Posted to commits@cxf.apache.org by co...@apache.org on 2015/03/06 19:44:26 UTC
cxf git commit: [CXF-6283] - Support binary attributes in the
LDAPClaimsHandler
Repository: cxf
Updated Branches:
refs/heads/master e4b2e746d -> 590313298
[CXF-6283] - Support binary attributes in the LDAPClaimsHandler
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/59031329
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/59031329
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/59031329
Branch: refs/heads/master
Commit: 590313298b7a4d79c80b130357c5036adb6102c2
Parents: e4b2e74
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Mar 6 18:43:48 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Mar 6 18:44:15 2015 +0000
----------------------------------------------------------------------
.../cxf/sts/claims/LdapClaimsHandler.java | 40 +++++++++-------
.../systest/kerberos/ldap/LDAPClaimsTest.java | 49 ++++++++++++++++++++
systests/kerberos/src/test/resources/ldap.ldif | 28 +++++++++++
.../kerberos/src/test/resources/ldap.properties | 3 +-
systests/kerberos/src/test/resources/ldap.xml | 1 +
5 files changed, 103 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/59031329/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
index f833798..4596cac 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
@@ -246,32 +246,38 @@ public class LdapClaimsHandler implements ClaimsHandler, RealmSupport {
NamingEnumeration<?> list = (NamingEnumeration<?>)attr.getAll();
while (list.hasMore()) {
Object obj = list.next();
- if (!(obj instanceof String)) {
+ if (obj instanceof String) {
+ String itemValue = (String)obj;
+ if (this.isX500FilterEnabled()) {
+ try {
+ X500Principal x500p = new X500Principal(itemValue);
+ itemValue = x500p.getName();
+ int index = itemValue.indexOf('=');
+ itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
+ } catch (Exception ex) {
+ //Ignore, not X500 compliant thus use the whole string as the value
+ }
+ }
+ claimValue.append(itemValue);
+ if (list.hasMore()) {
+ claimValue.append(this.getDelimiter());
+ }
+ } else if (obj instanceof byte[]) {
+ // Just store byte[]
+ c.addValue(obj);
+ } else {
LOG.warning("LDAP attribute '" + ldapAttribute
+ "' has got an unsupported value type");
break;
}
- String itemValue = (String)obj;
- if (this.isX500FilterEnabled()) {
- try {
- X500Principal x500p = new X500Principal(itemValue);
- itemValue = x500p.getName();
- int index = itemValue.indexOf('=');
- itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
- } catch (Exception ex) {
- //Ignore, not X500 compliant thus use the whole string as the value
- }
- }
- claimValue.append(itemValue);
- if (list.hasMore()) {
- claimValue.append(this.getDelimiter());
- }
}
} catch (NamingException ex) {
LOG.warning("Failed to read value of LDAP attribute '" + ldapAttribute + "'");
}
- c.addValue(claimValue.toString());
+ if (claimValue.length() > 0) {
+ c.addValue(claimValue.toString());
+ }
// c.setIssuer(issuer);
// c.setOriginalIssuer(originalIssuer);
// c.setNamespace(namespace);
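Review bot: The separator logic at `if (list.hasMore()) { claimValue.append(this.getDelimiter()); }` now leaves a trailing delimiter when a String value is followed by a byte[] (or an unsupported type), because with the new branches the next element no longer necessarily ends up in `claimValue`. Prepending the separator removes the lookahead entirely: replace the two appends with `if (claimValue.length() > 0) { claimValue.append(this.getDelimiter()); }` followed by `claimValue.append(itemValue);`, and drop the `list.hasMore()` block. Mixed-type multi-valued attributes are rare in LDAP, so this is an edge case, but the new `claimValue.length() > 0` guard before `c.addValue` suggests mixed or binary-only attributes are already expected here. The `// Just store byte[]` branch would also be clearer with a comment noting that JNDI only hands back a byte[] for attributes it already treats as binary (userCertificate and the other well-known ones) or that are listed in the `java.naming.ldap.attributes.binary` environment property; any other binary attribute arrives as a String and will not reach this branch. The enclosing method starts and ends outside the hunk.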
http://git-wip-us.apache.org/repos/asf/cxf/blob/59031329/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java
index 04347ee..a14e312 100644
--- a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java
+++ b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java
@@ -19,11 +19,14 @@
package org.apache.cxf.systest.kerberos.ldap;
+import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URI;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
@@ -319,7 +322,53 @@ public class LDAPClaimsTest extends AbstractLdapTestUnit {
);
}
}
+
+ @org.junit.Test
+ public void testRetrieveBinaryClaims() throws Exception {
+ LdapClaimsHandler claimsHandler = (LdapClaimsHandler)appContext.getBean("testClaimsHandler");
+
+ String user = props.getProperty("binaryClaimUser");
+ Assert.notNull(user, "Property 'binaryClaimUser' not configured");
+ ClaimCollection requestedClaims = createRequestClaimCollection();
+ // Ask for the (binary) cert as well
+ Claim claim = new Claim();
+ claim.setClaimType(URI.create("http://custom/x509"));
+ claim.setOptional(true);
+ requestedClaims.add(claim);
+
+ List<URI> expectedClaims = new ArrayList<URI>();
+ expectedClaims.add(ClaimTypes.FIRSTNAME);
+ expectedClaims.add(ClaimTypes.LASTNAME);
+ expectedClaims.add(ClaimTypes.EMAILADDRESS);
+ expectedClaims.add(URI.create("http://custom/x509"));
+
+ ClaimsParameters params = new ClaimsParameters();
+ params.setPrincipal(new CustomTokenPrincipal(user));
+ ProcessedClaimCollection retrievedClaims =
+ claimsHandler.retrieveClaimValues(requestedClaims, params);
+
+ Assert.isTrue(
+ retrievedClaims.size() == expectedClaims.size(),
+ "Retrieved number of claims [" + retrievedClaims.size()
+ + "] doesn't match with expected [" + expectedClaims.size() + "]"
+ );
+
+ boolean foundCert = false;
+ for (ProcessedClaim c : retrievedClaims) {
+ if (URI.create("http://custom/x509").equals(c.getClaimType())) {
+ foundCert = true;
+ Assert.isTrue(c.getValues().get(0) instanceof byte[]);
+ CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+ InputStream in = new ByteArrayInputStream((byte[])c.getValues().get(0));
+ X509Certificate cert = (X509Certificate)certFactory.generateCertificate(in);
+ Assert.isTrue(cert != null);
+ }
+ }
+
+ Assert.isTrue(foundCert);
+ }
+
private ClaimCollection createRequestClaimCollection() {
ClaimCollection claims = new ClaimCollection();
Claim claim = new Claim();
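Review bot: `Assert.isTrue(cert != null);` in testRetrieveBinaryClaims is vacuous, since `CertificateFactory.generateCertificate` throws on unparseable input rather than returning null, so the test only proves the bytes parse; asserting on something identifying, e.g. `Assert.isTrue(cert.getSubjectX500Principal() != null);` plus a comparison against the subject of the fixture certificate, would pin that the right attribute value was returned. It would also be worth asserting `c.getValues().size() == 1` before indexing `get(0)`, so a second or delimited value is caught rather than silently ignored. From its decoded validity field the fixture certificate in ldap.ldif appears to expire in April 2019, so adding a `cert.checkValidity()` call here would make the test time-dependent; a comment in the test saying the certificate is only parsed, not validated, would make that intent explicit. The enclosing class continues outside the hunk.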
http://git-wip-us.apache.org/repos/asf/cxf/blob/59031329/systests/kerberos/src/test/resources/ldap.ldif
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/ldap.ldif b/systests/kerberos/src/test/resources/ldap.ldif
index bdb6a83..0456f93 100644
--- a/systests/kerberos/src/test/resources/ldap.ldif
+++ b/systests/kerberos/src/test/resources/ldap.ldif
@@ -59,6 +59,34 @@ mail: alice@users.apache.org
givenname: alice2
userpassword: security
+# Other principal.
+dn: cn=dave,ou=users,dc=example,dc=com
+objectclass: top
+objectclass: person
+objectclass: inetOrgPerson
+objectclass: organizationalPerson
+cn: dave
+sn: smith
+uid: dave
+mail: dave@users.apache.org
+givenname: dave2
+userpassword: security
+userCertificate:: MIIDFjCCAn+gAwIBAgIJAI3hLAppEXfSMA0GCSqGSIb3DQEBBQU
+ AMGYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xDzANBgNVBAcTBk11bmljaDENMAsGA1
+ UEChMESG9tZTEVMBMGA1UECxMMQXBhY2hlIFdTUzRKMQ8wDQYDVQQDEwZXZXJuZXIwHhcNMDkwN
+ DI0MTAzMjQ2WhcNMTkwNDIyMTAzMjQ2WjBmMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmF5ZXJu
+ MQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhvbWUxFTATBgNVBAsTDEFwYWNoZSBXU1M0SjE
+ PMA0GA1UEAxMGV2VybmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWyYLtAg1XlEGC5d
+ Cc4SP1Rg4SbEVLWvXBIZrAIG1MqDpjDFM7WlOdMudqmVFn6+z+PMPfuQdTET7+udhDty4ukhycu
+ Akiv80lie+6tbfWddR9i3gZt0YMTq2PvXOpKiBAjD7umjbzbGnSbXAWKAYLQO5Nzcjc9eYVWxNu
+ rUqJvwIDAQABo4HLMIHIMB0GA1UdDgQWBBRWF+/2a4tZ/iMZaN54wOFNZ33QZjCBmAYDVR0jBIG
+ QMIGNgBRWF+/2a4tZ/iMZaN54wOFNZ33QZqFqpGgwZjELMAkGA1UEBhMCREUxDzANBgNVBAgTBk
+ JheWVybjEPMA0GA1UEBxMGTXVuaWNoMQ0wCwYDVQQKEwRIb21lMRUwEwYDVQQLEwxBcGFjaGUgV
+ 1NTNEoxDzANBgNVBAMTBldlcm5lcoIJAI3hLAppEXfSMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+ AQEFBQADgYEAYTuCjZSScbxzaWtItIL0Szh410aAisfB12MDWTGvxOL6YdqXtlwpA/miTK67KaE
+ Bnsb7PwnUGClKvGIoFYAtvgAyKclzsl4dl4pA8P2a4ofSKsdVKLyIIS7Vqgj0fmlc6lYJlhXIxU
+ Hz4tR1T97/ZU1uAr5KwXiEA7SYQzZkHZg=
+
dn: uid=admin,dc=example,dc=com
objectClass: top
objectClass: person
http://git-wip-us.apache.org/repos/asf/cxf/blob/59031329/systests/kerberos/src/test/resources/ldap.properties
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/ldap.properties b/systests/kerberos/src/test/resources/ldap.properties
index 7ca488b..36b29a4 100644
--- a/systests/kerberos/src/test/resources/ldap.properties
+++ b/systests/kerberos/src/test/resources/ldap.properties
@@ -18,4 +18,5 @@
#
claimUser=alice
-otherClaimUser=bob
\ No newline at end of file
+otherClaimUser=bob
+binaryClaimUser=dave
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/59031329/systests/kerberos/src/test/resources/ldap.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/ldap.xml b/systests/kerberos/src/test/resources/ldap.xml
index 6cf0396..11583e7 100644
--- a/systests/kerberos/src/test/resources/ldap.xml
+++ b/systests/kerberos/src/test/resources/ldap.xml
@@ -33,6 +33,7 @@
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="sn"/>
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="mail"/>
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" value="c"/>
+ <entry key="http://custom/x509" value="usercertificate"/>
</util:map>
<bean id="testClaimsHandler" class="org.apache.cxf.sts.claims.LdapClaimsHandler">
<property name="ldapTemplate" ref="ldapTemplate" />