svn commit: r1537125 - in
/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts:
operation/AbstractOperation.java operation/TokenIssueOperation.java
token/canceller/SCTCanceller.java
Author: coheigea
Date: Wed Oct 30 15:12:01 2013
New Revision: 1537125
URL: http://svn.apache.org/r1537125
Log:
Added some functionality to the STS to get it working with streaming WS-Security
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java?rev=1537125&r1=1537124&r2=1537125&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java Wed Oct 30 15:12:01 2013
@@ -85,6 +85,12 @@ import org.apache.wss4j.dom.handler.WSHa
import org.apache.wss4j.dom.message.WSSecEncrypt;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
/**
* This abstract class contains some common functionality for different operations.
@@ -532,6 +538,7 @@ public abstract class AbstractOperation
@SuppressWarnings("unchecked")
List<WSHandlerResult> results =
(List<WSHandlerResult>) context.get(WSHandlerConstants.RECV_RESULTS);
+ // DOM
if (results != null) {
for (WSHandlerResult rResult : results) {
List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
@@ -548,6 +555,31 @@ public abstract class AbstractOperation
}
}
}
+
+ // Streaming
+ @SuppressWarnings("unchecked")
+ final List<SecurityEvent> incomingEventList =
+ (List<SecurityEvent>) context.get(SecurityEvent.class.getName() + ".in");
+ if (incomingEventList != null) {
+ for (SecurityEvent incomingEvent : incomingEventList) {
+ if (WSSecurityEventConstants.SignedPart == incomingEvent.getSecurityEventType()
+ || WSSecurityEventConstants.SignedElement
+ == incomingEvent.getSecurityEventType()) {
+ org.apache.xml.security.stax.securityToken.SecurityToken token =
+ ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken();
+ try {
+ if (token != null && token.getX509Certificates() != null
+ && token.getX509Certificates().length > 0) {
+ return token.getX509Certificates()[0];
+ }
+ } catch (XMLSecurityException ex) {
+ LOG.log(Level.FINE, ex.getMessage(), ex);
+ return null;
+ }
+ }
+ }
+ }
+
return null;
}
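Review bot: `token.getX509Certificates()` is called three times in the new streaming branch (null check, length check and the return), and each call can throw `XMLSecurityException`; hoist it once: `X509Certificate[] certs = token.getX509Certificates();` / `if (certs != null && certs.length > 0) {` / `return certs[0];` (assuming `X509Certificate` is already imported for the enclosing method's return type, which lies outside the hunk). The `return null` in the catch also stops the scan at the first event whose certificate lookup fails, while the loop otherwise keeps searching later SignedPart/SignedElement events; if that early exit is intended, a short comment saying so would help. The filter accepts SignedElement as well as SignedPart, so the returned certificate may come from a signature that covers only a single element; worth confirming this matches what the DOM branch above selects. The enclosing method begins before this hunk.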
@@ -718,4 +750,24 @@ public abstract class AbstractOperation
eventPublisher.handleSTSEvent(event);
}
}
+
+ protected static org.apache.xml.security.stax.securityToken.SecurityToken
+ findInboundSecurityToken(
+ SecurityEventConstants.Event event,
+ MessageContext messageContext
+ ) throws XMLSecurityException {
+ @SuppressWarnings("unchecked")
+ final List<SecurityEvent> incomingEventList =
+ (List<SecurityEvent>) messageContext.get(SecurityEvent.class.getName() + ".in");
+ if (incomingEventList != null) {
+ for (SecurityEvent incomingEvent : incomingEventList) {
+ if (event == incomingEvent.getSecurityEventType()) {
+ org.apache.xml.security.stax.securityToken.SecurityToken token =
+ ((TokenSecurityEvent<?>)incomingEvent).getSecurityToken();
+ return token;
+ }
+ }
+ }
+ return null;
+ }
}
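Review bot: `findInboundSecurityToken` is a new protected API with no Javadoc, and it unconditionally casts the first matching event to `TokenSecurityEvent<?>`, so a caller passing a non-token event type gets a ClassCastException. Add a Javadoc stating that it returns the security token of the first inbound streaming security event whose type equals `event`, or null if there is none, and that `event` must be a token-bearing event type. Nothing in the body visibly throws `XMLSecurityException`, so the `throws` clause looks unnecessary unless `getSecurityToken()` declares it — confirm against the xmlsec API. The context key `SecurityEvent.class.getName() + ".in"` is repeated here, in the previous hunk and in SCTCanceller; a shared constant would keep the three lookups in step.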
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java?rev=1537125&r1=1537124&r2=1537125&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java Wed Oct 30 15:12:01 2013
@@ -387,23 +387,35 @@ public class TokenIssueOperation extends
final List<WSHandlerResult> handlerResults =
CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
+ // Try DOM results first
if (handlerResults != null && handlerResults.size() > 0) {
WSHandlerResult handlerResult = handlerResults.get(0);
List<WSSecurityEngineResult> engineResults = handlerResult.getResults();
for (WSSecurityEngineResult engineResult : engineResults) {
- /*
- Integer actInt = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
- String id = (String)engineResult.get(WSSecurityEngineResult.TAG_ID);
- Element tokenElement =
- (Element)engineResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
- */
Object token = engineResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
if (token instanceof SamlAssertionWrapper) {
return (SamlAssertionWrapper)token;
}
}
}
+
+ // Now try steaming results
+ /*
+ * TODO Uncomment this after we release a beta/RC
+ try {
+ org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
+ findInboundSecurityToken(WSSecurityEventConstants.SamlToken, messageContext);
+ if (securityToken instanceof SamlSecurityToken
+ && ((SamlSecurityToken)securityToken).getSamlAssertionWrapper() != null) {
+ return ((SamlSecurityToken)securityToken).getSamlAssertionWrapper();
+ }
+ } catch (XMLSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ return null;
+ }
+ */
+
return null;
}
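Review bot: The added comment `// Now try steaming results` has a typo and should read `// Now try streaming results`. The commented-out block beneath it references `SamlSecurityToken`, `WSSecurityEventConstants` and `XMLSecurityException`, none of which this file imports in the diff, so un-commenting it after the release will not compile without also adding those imports; a single TODO line naming the required imports (or a tracking issue) would make the follow-up less error-prone than carrying a dead code block. The enclosing method starts before this hunk.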
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java?rev=1537125&r1=1537124&r2=1537125&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java Wed Oct 30 15:12:01 2013
@@ -19,15 +19,16 @@
package org.apache.cxf.sts.token.canceller;
+import java.security.Key;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.SecretKey;
import javax.xml.ws.handler.MessageContext;
import org.w3c.dom.Element;
-
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.sts.request.ReceivedToken;
@@ -41,6 +42,10 @@ import org.apache.wss4j.dom.WSSecurityEn
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
/**
* This class cancels a SecurityContextToken.
@@ -118,8 +123,34 @@ public class SCTCanceller implements Tok
}
private boolean matchKey(TokenCancellerParameters tokenParameters, byte[] secretKey) {
- boolean result = false;
MessageContext messageContext = tokenParameters.getWebServiceContext().getMessageContext();
+
+ if (matchDOMSignatureSecret(messageContext, secretKey)) {
+ return true;
+ }
+
+ try {
+ if (matchStreamingSignatureSecret(messageContext, secretKey)) {
+ return true;
+ }
+ } catch (XMLSecurityException ex) {
+ LOG.log(Level.FINE, ex.getMessage(), ex);
+ return false;
+ }
+
+ return false;
+ }
+
+ /**
+ * Set whether proof of possession is required or not to cancel a token
+ */
+ public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
+ this.verifyProofOfPossession = verifyProofOfPossession;
+ }
+
+ private boolean matchDOMSignatureSecret(
+ MessageContext messageContext, byte[] secretToMatch
+ ) {
final List<WSHandlerResult> handlerResults =
CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
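Review bot: In `matchKey`, the `return false;` inside the `catch (XMLSecurityException ex)` block duplicates the fall-through `return false;` that follows it, so the catch only needs the log call; alternatively the whole body collapses to `return matchDOMSignatureSecret(messageContext, secretKey) || matchStreamingSignatureSecret(messageContext, secretKey);` inside the try. The two new private helpers carry no Javadoc; a one-line comment on each stating that it compares the supplied secret with the key of the inbound signature (DOM handler results and streaming security events respectively) and returns true on the first match would document the proof-of-possession contract. `matchDOMSignatureSecret` continues past the end of this hunk.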
@@ -131,7 +162,7 @@ public class SCTCanceller implements Tok
Integer action = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
if (action.equals(WSConstants.SIGN)) {
byte[] receivedKey = (byte[])engineResult.get(WSSecurityEngineResult.TAG_SECRET);
- if (Arrays.equals(secretKey, receivedKey)) {
+ if (Arrays.equals(secretToMatch, receivedKey)) {
LOG.log(
Level.FINE,
"Verification of the proof of possession of the key associated with "
@@ -142,14 +173,41 @@ public class SCTCanceller implements Tok
}
}
}
-
- return result;
+
+ return false;
}
-
- /**
- * Set whether proof of possession is required or not to cancel a token
- */
- public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
- this.verifyProofOfPossession = verifyProofOfPossession;
+
+ private boolean matchStreamingSignatureSecret(
+ MessageContext messageContext, byte[] secretToMatch
+ ) throws XMLSecurityException {
+ @SuppressWarnings("unchecked")
+ final List<SecurityEvent> incomingEventList =
+ (List<SecurityEvent>) messageContext.get(SecurityEvent.class.getName() + ".in");
+ if (incomingEventList != null) {
+ for (SecurityEvent incomingEvent : incomingEventList) {
+ if (WSSecurityEventConstants.SignedPart == incomingEvent.getSecurityEventType()
+ || WSSecurityEventConstants.SignedElement
+ == incomingEvent.getSecurityEventType()) {
+ org.apache.xml.security.stax.securityToken.SecurityToken token =
+ ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken();
+ if (token != null && token.getSecretKey() != null) {
+ for (String key : token.getSecretKey().keySet()) {
+ Key keyObject = token.getSecretKey().get(key);
+ if (keyObject instanceof SecretKey
+ && Arrays.equals(secretToMatch, ((SecretKey)keyObject).getEncoded())) {
+ LOG.log(
+ Level.FINE,
+ "Verification of the proof of possession of the key associated with "
+ + "the security context successful."
+ );
+ return true;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ return false;
}
}
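Review bot: The new `matchStreamingSignatureSecret` compares a proof-of-possession secret with `Arrays.equals(secretToMatch, ((SecretKey)keyObject).getEncoded())`, which returns at the first differing byte; for a secret comparison the constant-time `MessageDigest.isEqual` is the safer choice (it needs `import java.security.MessageDigest;`, and `getEncoded()` should be null-checked first since it may return null for non-extractable keys). `token.getSecretKey()` is also evaluated three times per event and the loop walks `keySet()` only to call `get(key)`, so iterating `values()` directly is simpler. The DOM branch in the earlier hunk (`Arrays.equals(secretToMatch, receivedKey)`) does the same byte-wise comparison and is pre-existing, so it may be worth changing at the same time. The rewritten inner loop is below.
```java
private boolean matchStreamingSignatureSecret(
    MessageContext messageContext, byte[] secretToMatch
) throws XMLSecurityException {
    // … unchanged: incomingEventList lookup and SignedPart/SignedElement filter …
    org.apache.xml.security.stax.securityToken.SecurityToken token =
        ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken();
    if (token != null && token.getSecretKey() != null) {
        // The map key name is not needed; only the key material is compared
        for (Key keyObject : token.getSecretKey().values()) {
            if (!(keyObject instanceof SecretKey)) {
                continue;
            }
            byte[] encoded = ((SecretKey)keyObject).getEncoded();
            // Constant-time comparison: this is a proof-of-possession check on a secret
            if (encoded != null && MessageDigest.isEqual(secretToMatch, encoded)) {
                LOG.log(
                    Level.FINE,
                    "Verification of the proof of possession of the key associated with "
                    + "the security context successful."
                );
                return true;
            }
        }
    }
    // … unchanged: closing braces and final return false …
```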