Posted to java-dev@axis.apache.org by ru...@apache.org on 2006/07/21 18:21:06 UTC
svn commit: r424371 - in /webservices/axis2/trunk/java/modules:
integration/test/org/apache/rahas/ rahas/src/org/apache/rahas/
rahas/src/org/apache/rahas/impl/
Author: ruchithf
Date: Fri Jul 21 09:21:04 2006
New Revision: 424371
URL: http://svn.apache.org/viewvc?rev=424371&view=rev
Log:
- Added SAMLtoken issuer response to return a RequestSecurityTokenResponse collection in the case of the WS-SX version
- Refactored SAMLTokenIssuer to make it more generic - issuing bearer assertions and assertions with auth statements coming up
Modified:
webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasConstants.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
Modified: webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java?rev=424371&r1=424370&r2=424371&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java (original)
+++ webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java Fri Jul 21 09:21:04 2006
@@ -84,7 +84,9 @@
}
public void validateRsponse(OMElement resp) {
- OMElement rst = resp.getFirstChildWithName(new QName(RahasConstants.WST_NS_05_12, RahasConstants.REQUESTED_SECURITY_TOKEN_LN));
+ OMElement rstr = resp.getFirstChildWithName(new QName(RahasConstants.WST_NS_05_12, RahasConstants.REQUEST_SECURITY_TOKEN_RESPONSE_LN));
+ assertNotNull("RequestedSecurityToken missing", rstr);
+ OMElement rst = rstr.getFirstChildWithName(new QName(RahasConstants.WST_NS_05_12, RahasConstants.REQUESTED_SECURITY_TOKEN_LN));
assertNotNull("RequestedSecurityToken missing", rst);
OMElement elem = rst.getFirstChildWithName(new QName(XML.SAML_NS, "Assertion"));
assertNotNull("Missing SAML Assertoin", elem);
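Review bot: The assertion added for `rstr` reuses the message `"RequestedSecurityToken missing"`, so a failure of that check would be reported as the wrong element being absent. Use `assertNotNull("RequestSecurityTokenResponse missing", rstr);` so the message names the element that was actually looked up. validateRsponse continues past the end of the hunk.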
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasConstants.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasConstants.java?rev=424371&r1=424370&r2=424371&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasConstants.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/RahasConstants.java Fri Jul 21 09:21:04 2006
@@ -48,6 +48,7 @@
public final static String REQUESTED_ATTACHED_REFERENCE_LN = "RequestedAttachedReference";
public final static String REQUESTED_UNATTACHED_REFERENCE_LN = "RequestedUnattachedReference";
public final static String KEY_SIZE_LN = "KeySize";
+ public final static String KEY_TYPE_LN = "KeyType";
public final static String ENTROPY_LN = "Entropy";
public final static String APPLIES_TO_LN = "AppliesTo";
public final static String LIFETIME_LN = "Lifetime";
@@ -78,6 +79,11 @@
//Token types
public final static String TOK_TYPE_SCT = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct";
+
+ //Key types
+ public final static String KEY_TYPE_SYMM_KEY = WST_NS_05_02 + "/SymmetricKey";
+ public final static String KEY_TYPE_PUBLIC_KEY = WST_NS_05_02 + "/PublicKey";
+ public final static String KEY_TYPE_BEARER = WST_NS_05_02 + "/Bearer";
}
public class V_05_12 {
@@ -105,6 +111,11 @@
//Token types
public final static String TOK_TYPE_SCT = "http://schemas.xmlsoap.org/ws/2005/12/sc/sct";
+
+ //Key types
+ public final static String KEY_TYPE_SYMM_KEY = WST_NS_05_12 + "/SymmetricKey";
+ public final static String KEY_TYPE_PUBLIC_KEY = WST_NS_05_12 + "/PublicKey";
+ public final static String KEY_TYPE_BEARER = WST_NS_05_12 + "/Bearer";
}
//Token types
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java?rev=424371&r1=424370&r2=424371&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java Fri Jul 21 09:21:04 2006
@@ -62,6 +62,15 @@
RahasConstants.REQUEST_SECURITY_TOKEN_RESPONSE_LN,
RahasConstants.WST_PREFIX);
}
+
+ public static OMElement createRequestSecurityTokenResponseCollectionElement(
+ int version,
+ OMElement parent) throws TrustException {
+ String ns = getWSTNamespace(version);
+ return createOMElement(parent, ns,
+ RahasConstants.REQUEST_SECURITY_TOKEN_RESPONSE_COLLECTION_LN,
+ RahasConstants.WST_PREFIX);
+ }
public static OMElement createRequestedSecurityTokenElement(
int version, OMElement parent) throws TrustException {
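Review bot: createRequestSecurityTokenResponseCollectionElement is added without Javadoc, unlike findKeyType and findKeySize later in this commit; the same applies to createKeyTypeElement in the next hunk. A summary such as `/** Creates a wst:RequestSecurityTokenResponseCollection element under {@code parent} in the namespace of the given WS-Trust version. */` plus `@throws TrustException` (presumably propagated from getWSTNamespace for an unknown version) would match the file's existing style. REQUEST_SECURITY_TOKEN_RESPONSE_COLLECTION_LN is not introduced in the RahasConstants hunks of this commit, so I assume it already exists there.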
@@ -159,6 +168,14 @@
RahasConstants.WST_PREFIX);
}
+ public static OMElement createKeyTypeElement(
+ int version, OMElement parent) throws TrustException {
+ String ns = getWSTNamespace(version);
+ return createOMElement(parent, ns,
+ RahasConstants.KEY_TYPE_LN,
+ RahasConstants.WST_PREFIX);
+ }
+
public static OMElement createLifetimeElement(
int version, OMElement parent,
String created, String expires) throws TrustException {
@@ -209,6 +226,47 @@
return parent.getOMFactory().createOMElement(new QName(ns, ln, prefix),
parent);
}
+
+ /**
+ * Find the value of the KeyType element of the RST
+ * @param version WS-Trsut version
+ * @param rst RequestSecurityToken element
+ * @return The value of the KeyType element of the RST. If there's no
+ * KeyType element null will be returned.
+ * @throws TrustException
+ */
+ public static String findKeyType(OMElement rst) throws TrustException {
+ OMElement keyTypeElem = rst.getFirstChildWithName(new QName(rst.getNamespace().getName(), RahasConstants.KEY_TYPE_LN));
+ if(keyTypeElem != null) {
+ String text = keyTypeElem.getText();
+ if(text != null && !"".equals(text.trim())) {
+ return text.trim();
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Find the KeySize
+ * @param rst
+ * @return Value of KeySize if available, otherwise -1
+ * @throws TrustException
+ */
+ public static int findKeySize(OMElement rst) throws TrustException {
+ OMElement keySizeElem = rst.getFirstChildWithName(new QName(rst.getNamespace().getName(), RahasConstants.KEY_SIZE_LN));
+ if(keySizeElem != null) {
+ String text = keySizeElem.getText();
+ if(text != null && !"".equals(text.trim())) {
+ try {
+ return Integer.parseInt(text.trim());
+ } catch (NumberFormatException e) {
+ throw new TrustException(TrustException.BAD_REQUEST, e);
+ }
+ }
+ }
+ return -1;
+ }
+
public static String getWSTNamespace(int version) throws TrustException {
switch (version){
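Review bot: findKeySize returns whatever integer parses, so a request carrying a KeySize of 0, a negative value, or a value that is not a multiple of 8 is reported as valid and is later used by SAMLTokenIssuer as `new byte[keySize/8]`; a range check belongs here, rejecting non-positive values and non-multiples of 8 with the same BAD_REQUEST TrustException the parse failure already raises, and an upper bound would keep a client-supplied size from dictating the allocation. The Javadoc on findKeyType documents a `@param version` that the method does not take, and both methods declare `throws TrustException` although findKeyType never throws it. getWSTNamespace starts on the last line of this hunk and continues outside it.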
@@ -247,4 +305,5 @@
}
return storage;
}
+
}
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java?rev=424371&r1=424370&r2=424371&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java Fri Jul 21 09:21:04 2006
@@ -143,68 +143,65 @@
new String[] { this.configParamName });
}
}
-
- Crypto crypto = CryptoFactory.getInstance(config.cryptoPropFile,
- inMsgCtx.getAxisService().getClassLoader());
+
+ //Set the DOM impl to DOOM
+ DocumentBuilderFactoryImpl.setDOOMRequired(true);
+
SOAPEnvelope env = TrustUtil.createSOAPEnvelope(inMsgCtx.getEnvelope()
.getNamespace().getName());
- // Get the document
- Document doc = ((Element) env).getOwnerDocument();
-
- byte[] secret = null;
-
- Element encryptedKeyElem = null;
- try {
-
- //Get ApliesTo to figureout which service to issue the token for
- X509Certificate serviceCert = getServiceCert(request, config, crypto);
-
- //Ceate the encrypted key
- WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey();
-
- //Use thumbprint id
- encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
- //SEt the encryption cert
- encrKeyBuilder.setUseThisCert(serviceCert);
-
- //set keysize
- encrKeyBuilder.setKeySize(256);
-
- //Set key encryption algo
- encrKeyBuilder.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
-
- //Build
- encrKeyBuilder.prepare(doc, crypto);
-
- //Extract the base64 encoded secret value
- secret = encrKeyBuilder.getEphemeralKey();
-
- //Extract the Encryptedkey DOM element
- encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement();
- } catch (WSSecurityException e) {
- throw new TrustException(
- "errorInBuildingTheEncryptedKeyForPrincipal",
- new String[] { clientCert.getSubjectDN().getName()}, e);
- }
+ Crypto crypto = CryptoFactory.getInstance(config.cryptoPropFile,
+ inMsgCtx.getAxisService().getClassLoader());
//Creation and expiration times
Date creationTime = new Date();
Date expirationTime = new Date();
expirationTime.setTime(creationTime.getTime() + config.ttl);
- //Set the DOM impl to DOOM
- DocumentBuilderFactoryImpl.setDOOMRequired(true);
-
- SAMLAssertion assertion = this.createAssertion(doc, encryptedKeyElem,
- config, crypto, creationTime, expirationTime);
+ // Get the document
+ Document doc = ((Element) env).getOwnerDocument();
+
+ //Get the key size and create a new byte array of that size
+ int keySize = TrustUtil.findKeySize(request);
+
+ keySize = (keySize == -1) ? config.keySize : keySize;
+
+ byte[] secret = new byte[keySize/8];
+
+ /*
+ * Find the KeyType
+ * If the KeyType is SymmetricKey or PublicKey, issue a SAML HoK
+ * assertion.
+ * - In the case of the PublicKey, in coming security header
+ * MUST contain a certificate (maybe via signature)
+ *
+ * If the KeyType is Bearer then issue a Bearer assertion
+ *
+ * If the key type is missing we will issue a HoK asserstion
+ */
+
+ String keyType = TrustUtil.findKeyType(request);
+ ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+
+ SAMLAssertion assertion = createHoKAssertion(config, request, doc, crypto, creationTime, expirationTime, keyType, secret);
+ OMElement rstrElem = null;
int version = TrustUtil.getWSTVersion(request.getNamespace().getName());
- OMElement rstrElem = TrustUtil
+ if(RahasConstants.VERSION_05_02 == version) {
+ rstrElem = TrustUtil
.createRequestSecurityTokenResponseElement(version, env.getBody());
-
+ } else {
+ OMElement rstrcElem = TrustUtil
+ .createRequestSecurityTokenResponseCollectionElement(
+ version, env.getBody());
+
+ rstrElem = TrustUtil
+ .createRequestSecurityTokenResponseElement(version, rstrcElem);
+ }
+
TrustUtil.createtTokenTypeElement(version, rstrElem).setText(
RahasConstants.TOK_TYPE_SAML_10);
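Review bot: keyType is looked up and the block comment above it describes HoK versus Bearer dispatch, but the value is passed straight into createHoKAssertion and never inspected, so every request gets a holder-of-key assertion regardless of KeyType; since the log says bearer support is still to come, the comment should say so, e.g. replace the slash divider line with `// TODO: dispatch on keyType; only HoK assertions are issued for now`. The `secret` array is sized from the request via `keySize/8` before any validation, so a KeySize below 8 yields an empty key and a negative one throws NegativeArraySizeException here instead of a TrustException (findKeySize in TrustUtil is the natural place for that check). The enclosing method starts before and ends after this hunk.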
@@ -316,11 +313,54 @@
}
+ private SAMLAssertion createHoKAssertion(SAMLTokenIssuerConfig config,
+ OMElement request, Document doc, Crypto crypto, Date creationTime,
+ Date expirationTime, String keyType, byte[] secret)
+ throws TrustException {
+
+ Element encryptedKeyElem = null;
+ X509Certificate serviceCert = null;
+ try {
+
+ //Get ApliesTo to figureout which service to issue the token for
+ serviceCert = getServiceCert(request, config, crypto);
+
+ //Ceate the encrypted key
+ WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey();
+
+ //Use thumbprint id
+ encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
+
+ //SEt the encryption cert
+ encrKeyBuilder.setUseThisCert(serviceCert);
+
+ //set keysize
+ encrKeyBuilder.setKeySize(secret.length*8);
+
+ //Set key encryption algo
+ encrKeyBuilder.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
+
+ //Build
+ encrKeyBuilder.prepare(doc, crypto);
+
+ //Extract the base64 encoded secret value
+ System.arraycopy(encrKeyBuilder.getEphemeralKey(), 0, secret, 0, secret.length);
+
+ //Extract the Encryptedkey DOM element
+ encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement();
+ } catch (WSSecurityException e) {
+ throw new TrustException(
+ "errorInBuildingTheEncryptedKeyForPrincipal",
+ new String[] { serviceCert.getSubjectDN().getName()}, e);
+ }
+ return this.createAssertion(doc, encryptedKeyElem,
+ config, crypto, creationTime, expirationTime);
+ }
/**
* Create the SAML assertion with the secret held in an
* <code>xenc:EncryptedKey</code>
* @param doc
- * @param encryptedKeyElem
+ * @param keyInfoContent
* @param config
* @param crypto
* @param notBefore
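Review bot: The catch block in createHoKAssertion reads `serviceCert.getSubjectDN()`, but serviceCert is still null if the WSSecurityException came out of getServiceCert, which is presumably where an unresolvable AppliesTo is reported; the handler would then throw NullPointerException and lose the original cause. Guard it with `String principal = serviceCert == null ? "unknown service" : serviceCert.getSubjectDN().getName();` and pass `principal` in the String array. The keyType parameter is accepted by this method but unused.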
@@ -329,7 +369,7 @@
* @throws TrustException
*/
private SAMLAssertion createAssertion(Document doc,
- Element encryptedKeyElem,
+ Element keyInfoContent,
SAMLTokenIssuerConfig config,
Crypto crypto,
Date notBefore,
@@ -338,10 +378,10 @@
String[] confirmationMethods = new String[]{SAMLSubject.CONF_HOLDER_KEY};
Element keyInfoElem = doc.createElementNS(WSConstants.SIG_NS, "KeyInfo");
- ((OMElement)encryptedKeyElem).declareNamespace(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
- ((OMElement)encryptedKeyElem).declareNamespace(WSConstants.ENC_NS, WSConstants.ENC_PREFIX);
+ ((OMElement)keyInfoContent).declareNamespace(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
+ ((OMElement)keyInfoContent).declareNamespace(WSConstants.ENC_NS, WSConstants.ENC_PREFIX);
- keyInfoElem.appendChild(encryptedKeyElem);
+ keyInfoElem.appendChild(keyInfoContent);
SAMLSubject subject = new SAMLSubject(null,
Arrays.asList(confirmationMethods),
@@ -381,6 +421,9 @@
}
}
+
+
+
/*
* (non-Javadoc)
*
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java?rev=424371&r1=424370&r2=424371&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java Fri Jul 21 09:21:04 2006
@@ -76,6 +76,8 @@
public final static QName ADD_REQUESTED_ATTACHED_REF = new QName("addRequestedAttachedRef");
public final static QName ADD_REQUESTED_UNATTACHED_REF = new QName("addRequestedUnattachedRef");
+ public final static QName USE_SAML_ATTRIBUTE_STATEMENT = new QName("useSAMLAttributeStatement");
+
public final static QName ISSUER_NAME = new QName("issuerName");
protected String cryptoPropFile;