Posted to commits@cxf.apache.org by co...@apache.org on 2014/10/15 15:27:07 UTC
git commit: Adding a new JAX-RS property to control Kerberos request
delegation
Repository: cxf
Updated Branches:
refs/heads/master 30e3c5b04 -> 1496fd48c
Adding a new JAX-RS property to control Kerberos request delegation
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1496fd48
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1496fd48
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1496fd48
Branch: refs/heads/master
Commit: 1496fd48c8e08edc8a3948e4f37eb594972dbe91
Parents: 30e3c5b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Oct 15 14:24:27 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Oct 15 14:24:59 2014 +0100
----------------------------------------------------------------------
.../org/apache/cxf/ws/security/SecurityConstants.java | 11 ++++++++++-
.../apache/cxf/ws/security/kerberos/KerberosUtils.java | 6 ++++++
2 files changed, 16 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/1496fd48/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index bc286b6..96165bd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -558,6 +558,14 @@ public final class SecurityConstants {
//
/**
+ * Whether to request credential delegation or not in the KerberosClient. If this is set to "true",
+ * then it tries to get a kerberos service ticket that can be used for delegation. The default
+ * is "false".
+ */
+ public static final String KERBEROS_REQUEST_CREDENTIAL_DELEGATION =
+ "ws-security.kerberos.request.credential.delegation";
+
+ /**
* Whether to use credential delegation or not in the KerberosClient. If this is set to "true",
* then it tries to get a GSSCredential Object from the Message Context using the
* DELEGATED_CREDENTIAL configuration tag below, and then use this to obtain a service ticket.
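Review bot: The Javadoc added for KERBEROS_REQUEST_CREDENTIAL_DELEGATION does not say what enabling it exposes, nor how it differs from KERBEROS_USE_CREDENTIAL_DELEGATION documented directly below it. Requesting delegation asks for a ticket that the receiving service can use to act as the caller towards other services, so the text should tell users to enable it only for endpoints trusted to that degree. I would add a sentence such as `Only enable this for services that are trusted to act on the caller's behalf, since the delegated credential lets the service authenticate to other services as the caller.` A second sentence could separate the two properties: `This is the requesting side; KERBEROS_USE_CREDENTIAL_DELEGATION consumes a credential that has already been delegated.`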
@@ -618,7 +626,8 @@ public final class SecurityConstants {
SAML_ONE_TIME_USE_CACHE_INSTANCE, ENABLE_STREAMING_SECURITY, RETURN_SECURITY_ERROR,
CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION,
- KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE
+ KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
+ KERBEROS_REQUEST_CREDENTIAL_DELEGATION
}));
ALL_PROPERTIES = Collections.unmodifiableSet(s);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/1496fd48/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
index b739edb..73118cb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
@@ -59,11 +59,17 @@ public final class KerberosUtils {
SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM,
false);
+ boolean requestCredentialDelegation =
+ MessageUtils.getContextualBoolean(message,
+ SecurityConstants.KERBEROS_REQUEST_CREDENTIAL_DELEGATION,
+ false);
+
client.setContextName(jaasContext);
client.setServiceName(kerberosSpn);
client.setCallbackHandler(callbackHandler);
client.setUseDelegatedCredential(useCredentialDelegation);
client.setUsernameServiceNameForm(isInServiceNameForm);
+ client.setRequestCredentialDelegation(requestCredentialDelegation);
}
return client;
}
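Review bot: The new property is read and applied only inside the block that closes just before `return client;`, and that block opens outside this hunk. If it is the branch that builds a default KerberosClient (not visible here), a client supplied through configuration never sees `ws-security.kerberos.request.credential.delegation` and the setting is silently ignored; that behaviour should be stated in the constant's Javadoc or in a comment at this point. Because this is a security-sensitive switch, a short comment above the lookup would also help the next reader, for example `// Off by default: requesting delegation lets the target service act as the caller.`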