src/test/resources/rampart/kerberos/KerberosOverTransportKeytab.xml" tofile="target/temp-ramp/META-INF/services.xml" />
+ <jar jarfile="target/test-resources/rampart_service_repo/services/KerberosOverTransportKeytab.aar" basedir="target/temp-ramp" />
+
+ <copy overwrite="yes" file="src/test/resources/rampart/kerberos/KerberosOverTransportPWCB.xml" tofile="target/temp-ramp/META-INF/services.xml" />
+ <jar jarfile="target/test-resources/rampart_service_repo/services/KerberosOverTransportPWCB.aar" basedir="target/temp-ramp" />
+
+ <copy overwrite="yes" file="src/test/resources/rampart/kerberos/KerberosDelegation.xml" tofile="target/temp-ramp/META-INF/services.xml" />
+ <jar jarfile="target/test-resources/rampart_service_repo/services/KerberosDelegation.aar" basedir="target/temp-ramp" />
+
<!--
Set up the infra for rahas tests and the rahas client repo
@@ -478,7 +491,7 @@
</plugin>
</plugins>
</build>
-
+
<dependencies>
<dependency>
<groupId>org.apache.rampart</groupId>
@@ -558,6 +571,153 @@
<artifactId>addressing</artifactId>
<type>mar</type>
</dependency>
+ <!--dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-kerberos-shared</artifactId>
+ <version>2.0.0-M21</version>
+ <scope>test</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk15</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-i18n</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-jndi</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-shared</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-schema</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-schema-loader</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-schema-manager</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-cursor</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-jndi</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-asn1-codec</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-constants</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-converter</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-schema-dao</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldif</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-dsml-parser</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency-->
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-annotations</artifactId>
+ <version>2.0.0-M21</version>
+ <scope>test</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk15</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-shared</artifactId>
+ <version>2.0.0-M21</version>
+ <scope>test</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk15</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-kerberos</artifactId>
+ <version>2.0.0-M21</version>
+ <scope>test</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk15</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-interceptor-kerberos</artifactId>
+ <version>2.0.0-M21</version>
+ <scope>test</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk15</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.api</groupId>
+ <artifactId>api-ldap-codec-standalone</artifactId>
+ <version>1.0.0-M33</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.api</groupId>
+ <artifactId>api-ldap-extras-codec-api</artifactId>
+ <version>1.0.0-M33</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ <version>2.4</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ <version>3.2</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>xmlunit</groupId>
+ <artifactId>xmlunit</artifactId>
+ <scope>test</scope>
+ </dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
Added: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationService.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationService.java?rev=1778761&view=auto
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationService.java (added)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationService.java Sat Jan 14 12:22:55 2017
@@ -0,0 +1,86 @@
+package org.apache.rampart;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+
+import org.apache.axiom.om.OMAbstractFactory;
+import org.apache.axiom.om.OMElement;
+import org.apache.axiom.om.OMFactory;
+import org.apache.axiom.om.OMNamespace;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.client.ServiceClient;
+import org.apache.axis2.context.ConfigurationContext;
+import org.apache.axis2.context.ConfigurationContextFactory;
+import org.apache.axis2.integration.JettyServer;
+import org.apache.axis2.transport.http.HTTPConstants;
+import org.apache.neethi.Policy;
+import org.apache.rampart.policy.model.KerberosConfig;
+import org.apache.rampart.policy.model.RampartConfig;
+
+/**
+ *
+ */
+public class KerberosDelegationService extends PolicyBasedResultsValidator{
+
+
+ public OMElement echo(OMElement elem) throws MalformedURLException, IllegalStateException, AxisFault {
+
+ final String serviceName = "KerberosOverTransportKeytab";
+ URL wsdlUrl = new URL(String.format("https://localhost:%s/axis2/services/%s?wsdl", JettyServer.getHttpsPort(), serviceName));
+
+ ConfigurationContext configContext = ConfigurationContextFactory.
+ createConfigurationContextFromFileSystem("target/test-resources/rampart_client_repo", null);
+
+ ServiceClient serviceClient = new ServiceClient(configContext, wsdlUrl, null, null);
+
+ serviceClient.getOptions().setTimeOutInMilliSeconds(200000);
+ serviceClient.getOptions().setProperty(HTTPConstants.SO_TIMEOUT, 200000);
+ serviceClient.getOptions().setProperty(HTTPConstants.CONNECTION_TIMEOUT, 200000);
+
+ serviceClient.engageModule("addressing");
+ serviceClient.engageModule("rampart");
+
+ RampartConfig rampartConfig = new RampartConfig();
+
+ KerberosConfig kerberosConfig = new KerberosConfig();
+ rampartConfig.setKerberosConfig(kerberosConfig);
+ kerberosConfig.setJaasContext("KerberosDelegation");
+ kerberosConfig.setDelegationCredential(KerberosDelegationServiceValidator.getDelegationCredential());
+
+ Policy policy = new Policy();
+ policy.addAssertion(rampartConfig);
+
+ serviceClient.getAxisService().getPolicySubject().attachPolicyComponent(policy);
+
+ //Blocking invocation
+ QName operation = new QName("http://rampart.apache.org", "echo");
+ OMElement echoElement = getEchoElement();
+ OMElement result = serviceClient.sendReceive(operation, echoElement);
+ return result;
+ }
+
+ protected OMElement getEchoElement() {
+ OMFactory fac = OMAbstractFactory.getOMFactory();
+ OMNamespace omNs = fac.createOMNamespace(
+ "http://example1.org/example1", "example1");
+ OMElement method = fac.createOMElement("echo", omNs);
+ OMElement value = fac.createOMElement("Text", omNs);
+ value.addChild(fac.createOMText(value, "Testing Rampart with WS-SecPolicy"));
+ method.addChild(value);
+
+ return method;
+ }
+
+ /**
+ * New service method for testing negative scenario where service throws an exception
+ * @param element
+ * @return
+ * @throws Exception
+ */
+ public OMElement returnError(OMElement element) throws Exception {
+ throw new Exception("Testing negative scenarios with Apache Rampart. Intentional Exception");
+ }
+
+}
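Review bot: `echo` passes whatever `KerberosDelegationServiceValidator.getDelegationCredential()` returns straight into `setDelegationCredential` without checking it, and that value is a process-wide static that may still be `null` (no Kerberos BST processed yet) or may hold the credential captured from a different caller's request; for a delegation test that means the call can silently proceed with no delegated credential, or with someone else's. Since the method already declares `IllegalStateException`, fail explicitly when nothing was captured, and release the `ServiceClient` (and the per-call `ConfigurationContext` it creates) in a `finally`, otherwise every invocation leaks a client and context. The class also extends `PolicyBasedResultsValidator` although it is used as a service implementation; if that is only a classloading convenience for the `.aar`, a one-line comment saying so would help. The empty class Javadoc should state what the service is for, e.g. `Integration-test service that re-uses the Kerberos credential delegated by the caller to call KerberosOverTransportKeytab.`
```java
    public OMElement echo(OMElement elem) throws MalformedURLException, IllegalStateException, AxisFault {
        // … unchanged: WSDL URL, ConfigurationContext, ServiceClient and module setup …

        // Fail loudly rather than invoking the downstream service without a delegated credential.
        if (KerberosDelegationServiceValidator.getDelegationCredential() == null) {
            throw new IllegalStateException(
                    "No delegated Kerberos credential was captured by KerberosDelegationServiceValidator");
        }

        // … unchanged: RampartConfig / KerberosConfig / Policy construction …

        try {
            QName operation = new QName("http://rampart.apache.org", "echo");
            return serviceClient.sendReceive(operation, getEchoElement());
        } finally {
            serviceClient.cleanup();      // releases the per-call client and its ConfigurationContext
        }
    }
```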
Propchange: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationService.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationServiceValidator.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationServiceValidator.java?rev=1778761&view=auto
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationServiceValidator.java (added)
+++ axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationServiceValidator.java Sat Jan 14 12:22:55 2017
@@ -0,0 +1,36 @@
+package org.apache.rampart;
+
+import java.util.List;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.ietf.jgss.GSSCredential;
+
+/**
+ *
+ */
+public class KerberosDelegationServiceValidator extends PolicyBasedResultsValidator {
+
+ private static GSSCredential delegationCredential = null;
+
+ @Override
+ public void validate(ValidatorData data, List<WSSecurityEngineResult> results) throws RampartException {
+
+ super.validate(data, results);
+
+
+ for (WSSecurityEngineResult wsSecEngineResult : results) {
+ Integer actInt = (Integer) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt == WSConstants.BST) {
+ delegationCredential = (GSSCredential) wsSecEngineResult.
+ get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL);
+ break;
+ }
+ }
+ }
+
+ static GSSCredential getDelegationCredential(){
+ return delegationCredential;
+ }
+
+}
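Review bot: `validate` stores the caller's delegated `GSSCredential` in a plain static field that is written by every request and never cleared, so concurrent or successive clients overwrite each other and any later reader of `getDelegationCredential()` gets whichever credential arrived last, with no memory-visibility guarantee between the validator thread and the service thread; at minimum declare it `private static volatile GSSCredential delegationCredential;` and document in the class Javadoc that this is a test-only shortcut that is not safe for more than one client at a time. The comparison `actInt == WSConstants.BST` unboxes `actInt` and throws `NullPointerException` if a result has no `TAG_ACTION`; write it as `if (actInt != null && actInt.intValue() == WSConstants.BST)`. The cast to `GSSCredential` presumes `TAG_DELEGATION_CREDENTIAL` is always that type for a BST result, which I cannot confirm from this file; a guarded `instanceof` would make a wrong result type visible instead of failing with a `ClassCastException`.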
Propchange: axis/axis2/java/rampart/branches/RAMPART-433/modules/rampart-integration/src/main/java/org/apache/rampart/KerberosDelegationServiceValidator.java
------------------------------------------------------------------------------
svn:eol-style = native