Posted to commits@cxf.apache.org by co...@apache.org on 2017/09/08 14:42:32 UTC
cxf git commit: Add some hooks to either set or get some information
relating to the kerberos authentication process
Repository: cxf
Updated Branches:
refs/heads/master 4080fbafc -> ec7a52968
Add some hooks to either set or get some information relating to the kerberos authentication process
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ec7a5296
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ec7a5296
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ec7a5296
Branch: refs/heads/master
Commit: ec7a52968e8e4d9e7727a7798b293389c1a3dd29
Parents: 4080fba
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Sep 8 15:42:03 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Sep 8 15:42:03 2017 +0100
----------------------------------------------------------------------
.../jaxrs/security/KerberosAuthenticationFilter.java | 13 ++++++++-----
.../http/auth/AbstractSpnegoAuthSupplier.java | 7 +++++++
.../cxf/ws/security/kerberos/KerberosClient.java | 6 +++++-
3 files changed, 20 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/ec7a5296/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
index 0111022..924057a 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
@@ -105,15 +105,13 @@ public class KerberosAuthenticationFilter implements ContainerRequestFilter {
if (index > 0) {
simpleUserName = simpleUserName.substring(0, index);
}
+ Message m = JAXRSUtils.getCurrentMessage();
+ m.put(SecurityContext.class, createSecurityContext(simpleUserName, complexUserName, gssContext));
+
if (!gssContext.getCredDelegState()) {
gssContext.dispose();
gssContext = null;
}
- Message m = JAXRSUtils.getCurrentMessage();
- m.put(SecurityContext.class,
- new KerberosSecurityContext(new KerberosPrincipal(simpleUserName,
- complexUserName),
- gssContext));
} catch (LoginException e) {
LOG.fine("Unsuccessful JAAS login for the service principal: " + e.getMessage());
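Review bot: With `m.put(SecurityContext.class, ...)` now placed ahead of the `getCredDelegState()` check, the security context is built with the live `gssContext`, which the following lines dispose when credentials are not delegated; the old code passed `null` to `KerberosSecurityContext` in that case. A consumer that treats a non-null GSS context on the security context as "delegated credentials are available" would presumably now receive a disposed object instead (KerberosSecurityContext is not shown here). If the reorder is only meant to give the new `createSecurityContext` hook in the next hunk access to the live context, the default implementation can keep the old behaviour by passing `gssContext.getCredDelegState() ? gssContext : null` as the second constructor argument. The hook's Javadoc should also state that the context may be disposed as soon as the hook returns. The enclosing method starts and ends outside this hunk.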
@@ -127,6 +125,11 @@ public class KerberosAuthenticationFilter implements ContainerRequestFilter {
}
}
+ protected SecurityContext createSecurityContext(String simpleUserName, String complexUserName,
+ GSSContext gssContext) {
+ return new KerberosSecurityContext(new KerberosPrincipal(simpleUserName, complexUserName), gssContext);
+ }
+
protected GSSContext createGSSContext() throws GSSException {
boolean useKerberosOid = PropertyUtils.isTrue(
messageContext.getContextualProperty(PROPERTY_USE_KERBEROS_OID));
http://git-wip-us.apache.org/repos/asf/cxf/blob/ec7a5296/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
index 464610f..2129e29 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
@@ -138,6 +138,8 @@ public abstract class AbstractSpnegoAuthSupplier {
return context.initSecContext(token, 0, token.length);
}
+ decorateSubject(subject);
+
try {
return Subject.doAs(subject, new CreateServiceTicketAction(context, token));
} catch (PrivilegedActionException e) {
@@ -149,6 +151,11 @@ public abstract class AbstractSpnegoAuthSupplier {
}
}
+ // Allow subclasses to decorate the Subject if required.
+ protected void decorateSubject(Subject subject) {
+
+ }
+
protected boolean isCredDelegationRequired(Message message) {
return MessageUtils.getContextualBoolean(message, PROPERTY_REQUIRE_CRED_DELEGATION, credDelegation);
}
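Review bot: `decorateSubject` is documented only by a one-line `//` comment and has a blank line for a body, which tells an implementer nothing about when it runs or what it may safely change. The call site in the previous hunk shows it runs immediately before `Subject.doAs(subject, new CreateServiceTicketAction(context, token))`, so anything it adds to the Subject is in effect for the service-ticket request. I would replace the comment with Javadoc such as `/** Called before the service ticket is requested; subclasses may add principals or credentials to the Subject passed to Subject.doAs. The default does nothing. */` and put `// no-op by default` in the body. If the Subject comes from a login that is reused across requests (not visible in this hunk), the Javadoc should also warn that changes made here persist.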
http://git-wip-us.apache.org/repos/asf/cxf/blob/ec7a5296/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
index 9d8d420..e6061b7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
@@ -147,7 +147,7 @@ public class KerberosClient implements Configurable {
LOG.fine("Requesting Kerberos ticket for " + serviceName
+ " using JAAS Login Module: " + getContextName());
}
- KerberosSecurity bst = new KerberosSecurity(DOMUtils.createDocument());
+ KerberosSecurity bst = createKerberosSecurity();
bst.retrieveServiceTicket(getContextName(), callbackHandler, serviceName,
isUsernameServiceNameForm, requestCredentialDelegation,
delegatedCredential);
@@ -170,6 +170,10 @@ public class KerberosClient implements Configurable {
return token;
}
+ protected KerberosSecurity createKerberosSecurity() {
+ return new KerberosSecurity(DOMUtils.createDocument());
+ }
+
public boolean isUsernameServiceNameForm() {
return isUsernameServiceNameForm;
}
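Review bot: `createKerberosSecurity` has no Javadoc stating its contract, yet the call site in the previous hunk immediately invokes `bst.retrieveServiceTicket(...)` on the returned object, so an override needs to return a fresh instance each time. Suggested comment: `/** Creates the KerberosSecurity token that will be populated with the service ticket. Overrides must return a new instance on every call. */`. A subclass that caches the instance would presumably mix ticket state between requests, though KerberosSecurity itself is not shown here.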