Posted to commits@cxf.apache.org by co...@apache.org on 2011/08/29 13:04:58 UTC
svn commit: r1162731 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ke...
Author: coheigea
Date: Mon Aug 29 11:04:57 2011
New Revision: 1162731
URL: http://svn.apache.org/viewvc?rev=1162731&view=rev
Log:
[CXF-3767] - Added support for using derived keys with Kerberos tokens + added a system test.
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java?rev=1162731&r1=1162730&r2=1162731&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java Mon Aug 29 11:04:57 2011
@@ -74,6 +74,8 @@ public class KerberosTokenBuilder implem
kerberosToken.setV5ApReqToken11(true);
} else if (SPConstants.KERBEROS_GSS_V5_AP_REQ_TOKEN_11.equals(localpart)) {
kerberosToken.setGssV5ApReqToken11(true);
+ } else if (SPConstants.REQUIRE_DERIVED_KEYS.equals(localpart)) {
+ kerberosToken.setDerivedKeys(true);
}
}
}
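Review bot: The new `REQUIRE_DERIVED_KEYS` branch is appended to an if/else chain that has no fallback, so any nested KerberosToken assertion the builder does not recognise is silently dropped instead of rejected; for a security policy that means a stricter requirement would vanish without a diagnostic (WS-SecurityPolicy 1.2 also defines `sp:RequireImpliedDerivedKeys` and `sp:RequireExplicitDerivedKeys`, which this branch does not cover if `SPConstants` declares them). Consider a closing `else` that at least logs the unrecognised `localpart`, unless the enclosing loop already does so. The enclosing method starts outside the hunk.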
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1162731&r1=1162730&r2=1162731&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Mon Aug 29 11:04:57 2011
@@ -603,7 +603,7 @@ public class SymmetricBindingHandler ext
}
dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
} else {
- if (policyToken instanceof SecureConversationToken) {
+ if (!attached || policyToken instanceof SecureConversationToken) {
dkSign.setTokenIdDirectId(true);
}
dkSign.setExternalKey(tok.getSecret(), tok.getId());
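Review bot: The widened condition `!attached || policyToken instanceof SecureConversationToken` applies to every token type that reaches this `else` branch with `attached == false`, not only the Kerberos case the commit targets, so the SecurityTokenReference form of the DerivedKeyToken changes for those tokens too; that may be intended but is not stated anywhere. A comment on the new line would make the intent explicit, e.g. `// A token not present in the message (presumably IncludeToken=Once/Never) or an SCT cannot be referenced by a local wsu:Id, so reference the token Id directly`, corrected if that is not the actual reason. If the encryption side of this handler has a parallel derived-key branch, it presumably needs the same `!attached` handling. `attached` and `policyToken` are assigned outside the hunk; the enclosing method starts and ends outside it.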
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java?rev=1162731&r1=1162730&r2=1162731&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java Mon Aug 29 11:04:57 2011
@@ -209,6 +209,26 @@ public class KerberosTokenTest extends A
assertTrue(result.equals(BigInteger.valueOf(50)));
}
+
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testKerberosOverSymmetricDerivedProtection() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = KerberosTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+
+ DoubleItPortType kerberosPort = service.getDoubleItKerberosSymmetricDerivedProtectionPort();
+ updateAddressPort(kerberosPort, PORT);
+ BigInteger result = kerberosPort.doubleIt(BigInteger.valueOf(25));
+ assertTrue(result.equals(BigInteger.valueOf(50)));
+ }
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
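Review bot: The new `testKerberosOverSymmetricDerivedProtection` is `@org.junit.Ignore`d without a reason, so the derived-key path this commit adds has no executing regression test despite the log message saying a system test was added. Give the annotation a value that says what is needed to enable it, e.g. `@org.junit.Ignore("requires a live KDC/keytab for principal alice")` if that is the actual blocker, so a later reader does not have to rediscover it. Since the referenced policy in DoubleItKerberos.wsdl uses `sp:Basic256`, the test should also return early when `checkUnrestrictedPoliciesInstalled()` (defined just below) is false, as the helper's existence suggests sibling tests do. `assertEquals(BigInteger.valueOf(50), result)` would give a more useful failure message than `assertTrue(result.equals(BigInteger.valueOf(50)))`.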
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml?rev=1162731&r1=1162730&r2=1162731&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml Mon Aug 29 11:04:57 2011
@@ -168,4 +168,20 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/kerberos}DoubleItKerberosSymmetricDerivedProtectionPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.kerberos.client">
+ <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient">
+ <constructor-arg ref="cxf"/>
+ <property name="jaasLoginModuleName" value="alice"/>
+ <property name="serviceName" value="bob@service.ws.apache.org"/>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:client>
+
</beans>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml?rev=1162731&r1=1162730&r2=1162731&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml Mon Aug 29 11:04:57 2011
@@ -216,4 +216,23 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="KerberosOverSymmetricDerivedProtection"
+ address="http://localhost:${testutil.ports.Server}/DoubleItKerberosSymmetricDerivedProtection"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItKerberosSymmetricDerivedProtectionPort"
+ xmlns:s="http://WSSec/kerberos"
+ implementor="org.apache.cxf.systest.ws.kerberos.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl?rev=1162731&r1=1162730&r2=1162731&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl Mon Aug 29 11:04:57 2011
@@ -214,6 +214,26 @@
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItKerberosSymmetricDerivedProtectionBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItKerberosSymmetricDerivedProtectionPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItKerberosTransportPort" binding="tns:DoubleItKerberosTransportBinding">
<soap:address location="https://localhost:9009/DoubleItKerberosTransport" />
@@ -242,6 +262,10 @@
binding="tns:DoubleItKerberosSymmetricProtectionBinding">
<soap:address location="http://localhost:9001/DoubleItKerberosSymmetricProtection" />
</wsdl:port>
+ <wsdl:port name="DoubleItKerberosSymmetricDerivedProtectionPort"
+ binding="tns:DoubleItKerberosSymmetricDerivedProtectionBinding">
+ <soap:address location="http://localhost:9001/DoubleItKerberosSymmetricDerivedProtection" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItKerberosTransportPolicy">
@@ -584,6 +608,47 @@
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItKerberosSymmetricDerivedProtectionPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:KerberosToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
+ <wsp:Policy>
+ <sp:WssGssKerberosV5ApReqToken11/>
+ <sp:RequireDerivedKeys />
+ </wsp:Policy>
+ </sp:KerberosToken>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>