Posted to commits@ws.apache.org by gi...@apache.org on 2012/12/03 22:26:22 UTC
svn commit: r1416670 [2/2] - in /webservices/wss4j/trunk: ./ integration/
integration/src/ integration/src/main/ integration/src/main/java/
integration/src/main/resources/ integration/src/test/
integration/src/test/java/ integration/src/test/java/org/ ...
Modified: webservices/wss4j/trunk/parent/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/parent/pom.xml?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/parent/pom.xml (original)
+++ webservices/wss4j/trunk/parent/pom.xml Mon Dec 3 21:26:13 2012
@@ -92,6 +92,11 @@
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>${slf4j.version}</version>
</dependency>
Modified: webservices/wss4j/trunk/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/pom.xml?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/pom.xml (original)
+++ webservices/wss4j/trunk/pom.xml Mon Dec 3 21:26:13 2012
@@ -111,6 +111,7 @@
<module>ws-security-common</module>
<module>ws-security-dom</module>
<module>ws-security-stax</module>
+ <module>integration</module>
<module>ws-security-policy-stax</module>
<module>cxf-integration</module>
</modules>
Modified: webservices/wss4j/trunk/ws-security-common/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/pom.xml?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/pom.xml (original)
+++ webservices/wss4j/trunk/ws-security-common/pom.xml Mon Dec 3 21:26:13 2012
@@ -101,6 +101,18 @@
</instructions>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <version>2.3.1</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
@@ -191,6 +203,77 @@
</exclusions>
</dependency>
<dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-kerberos-shared</artifactId>
+ <version>1.5.7</version>
+ <exclusions>
+ <exclusion>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk15</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-i18n</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-jndi</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-shared</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-schema</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-schema-loader</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-schema-manager</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-cursor</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-jndi</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-asn1-codec</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-constants</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-converter</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldap-schema-dao</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-ldif</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.directory.shared</groupId>
+ <artifactId>shared-dsml-parser</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
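Review bot: The new apacheds-kerberos-shared dependency excludes bcprov-jdk15, yet KerberosTokenDecoderImpl in this same commit references org.bouncycastle.asn1 classes by fully-qualified name; unless ws-security-common already declares a BouncyCastle provider artifact directly (not visible here), that class compiles only through some other transitive path, which is fragile. The dependency also carries no `<scope>`, so a Kerberos server library becomes a compile-scope dependency of every consumer of ws-security-common even when Kerberos is unused; if the decoder is meant to be optional, `<optional>true</optional>` or a narrower scope would limit the footprint. The version is a literal `1.5.7` where the parent pom hunk uses properties such as `${slf4j.version}`; a property like `${apacheds.version}` (constructed name) would keep it in one place.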
Copied: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java (from r1400458, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosClientAction.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java?p2=webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java&p1=webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosClientAction.java&r1=1400458&r2=1416670&rev=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosClientAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java Mon Dec 3 21:26:13 2012
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.ws.security.dom.message.token;
+package org.apache.ws.security.common.kerberos;
import java.security.Principal;
import java.security.PrivilegedAction;
Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Added: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java?rev=1416670&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java (added)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java Mon Dec 3 21:26:13 2012
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ws.security.common.kerberos;
+
+import javax.security.auth.callback.Callback;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class KerberosContextAndServiceNameCallback implements Callback {
+
+ private String contextName;
+ private String serviceName;
+
+ public String getContextName() {
+ return contextName;
+ }
+
+ public void setContextName(String contextName) {
+ this.contextName = contextName;
+ }
+
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ public void setServiceName(String serviceName) {
+ this.serviceName = serviceName;
+ }
+}
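Review bot: The class Javadoc contains only the `$Author$`/`$Revision$` keyword tags and says nothing about what the callback carries or who fills it in. A summary such as `Callback used to obtain the JAAS login-context name and the Kerberos service principal name from an application-supplied CallbackHandler.` would help; the corresponding `kerberosCallbackContextNameNotSupplied`/`kerberosCallbackServiceNameNotSupplied` messages added to wss4j_errors.properties in this commit suggest both fields are expected to be non-null after the handler runs, and that expectation belongs on the getters.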
Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Copied: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java (from r1400458, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosServiceAction.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java?p2=webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java&p1=webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosServiceAction.java&r1=1400458&r2=1416670&rev=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosServiceAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java Mon Dec 3 21:26:13 2012
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.ws.security.dom.message.token;
+package org.apache.ws.security.common.kerberos;
import java.security.Principal;
import java.security.PrivilegedAction;
Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Copied: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java (from r1400458, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenDecoder.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java?p2=webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java&p1=webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenDecoder.java&r1=1400458&r2=1416670&rev=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenDecoder.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java Mon Dec 3 21:26:13 2012
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.ws.security.dom.validate;
+package org.apache.ws.security.common.kerberos;
import javax.security.auth.Subject;
Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Added: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java?rev=1416670&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java (added)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java Mon Dec 3 21:26:13 2012
@@ -0,0 +1,159 @@
+package org.apache.ws.security.common.kerberos;
+
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
+import org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder;
+import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
+import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosKey;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Iterator;
+import java.util.Set;
+
+public class KerberosTokenDecoderImpl implements KerberosTokenDecoder {
+
+ private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
+
+ private byte[] serviceTicket;
+ private Subject subject;
+
+ private boolean decoded = false;
+ private EncTicketPart encTicketPart;
+
+ /**
+ * Clear all internal information
+ */
+ public void clear() {
+ serviceTicket = null;
+ subject = null;
+ decoded = false;
+ encTicketPart = null;
+ }
+
+ /**
+ * Set the AP-REQ Kerberos Token
+ *
+ * @param token the AP-REQ Kerberos Token
+ */
+ public void setToken(byte[] token) {
+ serviceTicket = token;
+ }
+
+ /**
+ * Set the Subject
+ *
+ * @param subject the Subject
+ */
+ public void setSubject(Subject subject) {
+ this.subject = subject;
+ }
+
+ /**
+ * Get the session key from the token
+ *
+ * @return the session key from the token
+ */
+ public byte[] getSessionKey() {
+ if (!decoded) {
+ decodeServiceTicket();
+ }
+ return encTicketPart.getSessionKey().getKeyValue();
+ }
+
+ /**
+ * Get the client principal name from the decoded service ticket.
+ *
+ * @return the client principal name
+ */
+ public String getClientPrincipalName() {
+ if (!decoded) {
+ decodeServiceTicket();
+ }
+ return encTicketPart.getClientPrincipal().toString();
+ }
+
+ // Decode the service ticket.
+ private synchronized void decodeServiceTicket() {
+ try {
+ parseServiceTicket(serviceTicket);
+ decoded = true;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ // Parses the service ticket (GSS AP-REQ token)
+ private void parseServiceTicket(byte[] ticket) throws Exception {
+
+ // I didn't find a better way how to parse this Kerberos Message...
+
+ org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
+ new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(ticket));
+ org.bouncycastle.asn1.DERApplicationSpecific derToken =
+ (org.bouncycastle.asn1.DERApplicationSpecific) asn1InputStream.readObject();
+ if (derToken == null || !derToken.isConstructed()) {
+ asn1InputStream.close();
+ throw new IllegalArgumentException("invalid kerberos token");
+ }
+ asn1InputStream.close();
+
+ asn1InputStream = new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(derToken.getContents()));
+ org.bouncycastle.asn1.DERObjectIdentifier kerberosOid =
+ (org.bouncycastle.asn1.DERObjectIdentifier) asn1InputStream.readObject();
+ if (!kerberosOid.getId().equals(KERBEROS_OID)) {
+ asn1InputStream.close();
+ throw new IllegalArgumentException("invalid kerberos token");
+ }
+
+ int readLowByte = asn1InputStream.read() & 0xff;
+ int readHighByte = asn1InputStream.read() & 0xff;
+ int read = (readHighByte << 8) + readLowByte;
+ if (read != 0x01) {
+ throw new IllegalArgumentException("invalid kerberos token");
+ }
+
+ ApplicationRequestDecoder applicationRequestDecoder = new ApplicationRequestDecoder();
+ ApplicationRequest applicationRequest = applicationRequestDecoder.decode(toByteArray(asn1InputStream));
+
+ final int encryptionType = applicationRequest.getTicket().getEncPart().getEType().getOrdinal();
+ KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
+
+ EncryptionKey encryptionKey =
+ new EncryptionKey(EncryptionType.getTypeByOrdinal(encryptionType), kerberosKey.getEncoded());
+
+ CipherTextHandler cipherTextHandler = new CipherTextHandler();
+ this.encTicketPart = (EncTicketPart) cipherTextHandler.unseal(
+ EncTicketPart.class, encryptionKey, applicationRequest.getTicket().getEncPart(), KeyUsage.NUMBER2);
+ }
+
+ private KerberosKey getKrbKey(Subject sub, int keyType) throws Exception {
+ Set<Object> creds = sub.getPrivateCredentials(Object.class);
+ for (Iterator<Object> i = creds.iterator(); i.hasNext(); ) {
+ Object cred = i.next();
+ if (cred instanceof KerberosKey) {
+ KerberosKey key = (KerberosKey) cred;
+ if (key.getKeyType() == keyType) {
+ return (KerberosKey) cred;
+ }
+ }
+ }
+ return null;
+ }
+
+ private static byte[] toByteArray(InputStream inputStream) throws IOException {
+ ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+ int read;
+ byte[] buf = new byte[1024];
+ while ((read = inputStream.read(buf)) != -1) {
+ byteArrayOutputStream.write(buf, 0, read);
+ }
+ return byteArrayOutputStream.toByteArray();
+ }
+}
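Review bot: parseServiceTicket casts the results of both `readObject()` calls before checking them, so a malformed AP-REQ token (untrusted wire input) surfaces as a ClassCastException wrapped in RuntimeException by decodeServiceTicket rather than the intended "invalid kerberos token" IllegalArgumentException; an `instanceof` check before each cast keeps the error path uniform. Likewise getKrbKey returns null when the Subject holds no KerberosKey of the ticket's encryption type, and the caller dereferences it at `kerberosKey.getEncoded()`, producing an opaque NullPointerException instead of a message naming the missing key type. The file also lacks the ASF license header that every other new file in this commit carries, and the `decoded` flag is read outside the `synchronized` method that writes it, so its visibility to other threads is not guaranteed (presumably instances are not shared; confirm).
```java
// … unchanged: first ASN1InputStream construction …
Object derObject = asn1InputStream.readObject();
if (!(derObject instanceof org.bouncycastle.asn1.DERApplicationSpecific)) {
    asn1InputStream.close();
    throw new IllegalArgumentException("invalid kerberos token");
}
org.bouncycastle.asn1.DERApplicationSpecific derToken =
    (org.bouncycastle.asn1.DERApplicationSpecific) derObject;
if (!derToken.isConstructed()) {
    asn1InputStream.close();
    throw new IllegalArgumentException("invalid kerberos token");
}
asn1InputStream.close();

// … unchanged: second ASN1InputStream construction …
Object oidObject = asn1InputStream.readObject();
if (!(oidObject instanceof org.bouncycastle.asn1.DERObjectIdentifier)
        || !KERBEROS_OID.equals(((org.bouncycastle.asn1.DERObjectIdentifier) oidObject).getId())) {
    asn1InputStream.close();
    throw new IllegalArgumentException("invalid kerberos token");
}

// … unchanged: TOK_ID check and ApplicationRequest decoding …
KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
if (kerberosKey == null) {
    throw new IllegalArgumentException(
        "no KerberosKey of encryption type " + encryptionType + " found in the Subject");
}
// … unchanged: EncryptionKey construction and unseal …
```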
Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Modified: webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties Mon Dec 3 21:26:13 2012
@@ -36,6 +36,8 @@ ioError00 = Failed to load credentials.
kerberosLoginError = An error occurred in trying to obtain a TGT: {0}
kerberosServiceTicketError = An error occurred in trying to obtain a service ticket
kerberosTicketValidationError = An error occurred in trying to validate a ticket
+kerberosCallbackContextNameNotSupplied = Callback supplied no context name
+kerberosCallbackServiceNameNotSupplied = Callback supplied no service name
keystore = Cannot access/read keystore data
missingCreated = Created time is missing
missingSecurityHeader = Security header is missing
@@ -90,3 +92,4 @@ unsupportedCertType = Certificate type n
unsupportedKeyId = Unsupported key identification: {0}
unsupportedKeyInfo = Unsupported KeyInfo type
unsupportedKeyTransp = unsupported key transport encryption algorithm: {0}
+unsupportedSecurityToken = Unsupported SecurityToken {0}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncrypt.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncrypt.java Mon Dec 3 21:26:13 2012
@@ -42,6 +42,7 @@ import org.w3c.dom.Node;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -286,9 +287,13 @@ public class WSSecEncrypt extends WSSecE
) throws WSSecurityException {
KeyInfo keyInfo = createKeyInfo();
+ //the sun ähm oracle jce provider doesn't like a foreign SecretKey impl.
+ //this occurs e.g. with a kerberos session-key. It doesn't matter for the bouncy-castle provider
+ //so create a new secretKeySpec to make everybody happy.
+ SecretKeySpec secretKeySpec = new SecretKeySpec(symmetricKey.getEncoded(), symmetricKey.getAlgorithm());
List<String> encDataRefs =
doEncryption(
- document, getWsConfig(), keyInfo, symmetricKey, symEncAlgo, references, callbackLookup
+ document, getWsConfig(), keyInfo, secretKeySpec, symEncAlgo, references, callbackLookup
);
if (dataRef == null) {
dataRef =
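Review bot: `new SecretKeySpec(symmetricKey.getEncoded(), ...)` throws IllegalArgumentException when `getEncoded()` returns null, which is the documented behaviour for non-extractable keys (e.g. keys held by a hardware provider), so a caller that previously passed such a key through unchanged now fails; guarding the re-wrap keeps that path working: `byte[] encodedKey = symmetricKey.getEncoded();` then `SecretKey keyForEncryption = encodedKey != null ? new SecretKeySpec(encodedKey, symmetricKey.getAlgorithm()) : symmetricKey;`. The three-line comment would read better as `// Some JCE providers reject a foreign SecretKey implementation (e.g. a Kerberos session key); re-wrap it in a SecretKeySpec so every provider accepts it.` instead of the current informal wording. The enclosing method starts outside the hunk.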
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosSecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosSecurity.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosSecurity.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosSecurity.java Mon Dec 3 21:26:13 2012
@@ -29,6 +29,7 @@ import javax.security.auth.kerberos.Kerb
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
+import org.apache.ws.security.common.kerberos.KerberosClientAction;
import org.apache.ws.security.dom.WSConstants;
import org.apache.ws.security.dom.bsp.BSPEnforcer;
import org.apache.ws.security.common.bsp.BSPRule;
@@ -146,7 +147,7 @@ public class KerberosSecurity extends Bi
KerberosTicket tgt = getKerberosTicket(clientSubject, null);
// Get the service ticket
- KerberosClientAction action =
+ KerberosClientAction action =
new KerberosClientAction(clientPrincipals.iterator().next(), serviceName);
byte[] ticket = (byte[])Subject.doAs(clientSubject, action);
if (ticket == null) {
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenValidator.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenValidator.java Mon Dec 3 21:26:13 2012
@@ -28,10 +28,12 @@ import javax.security.auth.login.LoginCo
import javax.security.auth.login.LoginException;
import org.apache.ws.security.common.ext.WSSecurityException;
+import org.apache.ws.security.common.kerberos.KerberosTokenDecoder;
+import org.apache.ws.security.common.kerberos.KerberosTokenDecoderImpl;
import org.apache.ws.security.dom.handler.RequestData;
import org.apache.ws.security.dom.message.token.BinarySecurity;
import org.apache.ws.security.dom.message.token.KerberosSecurity;
-import org.apache.ws.security.dom.message.token.KerberosServiceAction;
+import org.apache.ws.security.common.kerberos.KerberosServiceAction;
/**
*/
@@ -162,10 +164,12 @@ public class KerberosTokenValidator impl
// Get a TGT from the KDC using JAAS
LoginContext loginContext = null;
try {
- if (callbackHandler == null) {
- loginContext = new LoginContext(getContextName());
- } else {
+ if (callbackHandler != null) {
loginContext = new LoginContext(getContextName(), callbackHandler);
+ } else if (data.getCallbackHandler() != null) {
+ loginContext = new LoginContext(getContextName(), data.getCallbackHandler());
+ } else {
+ loginContext = new LoginContext(getContextName());
}
loginContext.login();
} catch (LoginException ex) {
@@ -202,7 +206,7 @@ public class KerberosTokenValidator impl
// Validate the ticket
KerberosServiceAction action = new KerberosServiceAction(token, service);
- Principal principal = (Principal)Subject.doAs(subject, action);
+ Principal principal = Subject.doAs(subject, action);
if (principal == null) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "kerberosTicketValidationError"
@@ -211,21 +215,21 @@ public class KerberosTokenValidator impl
credential.setPrincipal(principal);
credential.setSubject(subject);
- // Try to extract the session key from the token if a KerberosTokenDecoder implementation is
- // available
- if (kerberosTokenDecoder != null) {
- kerberosTokenDecoder.clear();
- kerberosTokenDecoder.setToken(token);
- kerberosTokenDecoder.setSubject(subject);
- byte[] sessionKey = kerberosTokenDecoder.getSessionKey();
- credential.setSecretKey(sessionKey);
+ KerberosTokenDecoder kerberosTokenDecoder = this.kerberosTokenDecoder;
+ if (kerberosTokenDecoder == null) {
+ kerberosTokenDecoder = new KerberosTokenDecoderImpl();
}
-
+
+ kerberosTokenDecoder.clear();
+ kerberosTokenDecoder.setToken(token);
+ kerberosTokenDecoder.setSubject(subject);
+ byte[] sessionKey = kerberosTokenDecoder.getSessionKey();
+ credential.setSecretKey(sessionKey);
+
if (log.isDebugEnabled()) {
log.debug("Successfully validated a ticket");
}
return credential;
}
-
}
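Review bot: Session-key extraction is no longer optional: when `kerberosTokenDecoder` is null a `KerberosTokenDecoderImpl` is created unconditionally, and that implementation wraps any parse or decrypt failure in a bare RuntimeException, so a validation that already succeeded at `Subject.doAs` can now escape this method as an unchecked exception rather than the WSSecurityException callers expect. Wrapping the decoder calls, e.g. `try { ... credential.setSecretKey(sessionKey); } catch (RuntimeException ex) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosTicketValidationError", ex); }`, keeps the error contract intact (confirm the WSSecurityException constructor signature in this module). It is also worth a comment stating that the default decoder pulls in the apacheds/BouncyCastle dependency for every Kerberos validation, since that was previously opt-in.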
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/WSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/WSSec.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/WSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/WSSec.java Mon Dec 3 21:26:13 2012
@@ -292,6 +292,32 @@ public class WSSec {
} else if (action.equals(WSSConstants.SAML_TOKEN_UNSIGNED) &&
(securityProperties.getCallbackHandler() == null)) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
+ } else if (action.equals(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN)) {
+ if (securityProperties.getCallbackHandler() == null) {
+ throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
+ }
+ if (securityProperties.getSignatureAlgorithm() == null) {
+ securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#hmac-sha1");
+ }
+ if (securityProperties.getSignatureDigestAlgorithm() == null) {
+ securityProperties.setSignatureDigestAlgorithm("http://www.w3.org/2000/09/xmldsig#sha1");
+ }
+ if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
+ securityProperties.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
+ }
+ if (securityProperties.getSignatureKeyIdentifierType() == null) {
+ securityProperties.setSignatureKeyIdentifierType(WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE);
+ }
+ } else if (action.equals(WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN)) {
+ if (securityProperties.getCallbackHandler() == null) {
+ throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
+ }
+ if (securityProperties.getEncryptionSymAlgorithm() == null) {
+ securityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+ }
+ if (securityProperties.getSignatureKeyIdentifierType() == null) {
+ securityProperties.setSignatureKeyIdentifierType(WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE);
+ }
}
}
return new WSSSecurityProperties(securityProperties);
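Review bot: The ENCRYPT_WITH_KERBEROS_TOKEN branch defaults `setSignatureKeyIdentifierType` even though it configures encryption, which looks like a copy of the signature branch above it; if the encryption path has its own key-identifier property it should be defaulted here instead, and if not, a comment explaining why the signature setting applies to encryption would prevent the next reader from "fixing" it. The `noCallback` check is repeated verbatim in both new branches and in the existing SAML branch, so extracting it to a small private helper would reduce the duplication. The algorithm URIs are bare string literals; if WSSConstants already defines them (not visible in this hunk), referencing the constants would keep the defaults consistent with the rest of the module.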
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/OutboundWSSec.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/OutboundWSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/OutboundWSSec.java Mon Dec 3 21:26:13 2012
@@ -133,7 +133,7 @@ public class OutboundWSSec {
new BinarySecurityTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
- WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+ final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
} else if (action.equals(WSSConstants.ENCRYPT)) {
@@ -148,23 +148,23 @@ public class OutboundWSSec {
initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
} else if (action.equals(WSSConstants.USERNAMETOKEN)) {
- UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
+ final UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, usernameTokenOutputProcessor, action);
} else if (action.equals(WSSConstants.USERNAMETOKEN_SIGNED)) {
final UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, usernameTokenOutputProcessor, action);
- WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+ final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
} else if (action.equals(WSSConstants.SIGNATURE_CONFIRMATION)) {
- SignatureConfirmationOutputProcessor signatureConfirmationOutputProcessor =
+ final SignatureConfirmationOutputProcessor signatureConfirmationOutputProcessor =
new SignatureConfirmationOutputProcessor();
initializeOutputProcessor(outputProcessorChain, signatureConfirmationOutputProcessor, action);
} else if (action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)) {
- BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
+ final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
new BinarySecurityTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
@@ -181,7 +181,7 @@ public class OutboundWSSec {
final DerivedKeyTokenOutputProcessor derivedKeyTokenOutputProcessor = new DerivedKeyTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, derivedKeyTokenOutputProcessor, action);
- WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+ final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
} else if (action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
@@ -209,12 +209,26 @@ public class OutboundWSSec {
final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
- WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+ final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
} else if (action.equals(WSSConstants.SAML_TOKEN_UNSIGNED)) {
final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
+ } else if (action.equals(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN)) {
+ final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+ new KerberosSecurityTokenOutputProcessor();
+ initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
+
+ final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+ initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
+ } else if (action.equals(WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN)) {
+ final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+ new KerberosSecurityTokenOutputProcessor();
+ initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
+
+ final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
+ initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
}
}
if (output instanceof OutputStream) {
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java Mon Dec 3 21:26:13 2012
@@ -217,6 +217,10 @@ public class WSSConstants extends XMLSec
public static final String NS_SAML11_TOKEN_PROFILE_TYPE = NS_SAML11_TOKEN_PROFILE + "#SAMLV1.1";
public static final String NS_SAML20_TOKEN_PROFILE_TYPE = NS_SAML11_TOKEN_PROFILE + "#SAMLV2.0";
+ public static final String NS_KERBEROS11_TOKEN_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#";
+ public static final String NS_GSS_Kerberos5_AP_REQ = NS_KERBEROS11_TOKEN_PROFILE + "GSS_Kerberosv5_AP_REQ";
+ public static final String NS_Kerberos5_AP_REQ_SHA1 = NS_KERBEROS11_TOKEN_PROFILE + "Kerberosv5APREQSHA1";
+
public static final QName ATT_NULL_AssertionID = new QName(null, "AssertionID");
public static final QName ATT_NULL_ID = new QName(null, "ID");
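Review bot: The three new URI constants have no comment saying which specification they come from or how the two ValueType suffixes differ, which matters because callers elsewhere in this commit compare incoming ValueType strings against them. A one-line comment above `NS_KERBEROS11_TOKEN_PROFILE` would do: `// OASIS WS-Security Kerberos Token Profile 1.1 namespace and ValueType URIs (the SHA1 form presumably identifies a previously transmitted token rather than the token itself)`. The mixed-case suffixes in `NS_GSS_Kerberos5_AP_REQ` and `NS_Kerberos5_AP_REQ_SHA1` depart from UPPER_SNAKE_CASE but match the file's existing `NS_X509PKIPathv1`, so the casing is at least consistent with the file. `NS_Kerberos5_AP_REQ_SHA1` does not appear to be used in any hunk on this page; if it is reserved for later work, the comment should say so.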
@@ -272,6 +276,8 @@ public class WSSConstants extends XMLSec
public static final Action ENCRYPT_WITH_DERIVED_KEY = new Action("ENCRYPT_WITH_DERIVED_KEY");
public static final Action SAML_TOKEN_SIGNED = new Action("SAML_TOKEN_SIGNED");
public static final Action SAML_TOKEN_UNSIGNED = new Action("SAML_TOKEN_UNSIGNED");
+ public static final Action SIGNATURE_WITH_KERBEROS_TOKEN = new Action("SIGNATURE_WITH_KERBEROS_TOKEN");
+ public static final Action ENCRYPT_WITH_KERBEROS_TOKEN = new Action("ENCRYPT_WITH_KERBEROS_TOKEN");
public static class Action extends XMLSecurityConstants.Action {
protected Action(String name) {
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java Mon Dec 3 21:26:13 2012
@@ -29,12 +29,13 @@ import org.apache.ws.security.stax.ext.W
import org.apache.ws.security.stax.ext.WSSConstants;
import org.apache.ws.security.stax.ext.WSSSecurityProperties;
import org.apache.ws.security.stax.ext.WSSecurityContext;
+import org.apache.ws.security.stax.impl.securityToken.KerberosServiceSecurityToken;
import org.apache.ws.security.stax.impl.securityToken.X509PKIPathv1SecurityToken;
-import org.apache.ws.security.stax.impl.securityToken.X509SecurityToken;
import org.apache.ws.security.stax.impl.securityToken.X509_V3SecurityToken;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.*;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
+import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent;
@@ -72,23 +73,13 @@ public class BinarySecurityTokenInputHan
final SecurityTokenProvider securityTokenProvider = new SecurityTokenProvider() {
- private X509SecurityToken binarySecurityToken = null;
+ private AbstractInboundSecurityToken securityToken = null;
@SuppressWarnings("unchecked")
@Override
public SecurityToken getSecurityToken() throws XMLSecurityException {
- if (this.binarySecurityToken != null) {
- return this.binarySecurityToken;
- }
- Crypto crypto = null;
- try {
- crypto = ((WSSSecurityProperties) securityProperties).getSignatureVerificationCrypto();
- } catch (WSSConfigurationException e) {
- log.debug(e.getMessage(), e);
- //ignore
- }
- if (crypto == null) {
- crypto = ((WSSSecurityProperties) securityProperties).getDecryptionCrypto();
+ if (this.securityToken != null) {
+ return this.securityToken;
}
//only Base64Encoding is supported
@@ -100,23 +91,30 @@ public class BinarySecurityTokenInputHan
byte[] securityTokenData = Base64.decodeBase64(binarySecurityTokenType.getValue());
if (WSSConstants.NS_X509_V3_TYPE.equals(binarySecurityTokenType.getValueType())) {
- this.binarySecurityToken = new X509_V3SecurityToken(
+ Crypto crypto = getCrypto((WSSSecurityProperties) securityProperties);
+ this.securityToken = new X509_V3SecurityToken(
(WSSecurityContext) securityContext, crypto, ((WSSSecurityProperties)securityProperties).getCallbackHandler(),
securityTokenData, binarySecurityTokenType.getId(), WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE
);
} else if (WSSConstants.NS_X509PKIPathv1.equals(binarySecurityTokenType.getValueType())) {
- this.binarySecurityToken = new X509PKIPathv1SecurityToken(
+ Crypto crypto = getCrypto((WSSSecurityProperties) securityProperties);
+ this.securityToken = new X509PKIPathv1SecurityToken(
(WSSecurityContext) securityContext, crypto, ((WSSSecurityProperties)securityProperties).getCallbackHandler(),
securityTokenData, binarySecurityTokenType.getId(), WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE
);
+ } else if (WSSConstants.NS_GSS_Kerberos5_AP_REQ.equals(binarySecurityTokenType.getValueType())) {
+ this.securityToken = new KerberosServiceSecurityToken(
+ (WSSecurityContext) securityContext, ((WSSSecurityProperties)securityProperties).getCallbackHandler(),
+ securityTokenData, binarySecurityTokenType.getId(), WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE
+ );
} else {
throw new WSSecurityException(
WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidValueType", binarySecurityTokenType.getValueType());
}
- this.binarySecurityToken.setElementPath(elementPath);
- this.binarySecurityToken.setXMLSecEvent(responsibleXMLSecStartXMLEvent);
- return this.binarySecurityToken;
+ this.securityToken.setElementPath(elementPath);
+ this.securityToken.setXMLSecEvent(responsibleXMLSecStartXMLEvent);
+ return this.securityToken;
}
@Override
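Review bot: The `Crypto crypto = getCrypto(...)` call is now repeated in each of the two X.509 branches rather than resolved once before the ValueType dispatch, and a reader will be tempted to hoist it back. The repetition looks deliberate, since the new Kerberos branch constructs `KerberosServiceSecurityToken` without any Crypto and so should not require signature-verification or decryption Crypto to be configured; a comment on the first call would prevent a "cleanup" regression: `// resolved per X.509 branch on purpose: a Kerberos BST must work without any Crypto configured`. The enclosing `getSecurityToken()` starts in the previous hunk, so the full control flow is not visible here.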
@@ -127,6 +125,7 @@ public class BinarySecurityTokenInputHan
securityContext.registerSecurityTokenProvider(binarySecurityTokenType.getId(), securityTokenProvider);
+ //todo most probably wrong in case of a kerberos token
//fire a tokenSecurityEvent
X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
x509TokenSecurityEvent.setSecurityToken((SecurityToken) securityTokenProvider.getSecurityToken());
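Review bot: The `//todo` left above the event is a real gap rather than a cosmetic one: after this change a `GSS_Kerberosv5_AP_REQ` BinarySecurityToken is reported to every security-event consumer as an `X509TokenSecurityEvent`, so anything that reasons about which token types were present in the header (policy verification, auditing) will see an X.509 token that never existed. The event type should be chosen from the token actually produced by the provider, and the Kerberos case needs its own token event class if none exists yet; until then the comment should state the consequence rather than "most probably wrong", e.g. `// TODO: a Kerberos token is currently surfaced as an X509TokenSecurityEvent; consumers that gate on token type will misclassify it`. The surrounding method starts and ends outside this hunk.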
@@ -134,6 +133,20 @@ public class BinarySecurityTokenInputHan
securityContext.registerSecurityEvent(x509TokenSecurityEvent);
}
+ private Crypto getCrypto(WSSSecurityProperties securityProperties) throws WSSConfigurationException {
+ Crypto crypto = null;
+ try {
+ crypto = securityProperties.getSignatureVerificationCrypto();
+ } catch (WSSConfigurationException e) {
+ log.debug(e.getMessage(), e);
+ //ignore
+ }
+ if (crypto == null) {
+ crypto = securityProperties.getDecryptionCrypto();
+ }
+ return crypto;
+ }
+
private void checkBSPCompliance(InputProcessorChain inputProcessorChain, BinarySecurityTokenType binarySecurityTokenType)
throws WSSecurityException {
final WSSecurityContext securityContext = (WSSecurityContext) inputProcessorChain.getSecurityContext();
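Review bot: `getCrypto` can return `null` (neither `getSignatureVerificationCrypto()` nor `getDecryptionCrypto()` configured, or the former throwing `WSSConfigurationException`), and the callers in the previous hunk pass that value straight into the X.509 token constructors; the method's contract deserves a Javadoc so the caller-side behaviour on `null` is made explicit rather than discovered downstream. Suggested Javadoc: `/** Returns the signature-verification Crypto, falling back to the decryption Crypto when the former is unset or misconfigured; may return null when neither is available. */`. The `//ignore` after the debug log is also worth expanding to say why a configuration exception on the first lookup is acceptable here, because silently downgrading a configuration error to DEBUG is the kind of thing a later reader will assume is a bug.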
Copied: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java (from r1400458, webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java?p2=webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java&p1=webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java&r1=1400458&r2=1416670&rev=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java Mon Dec 3 21:26:13 2012
@@ -18,35 +18,35 @@
*/
package org.apache.ws.security.stax.impl.processor.output;
-import org.apache.ws.security.common.crypto.CryptoType;
-import org.apache.ws.security.common.ext.WSPasswordCallback;
+import org.apache.commons.codec.binary.Base64;
import org.apache.ws.security.common.ext.WSSecurityException;
import org.apache.ws.security.stax.ext.WSSConstants;
import org.apache.ws.security.stax.ext.WSSSecurityProperties;
import org.apache.ws.security.stax.ext.WSSUtils;
+import org.apache.ws.security.stax.impl.securityToken.KerberosClientSecurityToken;
import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.stax.ext.*;
+import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
+import org.apache.xml.security.stax.ext.OutputProcessorChain;
+import org.apache.xml.security.stax.ext.SecurityTokenProvider;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
-import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
import org.apache.xml.security.stax.impl.securityToken.OutboundSecurityToken;
import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.apache.xml.security.stax.securityEvent.SecurityEvent;
-import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
-import java.security.Key;
-import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.List;
/**
* @author $Author$
* @version $Revision$ $Date$
*/
-public class BinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
+public class KerberosSecurityTokenOutputProcessor extends AbstractOutputProcessor {
- public BinarySecurityTokenOutputProcessor() throws XMLSecurityException {
+ public KerberosSecurityTokenOutputProcessor() throws XMLSecurityException {
super();
}
@@ -54,64 +54,22 @@ public class BinarySecurityTokenOutputPr
public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
try {
final String bstId = IDGenerator.generateID(null);
- final X509Certificate[] x509Certificates;
- final Key key;
XMLSecurityConstants.Action action = getAction();
- if (action.equals(WSSConstants.SIGNATURE)
- || action.equals(WSSConstants.SAML_TOKEN_SIGNED)
- || action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)) {
-
- String alias = ((WSSSecurityProperties) getSecurityProperties()).getSignatureUser();
- WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
- WSSUtils.doPasswordCallback(((WSSSecurityProperties)getSecurityProperties()).getCallbackHandler(), pwCb);
- String password = pwCb.getPassword();
- if (password == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noPassword", alias);
- }
- key = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getPrivateKey(alias, password);
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- cryptoType.setAlias(alias);
- x509Certificates = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getX509Certificates(cryptoType);
- if (x509Certificates == null || x509Certificates.length == 0) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noUserCertsFound", alias);
- }
- } else if (action.equals(WSSConstants.ENCRYPT) ||
- action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
- X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
- if (((WSSSecurityProperties) getSecurityProperties()).isUseReqSigCertForEncryption()) {
- if (x509Certificate == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noCert");
- }
- x509Certificates = new X509Certificate[1];
- x509Certificates[0] = x509Certificate;
- } else if (getSecurityProperties().getEncryptionUseThisCertificate() != null) {
- x509Certificate = getSecurityProperties().getEncryptionUseThisCertificate();
- x509Certificates = new X509Certificate[1];
- x509Certificates[0] = x509Certificate;
- } else {
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- cryptoType.setAlias(((WSSSecurityProperties) getSecurityProperties()).getEncryptionUser());
- x509Certificates = ((WSSSecurityProperties) getSecurityProperties()).getEncryptionCrypto().getX509Certificates(cryptoType);
- if (x509Certificates == null || x509Certificates.length == 0) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noUserCertsFound",
- ((WSSSecurityProperties) getSecurityProperties()).getEncryptionUser());
- }
- }
- key = null;
- } else {
- x509Certificates = null;
- key = null;
- }
- final GenericOutboundSecurityToken binarySecurityToken =
- new GenericOutboundSecurityToken(bstId, WSSConstants.X509V3Token, key, x509Certificates);
- final SecurityTokenProvider binarySecurityTokenProvider = new SecurityTokenProvider() {
+ final KerberosClientSecurityToken kerberosClientSecurityToken =
+ new KerberosClientSecurityToken(
+ ((WSSSecurityProperties) getSecurityProperties()).getCallbackHandler(),
+ bstId
+ );
+
+
+ final SecurityTokenProvider kerberosSecurityTokenProvider = new SecurityTokenProvider() {
@SuppressWarnings("unchecked")
@Override
public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
- return binarySecurityToken;
+ return kerberosClientSecurityToken;
}
@Override
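Review bot: `getCallbackHandler()` is handed to `KerberosClientSecurityToken` without being checked, and from the token class later on this page the handler is first dereferenced inside the lazy `getTGT()` call, so a missing handler would surface as a `NullPointerException` in the middle of event output rather than as a configuration error at processor setup. Checking it here and throwing a `WSSecurityException` with a configuration-oriented error code would make the failure attributable to the missing callback handler. The two consecutive blank lines after the constructor call are a minor formatting nit. The `processEvent` method continues into the next hunk.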
@@ -120,47 +78,28 @@ public class BinarySecurityTokenOutputPr
}
};
- if (action.equals(WSSConstants.SIGNATURE)
- || action.equals(WSSConstants.SAML_TOKEN_SIGNED)) {
+ if (action.equals(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN)) {
outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
- if (getSecurityProperties().getSignatureKeyIdentifierType() == WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
- finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
- finalBinarySecurityTokenOutputProcessor.setAction(getAction());
- finalBinarySecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
- finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
- binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
- } else if (action.equals(WSSConstants.ENCRYPT)) {
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
- if (((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifierType() == WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
- FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
- finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
- finalBinarySecurityTokenOutputProcessor.setAction(getAction());
- finalBinarySecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
- finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
- binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
- }
- } else if (action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)
- || action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
-
- WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference = ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyTokenReference();
- switch (derivedKeyTokenReference) {
-
- case DirectReference:
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, bstId);
- break;
- case EncryptedKey:
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
- break;
- case SecurityContextToken:
- outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN, bstId);
- break;
- }
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
+ FinalKerberosSecurityTokenOutputProcessor finalKerberosSecurityTokenOutputProcessor =
+ new FinalKerberosSecurityTokenOutputProcessor(kerberosClientSecurityToken);
+ finalKerberosSecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+ finalKerberosSecurityTokenOutputProcessor.setAction(getAction());
+ finalKerberosSecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
+ finalKerberosSecurityTokenOutputProcessor.init(outputProcessorChain);
+ kerberosClientSecurityToken.setProcessor(finalKerberosSecurityTokenOutputProcessor);
+ } else if (action.equals(WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN)) {
+ outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, bstId);
+ FinalKerberosSecurityTokenOutputProcessor finalKerberosSecurityTokenOutputProcessor =
+ new FinalKerberosSecurityTokenOutputProcessor(kerberosClientSecurityToken);
+ finalKerberosSecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+ finalKerberosSecurityTokenOutputProcessor.setAction(getAction());
+ finalKerberosSecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
+ finalKerberosSecurityTokenOutputProcessor.init(outputProcessorChain);
+ kerberosClientSecurityToken.setProcessor(finalKerberosSecurityTokenOutputProcessor);
}
- outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(bstId, binarySecurityTokenProvider);
+ outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(bstId, kerberosSecurityTokenProvider);
} finally {
outputProcessorChain.removeProcessor(this);
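Review bot: The signature branch now sets `PROP_APPEND_SIGNATURE_ON_THIS_ID` unconditionally, whereas the X.509 code it was copied from only did so when the signature key identifier type was `SECURITY_TOKEN_DIRECT_REFERENCE`; with this commit also introducing `NS_Kerberos5_AP_REQ_SHA1`, it is unclear whether a KeyIdentifier-style reference is meant to be supported later, so a comment stating that only direct references are supported for Kerberos tokens would avoid that ambiguity. The two branches also duplicate the five-line final-processor setup and differ only in the ordering hook, which is easy to get out of sync; a small private helper removes the duplication.

```java
// … unchanged: token provider construction …
if (action.equals(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN)) {
    outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
    // only a direct reference to the BST is supported for Kerberos tokens
    outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
    installFinalProcessor(outputProcessorChain, kerberosClientSecurityToken, true);
} else if (action.equals(WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN)) {
    outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, bstId);
    installFinalProcessor(outputProcessorChain, kerberosClientSecurityToken, false);
}
// … unchanged: registerSecurityTokenProvider and the finally block …

/** Wires the processor that emits the BST, ordered before the signature or after the encryption ending processor. */
private void installFinalProcessor(OutputProcessorChain outputProcessorChain,
                                   KerberosClientSecurityToken token,
                                   boolean beforeSignature) throws XMLSecurityException {
    FinalKerberosSecurityTokenOutputProcessor finalProcessor =
            new FinalKerberosSecurityTokenOutputProcessor(token);
    finalProcessor.setXMLSecurityProperties(getSecurityProperties());
    finalProcessor.setAction(getAction());
    if (beforeSignature) {
        finalProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
    } else {
        finalProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
    }
    finalProcessor.init(outputProcessorChain);
    token.setProcessor(finalProcessor);
}
```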
@@ -168,33 +107,13 @@ public class BinarySecurityTokenOutputPr
outputProcessorChain.processEvent(xmlSecEvent);
}
- private X509Certificate getReqSigCert(SecurityContext securityContext) throws XMLSecurityException {
- List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
- if (securityEventList != null) {
- for (int i = 0; i < securityEventList.size(); i++) {
- SecurityEvent securityEvent = securityEventList.get(i);
- if (securityEvent instanceof TokenSecurityEvent) {
- TokenSecurityEvent tokenSecurityEvent = (TokenSecurityEvent) securityEvent;
- if (!tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.MainSignature)) {
- continue;
- }
- X509Certificate[] x509Certificates = tokenSecurityEvent.getSecurityToken().getX509Certificates();
- if (x509Certificates != null && x509Certificates.length > 0) {
- return x509Certificates[0];
- }
- }
- }
- }
- return null;
- }
-
- class FinalBinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
+ class FinalKerberosSecurityTokenOutputProcessor extends AbstractOutputProcessor {
- private final OutboundSecurityToken securityToken;
+ private final KerberosClientSecurityToken securityToken;
- FinalBinarySecurityTokenOutputProcessor(OutboundSecurityToken securityToken) throws XMLSecurityException {
+ FinalKerberosSecurityTokenOutputProcessor(KerberosClientSecurityToken securityToken) throws XMLSecurityException {
super();
- this.addAfterProcessor(BinarySecurityTokenOutputProcessor.class.getName());
+ this.addAfterProcessor(KerberosSecurityTokenOutputProcessor.class.getName());
this.securityToken = securityToken;
}
@@ -207,9 +126,18 @@ public class BinarySecurityTokenOutputPr
&& WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
- boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
- WSSUtils.createBinarySecurityTokenStructure(this, subOutputProcessorChain, securityToken.getId(), securityToken.getX509Certificates(), useSingleCertificate);
-
+ List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(3);
+ attributes.add(createAttribute(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING));
+ attributes.add(createAttribute(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
+ attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
+ createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, false, attributes);
+ createCharactersAndOutputAsEvent(subOutputProcessorChain,
+ new Base64(76, new byte[]{'\n'}).encodeToString(securityToken.getTicket())
+ );
+ createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken);
+ if (getAction() == WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN) {
+ WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
+ }
outputProcessorChain.removeProcessor(this);
}
}
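Review bot: `getAction() == WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN` compares by reference while every other action test in this file uses `equals` (see `action.equals(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN)` earlier in the same class), and `Action` is a class rather than an enum, so the two are not guaranteed to agree; use `if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())) {`. `securityToken.getTicket()` is called at emission time and, judging from the token class added later on this page, may trigger the Kerberos login on first use, so any login failure will surface as an `XMLSecurityException` part-way through writing the security header; a comment on that line noting the lazy acquisition would spare the next reader the surprise. The `Base64(76, new byte[]{'\n'})` encoder inserts line breaks into the BST text; the inbound handler decodes with `Base64.decodeBase64`, which tolerates them, but the choice deserves a one-line comment since other producers may be stricter.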
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java Mon Dec 3 21:26:13 2012
@@ -116,6 +116,8 @@ public class WSSSignatureEndingOutputPro
attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE));
} else if (WSSConstants.Saml20Token.equals(securityToken.getTokenType())) {
attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE));
+ } else if (WSSConstants.KerberosToken.equals(securityToken.getTokenType())) {
+ attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
}
createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, false, attributes);
@@ -131,13 +133,16 @@ public class WSSSignatureEndingOutputPro
WSSUtils.createThumbprintKeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
} else if (keyIdentifierType == WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
String valueType;
- if (useSingleCertificate) {
- valueType = WSSConstants.NS_X509_V3_TYPE;
- } else {
- valueType = WSSConstants.NS_X509PKIPathv1;
- }
if (WSSConstants.Saml20Token.equals(securityToken.getTokenType())) {
valueType = null;
+ } else if (WSSConstants.KerberosToken.equals(securityToken.getTokenType())) {
+ valueType = WSSConstants.NS_GSS_Kerberos5_AP_REQ;
+ } else {
+ if (useSingleCertificate) {
+ valueType = WSSConstants.NS_X509_V3_TYPE;
+ } else {
+ valueType = WSSConstants.NS_X509PKIPathv1;
+ }
}
WSSUtils.createBSTReferenceStructure(this, outputProcessorChain, tokenId, valueType);
} else if (keyIdentifierType == WSSConstants.WSSKeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF) {
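Review bot: The new `else { if (useSingleCertificate) … }` nests a second conditional where an `else if` chain reads more directly; `} else if (useSingleCertificate) { valueType = WSSConstants.NS_X509_V3_TYPE; } else { valueType = WSSConstants.NS_X509PKIPathv1; }` keeps the three token cases at one level. Moving the X.509 default into the `else` also fixes the pre-existing oddity where `valueType` was assigned and then overwritten for SAML tokens, which is worth a short comment so the reordering is not undone.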
@@ -145,7 +150,7 @@ public class WSSSignatureEndingOutputPro
} else if (keyIdentifierType == WSSConstants.WSSKeyIdentifierType.USERNAMETOKEN_REFERENCE) {
WSSUtils.createUsernameTokenReferenceStructure(this, outputProcessorChain, tokenId);
} else {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "unsupportedSecurityToken");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "unsupportedSecurityToken", keyIdentifierType);
}
createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference);
}
Added: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java?rev=1416670&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java (added)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java Mon Dec 3 21:26:13 2012
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ws.security.stax.impl.securityToken;
+
+import org.apache.ws.security.common.ext.WSSecurityException;
+import org.apache.ws.security.common.kerberos.KerberosClientAction;
+import org.apache.ws.security.common.kerberos.KerberosContextAndServiceNameCallback;
+import org.apache.ws.security.stax.ext.WSSConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
+import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
+
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.io.IOException;
+import java.security.Key;
+import java.security.Principal;
+import java.util.Set;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class KerberosClientSecurityToken extends GenericOutboundSecurityToken {
+
+ private CallbackHandler callbackHandler;
+ private Key secretKey;
+ private byte[] ticket;
+
+ public KerberosClientSecurityToken(CallbackHandler callbackHandler, String id) throws XMLSecurityException {
+ super(id, WSSConstants.KerberosToken);
+ this.callbackHandler = callbackHandler;
+ }
+
+ private void getTGT() throws WSSecurityException {
+ try {
+ KerberosContextAndServiceNameCallback contextAndServiceNameCallback = new KerberosContextAndServiceNameCallback();
+ callbackHandler.handle(new Callback[]{contextAndServiceNameCallback});
+
+ if (contextAndServiceNameCallback.getContextName() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackContextNameNotSupplied");
+ }
+ if (contextAndServiceNameCallback.getServiceName() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackServiceNameNotSupplied");
+ }
+
+ LoginContext loginContext = new LoginContext(contextAndServiceNameCallback.getContextName(), callbackHandler);
+ loginContext.login();
+
+ Subject clientSubject = loginContext.getSubject();
+ Set<Principal> clientPrincipals = clientSubject.getPrincipals();
+ if (clientPrincipals.isEmpty()) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE,
+ "kerberosLoginError", "No Client principals found after login"
+ );
+ }
+ // Store the TGT
+ KerberosTicket tgt = getKerberosTicket(clientSubject, null);
+
+ // Get the service ticket
+ KerberosClientAction action =
+ new KerberosClientAction(
+ clientPrincipals.iterator().next(), contextAndServiceNameCallback.getServiceName()
+ );
+ byte[] ticket = Subject.doAs(clientSubject, action);
+ if (ticket == null) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
+ );
+ }
+
+ // Get the Service Ticket (private credential)
+ KerberosTicket serviceTicket = getKerberosTicket(clientSubject, tgt);
+ if (serviceTicket != null) {
+ this.secretKey = serviceTicket.getSessionKey();
+ }
+
+ this.ticket = ticket;
+
+ } catch (LoginException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ } catch (UnsupportedCallbackException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ } catch (IOException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ }
+ }
+
+ /**
+ * Get a KerberosTicket from the clientSubject parameter, that is not equal to the supplied KerberosTicket
+ * parameter (can be null)
+ */
+ private KerberosTicket getKerberosTicket(Subject clientSubject, KerberosTicket previousTicket) {
+ Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
+ if (privateCredentials == null || privateCredentials.isEmpty()) {
+ return null;
+ }
+
+ for (KerberosTicket privateCredential : privateCredentials) {
+ if (!privateCredential.equals(previousTicket)) {
+ return privateCredential;
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
+ Key key = super.getSecretKey(algorithmURI);
+ if (key != null) {
+ return key;
+ }
+ if (this.secretKey == null) {
+ getTGT();
+ }
+ String algoFamily = JCEAlgorithmMapper.getJCERequiredKeyFromURI(algorithmURI);
+ key = new SecretKeySpec(this.secretKey.getEncoded(), algoFamily);
+ setSecretKey(algorithmURI, key);
+ return key;
+ }
+
+ public byte[] getTicket() throws XMLSecurityException {
+ if (this.ticket == null) {
+ getTGT();
+ }
+ return ticket;
+ }
+}
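Review bot: `getSecretKey` dereferences `this.secretKey.getEncoded()` after `getTGT()`, but `getTGT()` only assigns `secretKey` when `getKerberosTicket(clientSubject, tgt)` finds a second ticket, so a subject holding no distinct service ticket leaves `secretKey` null and this method fails with a `NullPointerException` instead of a `WSSecurityException`; add after the `getTGT()` call `if (this.secretKey == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"); }`. `getKerberosTicket` returns the first private credential that is not the TGT, which presumably is the service ticket just obtained but is not guaranteed when the subject already held other tickets, so the selection should be documented as an assumption. The `LoginContext` and its `Subject` are discarded without `logout()`, so the TGT and session keys stay reachable for as long as the JAAS implementation keeps them; whether that is acceptable for a per-message token should at least be stated in a comment. The method name `getTGT` understates what it does, since it also performs the login, obtains the service ticket and stores the session key; a class-level Javadoc describing this lazy, single-shot acquisition would help.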
Propchange: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Added: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java?rev=1416670&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java (added)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java Mon Dec 3 21:26:13 2012
@@ -0,0 +1,150 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ws.security.stax.impl.securityToken;
+
+import org.apache.ws.security.common.ext.WSSecurityException;
+import org.apache.ws.security.common.kerberos.KerberosContextAndServiceNameCallback;
+import org.apache.ws.security.common.kerberos.KerberosServiceAction;
+import org.apache.ws.security.common.kerberos.KerberosTokenDecoder;
+import org.apache.ws.security.common.kerberos.KerberosTokenDecoderImpl;
+import org.apache.ws.security.stax.ext.WSSConstants;
+import org.apache.ws.security.stax.ext.WSSecurityContext;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
+
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.io.IOException;
+import java.security.Key;
+import java.security.Principal;
+import java.util.Set;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class KerberosServiceSecurityToken extends AbstractInboundSecurityToken {
+
+ private CallbackHandler callbackHandler;
+ private byte[] binaryContent;
+
+ private KerberosTokenDecoder kerberosTokenDecoder;
+
+ public KerberosServiceSecurityToken(WSSecurityContext wsSecurityContext, CallbackHandler callbackHandler,
+ byte[] binaryContent, String id, WSSConstants.KeyIdentifierType keyIdentifierType)
+ throws XMLSecurityException {
+ super(wsSecurityContext, id, keyIdentifierType);
+ this.callbackHandler = callbackHandler;
+ this.binaryContent = binaryContent;
+ }
+
+ @Override
+ public boolean isAsymmetric() throws XMLSecurityException {
+ return false;
+ }
+
+ @Override
+ public XMLSecurityConstants.TokenType getTokenType() {
+ return WSSConstants.KerberosToken;
+ }
+
+ private KerberosTokenDecoder getTGT() throws WSSecurityException {
+ try {
+ KerberosContextAndServiceNameCallback contextAndServiceNameCallback = new KerberosContextAndServiceNameCallback();
+ callbackHandler.handle(new Callback[]{contextAndServiceNameCallback});
+
+ if (contextAndServiceNameCallback.getContextName() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackContextNameNotSupplied");
+ }
+ if (contextAndServiceNameCallback.getServiceName() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackServiceNameNotSupplied");
+ }
+
+ LoginContext loginContext = new LoginContext(contextAndServiceNameCallback.getContextName(), callbackHandler);
+ loginContext.login();
+
+ // Get the service name to use - fall back on the principal
+ Subject subject = loginContext.getSubject();
+ String service = contextAndServiceNameCallback.getServiceName();
+ if (service == null) {
+ Set<Principal> principals = subject.getPrincipals();
+ if (principals.isEmpty()) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE,
+ "kerberosLoginError",
+ "No Client principals found after login"
+ );
+ }
+ service = principals.iterator().next().getName();
+ }
+
+ // Validate the ticket
+ KerberosServiceAction action = new KerberosServiceAction(binaryContent, service);
+ Principal principal = Subject.doAs(subject, action);
+ if (principal == null) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "kerberosTicketValidationError"
+ );
+ }
+
+ KerberosTokenDecoder kerberosTokenDecoder = new KerberosTokenDecoderImpl();
+ kerberosTokenDecoder.setToken(binaryContent);
+ kerberosTokenDecoder.setSubject(subject);
+ return kerberosTokenDecoder;
+
+ } catch (LoginException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ } catch (UnsupportedCallbackException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ } catch (IOException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ }
+ }
+
+ @Override
+ protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage,
+ String correlationID) throws XMLSecurityException {
+
+ Key key = getSecretKey().get(algorithmURI);
+ if (key != null) {
+ return key;
+ }
+
+ if (this.kerberosTokenDecoder == null) {
+ this.kerberosTokenDecoder = getTGT();
+ }
+
+ byte[] secretToken = this.kerberosTokenDecoder.getSessionKey();
+ String algoFamily = JCEAlgorithmMapper.getJCERequiredKeyFromURI(algorithmURI);
+ key = new SecretKeySpec(secretToken, algoFamily);
+ setSecretKey(algorithmURI, key);
+ return key;
+ }
+
+ public byte[] getBinaryContent() {
+ return binaryContent;
+ }
+}
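Review bot: The principal fallback in getTGT is unreachable: the check `if (contextAndServiceNameCallback.getServiceName() == null)` throws `kerberosCallbackServiceNameNotSupplied` before login, so `service` can never be null when the `// Get the service name to use - fall back on the principal` block runs, and that block together with its "No Client principals found after login" error is dead code. Either the earlier throw should go, so a missing service name really falls back to the logged-in principal's name, or the fallback block and its comment should be removed; as written the two disagree about the contract. The LoginContext created in the method is also never logged out after `Subject.doAs(subject, action)` returns, which deserves at least a comment if it is intentional. The name getTGT is misleading on the service side, where the method authenticates the service's own login context and validates the received AP-REQ rather than obtaining a ticket-granting ticket; a Javadoc line such as `/** Logs in via the configured JAAS context, validates the received AP-REQ for the service name and returns a decoder exposing its session key. */` would make that clear.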
Propchange: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java Mon Dec 3 21:26:13 2012
@@ -39,6 +39,10 @@ import org.apache.xml.security.stax.impl
import org.opensaml.common.SAMLVersion;
import javax.security.auth.callback.CallbackHandler;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.List;
/**
* Factory to create SecurityToken Objects from keys in XML
@@ -162,6 +166,34 @@ public class SecurityTokenFactoryImpl ex
WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "noToken", keyIdentifierType.getValue());
}
return securityTokenProvider.getSecurityToken();
+ } else if (WSSConstants.NS_Kerberos5_AP_REQ_SHA1.equals(valueType)) {
+ SecurityTokenProvider securityTokenProvider = securityContext.getSecurityTokenProvider(keyIdentifierType.getValue());
+ if (securityTokenProvider != null) {
+ return securityTokenProvider.getSecurityToken();
+ }
+
+ MessageDigest messageDigest = null;
+ try {
+ messageDigest = MessageDigest.getInstance("SHA-1");
+ } catch (NoSuchAlgorithmException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ }
+
+ //ok we have to find the token via digesting...
+ List<SecurityTokenProvider> securityTokenProviders = securityContext.getRegisteredSecurityTokenProviders();
+ for (int i = 0; i < securityTokenProviders.size(); i++) {
+ SecurityTokenProvider tokenProvider = securityTokenProviders.get(i);
+ SecurityToken securityToken = tokenProvider.getSecurityToken();
+ if (securityToken instanceof KerberosServiceSecurityToken) {
+ KerberosServiceSecurityToken kerberosSecurityToken = (KerberosServiceSecurityToken)securityToken;
+ byte[] tokenDigest = messageDigest.digest(kerberosSecurityToken.getBinaryContent());
+ if (Arrays.equals(tokenDigest, binaryContent)) {
+ return securityToken;
+ }
+ }
+ }
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "noToken", keyIdentifierType.getValue());
} else {
//we do enforce BSP compliance here but will fail anyway since we cannot identify the referenced token
((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R3063);
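Review bot: The digest lookup hard-codes "SHA-1" with nothing tying it to the branch condition; a comment at `messageDigest = MessageDigest.getInstance("SHA-1");` such as `// NS_Kerberos5_AP_REQ_SHA1 identifies the token by the SHA-1 of its raw AP-REQ bytes, so only that digest can match` records why no other algorithm belongs here. The index loop over securityTokenProviders would read better as an enhanced for, `for (SecurityTokenProvider tokenProvider : securityTokenProviders) {`, and the conventional call for comparing digests is `MessageDigest.isEqual(tokenDigest, binaryContent)`; both values here come from the same inbound message, so the timing behaviour of `Arrays.equals` is unlikely to matter, but the idiom avoids the question. KerberosServiceSecurityToken.getBinaryContent() returns whatever its constructor received, so a token built with a null array would make `messageDigest.digest(...)` throw a NullPointerException instead of a WSSecurityException; a null guard in this loop or a `requireNonNull` in that constructor would close the gap. The enclosing method of SecurityTokenFactoryImpl begins before this hunk.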