Posted to commits@cxf.apache.org by co...@apache.org on 2016/02/05 21:39:15 UTC

[3/3] cxf git commit: Fixed TLS client auth issue

Fixed TLS client auth issue


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7ea12c2d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7ea12c2d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7ea12c2d

Branch: refs/heads/master
Commit: 7ea12c2dab4440f2dcd3b070a662957534fd6011
Parents: af11d1b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Feb 5 16:14:08 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Feb 5 17:54:04 2016 +0000

----------------------------------------------------------------------
 .../sts/rest/RESTSecurityTokenServiceImpl.java  | 16 +++++-
 .../cxf/systest/sts/rest/RESTUnitTest.java      |  2 +-
 .../systest/sts/rest/WSS4JBasicAuthFilter.java  | 54 --------------------
 .../basic/src/test/resources/logging.properties |  4 +-
 .../apache/cxf/systest/sts/rest/cxf-client.xml  |  3 ++
 .../cxf/systest/sts/rest/cxf-rest-sts.xml       |  8 +--
 6 files changed, 22 insertions(+), 65 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
index 6955931..393b806 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
@@ -20,6 +20,7 @@
 package org.apache.cxf.sts.rest;
 
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -34,6 +35,8 @@ import org.w3c.dom.Element;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.phase.PhaseInterceptorChain;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.sts.QNameConstants;
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
@@ -87,7 +90,6 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple
 
     @Override
     public Response getToken(String tokenType, String keyType, List<String> requestedClaims) {
-
         if (tokenTypeMap != null && tokenTypeMap.containsKey(tokenType)) {
             tokenType = tokenTypeMap.get(tokenType);
         }
@@ -213,6 +215,18 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple
     
     @Override
     protected Principal getPrincipal() {
+        SecurityContext sc = (SecurityContext)messageContext.get(SecurityContext.class);
+        if (sc == null || sc.getUserPrincipal() == null) {
+            // Get the TLS client principal if no security context is set up
+            TLSSessionInfo tlsInfo = 
+                (TLSSessionInfo)PhaseInterceptorChain.getCurrentMessage().get(TLSSessionInfo.class);
+            if (tlsInfo != null && tlsInfo.getPeerCertificates() != null 
+                    && tlsInfo.getPeerCertificates().length > 0
+                    && (tlsInfo.getPeerCertificates()[0] instanceof X509Certificate)
+            ) {
+                return ((X509Certificate)tlsInfo.getPeerCertificates()[0]).getSubjectX500Principal();
+            } 
+        }
         return messageContext.getSecurityContext().getUserPrincipal();
     }
     
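Review bot: The fallback on the last line of getPrincipal calls `messageContext.getSecurityContext().getUserPrincipal()` even though the guard above has already established that the SecurityContext is null or has no principal, so when no client certificate is present this returns null at best and throws a NullPointerException if that accessor returns null, instead of a clean "unauthenticated" result; `PhaseInterceptorChain.getCurrentMessage()` is also dereferenced without a null check and can be null when the method is invoked outside an interceptor chain. The new branch also calls `getPeerCertificates()` three times where one local would do. I would hoist the certificate array, guard the current message, make the fallback explicit, and document that the subject DN returned here is trusted solely because the TLS engine's trust manager validated the chain, since nothing in this method checks the certificate itself. If `getSecurityContext()` is genuinely a different source than `messageContext.get(SecurityContext.class)`, keep that call but null-guard it rather than returning null; the rewrite below assumes they are the same view and needs `java.security.cert.Certificate` imported.
```java
    @Override
    protected Principal getPrincipal() {
        SecurityContext sc = (SecurityContext)messageContext.get(SecurityContext.class);
        if (sc != null && sc.getUserPrincipal() != null) {
            return sc.getUserPrincipal();
        }
        // No authenticated SecurityContext: fall back to the TLS client certificate.
        // The subject DN is trusted only because the TLS engine's trust manager has
        // already validated the chain; no further check is made on the cert here.
        TLSSessionInfo tlsInfo = null;
        if (PhaseInterceptorChain.getCurrentMessage() != null) {
            tlsInfo = (TLSSessionInfo)PhaseInterceptorChain.getCurrentMessage().get(TLSSessionInfo.class);
        }
        Certificate[] certs = tlsInfo == null ? null : tlsInfo.getPeerCertificates();
        if (certs != null && certs.length > 0 && certs[0] instanceof X509Certificate) {
            return ((X509Certificate)certs[0]).getSubjectX500Principal();
        }
        return null;
    }
```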

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
index 0668e39..7caf0f2 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
@@ -77,7 +77,7 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase {
         SpringBusFactory.setThreadDefaultBus(bus);
         
         String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
-        WebClient client = WebClient.create(address, "alice", "clarinet", busFile.toString());
+        WebClient client = WebClient.create(address, busFile.toString());
 
         client.type("application/xml").accept("application/xml");
         client.path("saml2.0");

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
deleted file mode 100644
index 08873cf..0000000
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.systest.sts.rest;
-
-import java.io.IOException;
-
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.core.Response;
-
-import org.apache.cxf.configuration.security.AuthorizationPolicy;
-import org.apache.cxf.jaxrs.utils.ExceptionUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.interceptor.WSS4JBasicAuthValidator;
-
-/**
- * Extends the WSS4J validator as a JAX-RS request filter
- */
-public class WSS4JBasicAuthFilter extends WSS4JBasicAuthValidator implements ContainerRequestFilter {
-
-    public void filter(ContainerRequestContext requestContext) throws IOException {
-        Message message = JAXRSUtils.getCurrentMessage();
-        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
-        
-        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
-            requestContext.abortWith(
-                Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
-        }
-
-        try {
-            super.validate(message);
-        } catch (Exception ex) {
-            throw ExceptionUtils.toInternalServerErrorException(ex, null);
-        }
-    }
-
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/logging.properties
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/logging.properties b/services/sts/systests/basic/src/test/resources/logging.properties
index 016ae26..f70123b 100644
--- a/services/sts/systests/basic/src/test/resources/logging.properties
+++ b/services/sts/systests/basic/src/test/resources/logging.properties
@@ -43,7 +43,7 @@
 # can be overridden by a facility specific level
 # Note that the ConsoleHandler also has a separate level
 # setting to limit messages printed to the console.
-.level= FINE
+.level= INFO
 
 ############################################################
 # Handler specific properties.
@@ -57,7 +57,7 @@ java.util.logging.FileHandler.count = 1
 java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
 
 # Limit the message that are printed on the console to WARNING and above.
-java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.level = INFO
 java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
 
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
index 892e5a5..f45b741 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
@@ -25,6 +25,9 @@
     </cxf:bus>
     <http:conduit name="https://localhost:.*">
         <http:tlsClientParameters disableCNCheck="true">
+            <sec:keyManagers keyPassword="ckpass">
+                <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+            </sec:keyManagers>
             <sec:trustManagers>
                 <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
             </sec:trustManagers>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
index 309f3f2..106bca4 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
@@ -105,11 +105,6 @@
 
     <bean id="jsonProvider" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider" />
     
-    <bean id="callbackHandler" class="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
-    <bean id="basicAuthFilter" class="org.apache.cxf.systest.sts.rest.WSS4JBasicAuthFilter">
-        <property name="callbackHandler" ref="callbackHandler"/>
-    </bean>
-   
     <jaxrs:server id="stsRESTService"
        depends-on="ClientAuthHttpsSettings" 
        address="https://localhost:${testutil.ports.STSRESTServer}/SecurityTokenService">
@@ -118,7 +113,6 @@
         </jaxrs:serviceBeans>
         <jaxrs:providers>
             <ref bean="jsonProvider" />
-            <ref bean="basicAuthFilter"/>
         </jaxrs:providers>
         <jaxrs:extensionMappings>
             <entry key="json" value="application/json;charset=UTF-8" />
@@ -135,7 +129,7 @@
                 <sec:trustManagers>
                     <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/>
                 </sec:trustManagers>
-                <sec:clientAuthentication want="false" required="false"/>
+                <sec:clientAuthentication want="true" required="true"/>
             </httpj:tlsServerParameters>
         </httpj:engine>
     </httpj:engine-factory>
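Review bot: With the basicAuthFilter removed from this server earlier in this file, the `required="true"` added here is the only authentication left on the REST STS endpoint, and per the getPrincipal change in this commit any certificate accepted by the trust manager on the line above will have its subject DN used as the requester's principal. That is acceptable for a systest, but this config is easy to copy, so I would add a comment above `<sec:clientAuthentication>` such as `<!-- Client-cert auth is the sole authentication on this endpoint: keep required="true" and restrict stsstore.jks to the CA(s)/certs that may request tokens -->`. If `required` were ever relaxed back to `false`, a client presenting no certificate would fall through to the getPrincipal fallback rather than being rejected at the TLS layer.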