Posted to commits@cxf.apache.org by as...@apache.org on 2013/12/08 17:43:25 UTC
svn commit: r1549063 - in
/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts:
STSConstants.java operation/TokenIssueOperation.java
token/provider/DefaultSubjectProvider.java
Author: ashakirin
Date: Sun Dec 8 16:43:25 2013
New Revision: 1549063
URL: http://svn.apache.org/r1549063
Log:
Prepare the feature for [CXF-5443], STS Symmetric HOK: using server endpoint (AppliesTo) as certificate identifier to encrypt symmetric key
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java?rev=1549063&r1=1549062&r2=1549063&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java Sun Dec 8 16:43:25 2013
@@ -142,6 +142,14 @@ public final class STSConstants {
public static final String TOKEN_RENEWING_ALLOW_AFTER_EXPIRY =
"org.apache.cxf.sts.token.renewing.allow.after.expiry";
+ /**
+ * Constant to specify service endpoint as certificate alias for encryption.
+ * Constant is recognized by STS encryption alias is replaced with AppliesTo() address.
+ * This address will be used in WSS4J crypto to search service certificate
+ */
+ public static final String USE_ENDPOINT_AS_CERT_ALIAS =
+ "useEndpointAsCertAlias";
+
private STSConstants() {
// complete
}
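Review bot: The Javadoc on USE_ENDPOINT_AS_CERT_ALIAS is garbled ("Constant is recognized by STS encryption alias is replaced with AppliesTo() address") and never says where the value is expected to appear, which matters because it is a sentinel an operator puts into an existing configuration field rather than a property key like the constants above it. I would rewrite it as: `Sentinel value for the configured STS encryption name/alias: when the encryption name equals this value, the STS substitutes the wsa:Address of the request's AppliesTo element and looks the service certificate up by endpoint (CryptoType.TYPE.ENDPOINT) instead of by keystore alias.` It is also worth stating in the comment that the endpoint string comes from the client's RST, so the Crypto implementation backing the endpoint lookup must only ever return certificates from the STS's own configured store.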
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java?rev=1549063&r1=1549062&r2=1549063&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java Sun Dec 8 16:43:25 2013
@@ -34,6 +34,7 @@ import javax.xml.ws.handler.MessageConte
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.sts.QNameConstants;
+import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.claims.RequestClaimCollection;
import org.apache.cxf.sts.event.STSIssueFailureEvent;
import org.apache.cxf.sts.event.STSIssueSuccessEvent;
@@ -65,6 +66,7 @@ import org.apache.wss4j.common.ext.WSSec
import org.apache.wss4j.common.principal.SAMLTokenPrincipal;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
@@ -224,6 +226,7 @@ public class TokenIssueOperation extends
try {
KeyRequirements keyRequirements = requestParser.getKeyRequirements();
EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
+ mapEncryptionProperties(tokenRequirements, encryptionProperties);
RequestSecurityTokenResponseType response =
createResponse(
encryptionProperties, tokenResponse, tokenRequirements, keyRequirements, context
@@ -441,4 +444,15 @@ public class TokenIssueOperation extends
return binarySecret;
}
+ private void mapEncryptionProperties(TokenRequirements tokenRequirements,
+ EncryptionProperties encryptionProperties) {
+
+ if (STSConstants.USE_ENDPOINT_AS_CERT_ALIAS
+ .equals(encryptionProperties.getEncryptionName())
+ && (tokenRequirements.getAppliesTo() != null)) {
+ encryptionProperties.setEncryptionName(tokenRequirements.getAppliesTo()
+ .getTextContent());
+ encryptionProperties.setKeyIdentifierType(WSConstants.ENDPOINT_KEY_IDENTIFIER);
+ }
+ }
}
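Review bot: `tokenRequirements.getAppliesTo().getTextContent()` returns the concatenated text of every descendant of the wsp:AppliesTo element, so a pretty-printed request yields something like "\n    https://service/...\n  " and the endpoint lookup will not match the certificate's endpoint identifier; any other text-bearing child of AppliesTo would be folded in as well. Resolve the wsa:Address element explicitly (if the operation base class already extracts the AppliesTo address for the token provider, reusing that helper would be preferable) or, at minimum, `.getTextContent().trim()`. Since the address is client-supplied and selects which service certificate the proof key is encrypted to, a FINE-level log of the substituted endpoint (`LOG.fine("Using AppliesTo address as encryption certificate identifier: " + address);`) would help when a lookup fails or picks an unexpected certificate.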
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java?rev=1549063&r1=1549062&r2=1549063&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java Sun Dec 8 16:43:25 2013
@@ -124,7 +124,7 @@ public class DefaultSubjectProvider impl
if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
Crypto crypto = stsProperties.getEncryptionCrypto();
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+
EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
String encryptionName = encryptionProperties.getEncryptionName();
if (encryptionName == null) {
@@ -135,7 +135,18 @@ public class DefaultSubjectProvider impl
LOG.fine("No encryption Name is configured for Symmetric KeyType");
throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
}
- cryptoType.setAlias(encryptionName);
+
+ CryptoType cryptoType = null;
+
+ // Check using of service endpoint (AppliesTo) as certificate identifier
+ if (encryptionProperties.getKeyIdentifierType() == (WSConstants.ENDPOINT_KEY_IDENTIFIER)) {
+ cryptoType = new CryptoType(CryptoType.TYPE.ENDPOINT);
+ cryptoType.setEndpoint(encryptionProperties.getEncryptionName());
+ } else {
+ cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(encryptionName);
+ }
+
try {
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
if (certs == null || certs.length <= 0) {