Posted to commits@ws.apache.org by co...@apache.org on 2015/11/03 15:43:09 UTC
svn commit: r1712303 - in /webservices/wss4j/trunk: ws-security-common/
ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/
ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/
ws-security-stax/src/main/java/org/apache/wss4j/stax...
Author: coheigea
Date: Tue Nov 3 14:43:09 2015
New Revision: 1712303
URL: http://svn.apache.org/viewvc?rev=1712303&view=rev
Log:
Some kerberos refactoring
Removed:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosClientAction.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosServiceAction.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
Modified:
webservices/wss4j/trunk/ws-security-common/pom.xml
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosClientExceptionAction.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosServiceExceptionAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
Modified: webservices/wss4j/trunk/ws-security-common/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/pom.xml?rev=1712303&r1=1712302&r2=1712303&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/pom.xml (original)
+++ webservices/wss4j/trunk/ws-security-common/pom.xml Tue Nov 3 14:43:09 2015
@@ -145,17 +145,6 @@
<scope>compile</scope>
</dependency>
<dependency>
- <groupId>org.apache.directory.server</groupId>
- <artifactId>apacheds-kerberos-codec</artifactId>
- <optional>true</optional>
- <exclusions>
- <exclusion>
- <groupId>net.sf.ehcache</groupId>
- <artifactId>ehcache-core</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache</artifactId>
<scope>compile</scope>
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosClientExceptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosClientExceptionAction.java?rev=1712303&r1=1712302&r2=1712303&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosClientExceptionAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosClientExceptionAction.java Tue Nov 3 14:43:09 2015
@@ -39,11 +39,7 @@ import org.ietf.jgss.Oid;
* Key Distribution Center.
*/
public class KerberosClientExceptionAction implements PrivilegedExceptionAction<KerberosContext> {
- private static final String javaVersion = System.getProperty("java.version");
- private static final boolean isJava5Or6 = javaVersion.startsWith("1.5") || javaVersion.startsWith("1.6");
- private static final boolean isOracleJavaVendor = System.getProperty("java.vendor").startsWith("Oracle");
private static final boolean isIBMJavaVendor = System.getProperty("java.vendor").startsWith("IBM");
- private static final boolean isHPJavaVendor = System.getProperty("java.vendor").startsWith("Hewlett-Packard");
private static final String SUN_JGSS_INQUIRE_TYPE_CLASS = "com.sun.security.jgss.InquireType";
private static final String SUN_JGSS_EXT_GSSCTX_CLASS = "com.sun.security.jgss.ExtendedGSSContext";
@@ -117,28 +113,26 @@ public class KerberosClientExceptionActi
krbCtx.setGssContext(secContext);
krbCtx.setKerberosToken(returnedToken);
- if (!isJava5Or6 && (isOracleJavaVendor || isIBMJavaVendor || isHPJavaVendor)) {
- try {
- @SuppressWarnings("rawtypes")
- Class inquireType = Class.forName(isIBMJavaVendor ? IBM_JGSS_INQUIRE_TYPE_CLASS : SUN_JGSS_INQUIRE_TYPE_CLASS);
+ try {
+ @SuppressWarnings("rawtypes")
+ Class inquireType = Class.forName(isIBMJavaVendor ? IBM_JGSS_INQUIRE_TYPE_CLASS : SUN_JGSS_INQUIRE_TYPE_CLASS);
- @SuppressWarnings("rawtypes")
- Class extendedGSSContext = Class.forName(isIBMJavaVendor ? IBM_JGSS_EXT_GSSCTX_CLASS : SUN_JGSS_EXT_GSSCTX_CLASS);
+ @SuppressWarnings("rawtypes")
+ Class extendedGSSContext = Class.forName(isIBMJavaVendor ? IBM_JGSS_EXT_GSSCTX_CLASS : SUN_JGSS_EXT_GSSCTX_CLASS);
- @SuppressWarnings("unchecked")
- Method inquireSecContext = extendedGSSContext.getMethod("inquireSecContext", inquireType);
+ @SuppressWarnings("unchecked")
+ Method inquireSecContext = extendedGSSContext.getMethod("inquireSecContext", inquireType);
- @SuppressWarnings("unchecked")
- Key key = (Key) inquireSecContext.invoke(secContext, Enum.valueOf(inquireType, "KRB5_GET_SESSION_KEY"));
+ @SuppressWarnings("unchecked")
+ Key key = (Key) inquireSecContext.invoke(secContext, Enum.valueOf(inquireType, "KRB5_GET_SESSION_KEY"));
- krbCtx.setSecretKey(key);
- }
- catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException
- | InvocationTargetException e) {
- throw new WSSecurityException(
- ErrorCode.FAILURE, e, "kerberosServiceTicketError"
- );
- }
+ krbCtx.setSecretKey(key);
+ }
+ catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException
+ | InvocationTargetException e) {
+ throw new WSSecurityException(
+ ErrorCode.FAILURE, e, "kerberosServiceTicketError"
+ );
}
return krbCtx;
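Review bot: With the vendor/version gate removed, a ClassNotFoundException or NoSuchMethodException from the reflective lookup in the new try block (the `Class.forName` and `getMethod` calls) is now reported as `kerberosServiceTicketError`, although nothing is wrong with the ticket — the running JVM simply does not expose ExtendedGSSContext. Previously such JVMs left the secret key unset and the action still returned a usable context, so this is a behaviour change the log message does not mention. If the hard failure is intended (fail closed whenever the session key cannot be extracted), a comment above the try would make that explicit: `// No vendor gate: a JVM whose JGSS provider lacks ExtendedGSSContext now fails the action rather than returning a context without a session key.` Otherwise catch `ClassNotFoundException | NoSuchMethodException` separately and leave the key null with a debug log. The enclosing run() method begins before this hunk.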
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosServiceExceptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosServiceExceptionAction.java?rev=1712303&r1=1712302&r2=1712303&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosServiceExceptionAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosServiceExceptionAction.java Tue Nov 3 14:43:09 2015
@@ -37,11 +37,7 @@ import org.ietf.jgss.Oid;
public class KerberosServiceExceptionAction implements PrivilegedExceptionAction<KerberosServiceContext> {
- private static final String javaVersion = System.getProperty("java.version");
- private static final boolean isJava5Or6 = javaVersion.startsWith("1.5") || javaVersion.startsWith("1.6");
- private static final boolean isOracleJavaVendor = System.getProperty("java.vendor").startsWith("Oracle");
private static final boolean isIBMJavaVendor = System.getProperty("java.vendor").startsWith("IBM");
- private static final boolean isHPJavaVendor = System.getProperty("java.vendor").startsWith("Hewlett-Packard");
private static final String SUN_JGSS_INQUIRE_TYPE_CLASS = "com.sun.security.jgss.InquireType";
private static final String SUN_JGSS_EXT_GSSCTX_CLASS = "com.sun.security.jgss.ExtendedGSSContext";
@@ -109,29 +105,27 @@ public class KerberosServiceExceptionAct
krbServiceCtx.setGssContext(secContext);
krbServiceCtx.setKerberosToken(returnedToken);
- if (!isJava5Or6 && (isOracleJavaVendor || isIBMJavaVendor || isHPJavaVendor)) {
- try {
- @SuppressWarnings("rawtypes")
- Class inquireType = Class.forName(isIBMJavaVendor ? IBM_JGSS_INQUIRE_TYPE_CLASS : SUN_JGSS_INQUIRE_TYPE_CLASS);
-
- @SuppressWarnings("rawtypes")
- Class extendedGSSContext = Class.forName(isIBMJavaVendor ? IBM_JGSS_EXT_GSSCTX_CLASS : SUN_JGSS_EXT_GSSCTX_CLASS);
-
- @SuppressWarnings("unchecked")
- Method inquireSecContext = extendedGSSContext.getMethod(EXTENDED_JGSS_CONTEXT_INQUIRE_SEC_CONTEXT_METHOD_NAME, inquireType);
-
- @SuppressWarnings("unchecked")
- Key key = (Key) inquireSecContext.invoke(secContext, Enum.valueOf(inquireType, EXTENDED_JGSS_CONTEXT_INQUIRE_TYPE_KRB5_GET_SESSION_KEY));
-
- krbServiceCtx.setSessionKey(key);
- }
- catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException
- | InvocationTargetException e) {
- throw new WSSecurityException(
- ErrorCode.FAILURE, e, KERBEROS_TICKET_VALIDATION_ERROR_MSG_ID
- );
- }
- }
+ try {
+ @SuppressWarnings("rawtypes")
+ Class inquireType = Class.forName(isIBMJavaVendor ? IBM_JGSS_INQUIRE_TYPE_CLASS : SUN_JGSS_INQUIRE_TYPE_CLASS);
+
+ @SuppressWarnings("rawtypes")
+ Class extendedGSSContext = Class.forName(isIBMJavaVendor ? IBM_JGSS_EXT_GSSCTX_CLASS : SUN_JGSS_EXT_GSSCTX_CLASS);
+
+ @SuppressWarnings("unchecked")
+ Method inquireSecContext = extendedGSSContext.getMethod(EXTENDED_JGSS_CONTEXT_INQUIRE_SEC_CONTEXT_METHOD_NAME, inquireType);
+
+ @SuppressWarnings("unchecked")
+ Key key = (Key) inquireSecContext.invoke(secContext, Enum.valueOf(inquireType, EXTENDED_JGSS_CONTEXT_INQUIRE_TYPE_KRB5_GET_SESSION_KEY));
+
+ krbServiceCtx.setSessionKey(key);
+ }
+ catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException
+ | InvocationTargetException e) {
+ throw new WSSecurityException(
+ ErrorCode.FAILURE, e, KERBEROS_TICKET_VALIDATION_ERROR_MSG_ID
+ );
+ }
} finally {
if (null != secContext && !spnego) {
secContext.dispose();
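Review bot: The unconditional reflection in the new try block makes the KerberosTokenDecoder fallback unreachable on a JVM that lacks ExtendedGSSContext: ClassNotFoundException or NoSuchMethodException now aborts the action with `KERBEROS_TICKET_VALIDATION_ERROR_MSG_ID`, while the validator changed in this same commit only consults the configured decoder when the returned context has no session key. If the decoder is meant to remain a fallback, the two lookup exceptions should leave the session key unset (logged at debug if this class has a logger) and only IllegalAccessException | InvocationTargetException, which mean the inquiry itself failed, should raise the validation error; the rewritten catch clauses are sketched below. A short comment above the try, e.g. `// Session key extraction needs the vendor ExtendedGSSContext API; its absence is not a ticket error`, would document the distinction. The enclosing method and its try/finally begin before this hunk.
```java
// … unchanged: reflective ExtendedGSSContext lookup and inquireSecContext call …
    krbServiceCtx.setSessionKey(key);
} catch (ClassNotFoundException | NoSuchMethodException ignored) {
    // JVM does not expose ExtendedGSSContext: leave the session key unset so a
    // configured KerberosTokenDecoder can still supply it; this is not a ticket error
} catch (IllegalAccessException | InvocationTargetException e) {
    throw new WSSecurityException(
        ErrorCode.FAILURE, e, KERBEROS_TICKET_VALIDATION_ERROR_MSG_ID
    );
}
```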
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java?rev=1712303&r1=1712302&r2=1712303&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java Tue Nov 3 14:43:09 2015
@@ -35,7 +35,6 @@ import org.apache.wss4j.common.kerberos.
import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;
-import org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
@@ -224,12 +223,7 @@ public class KerberosTokenValidator impl
// Otherwise, try to extract the session key from the token if a KerberosTokenDecoder implementation is
// available
- if (null == credential.getSecretKey()) {
- KerberosTokenDecoder kerberosTokenDecoder = this.kerberosTokenDecoder;
- if (kerberosTokenDecoder == null) {
- kerberosTokenDecoder = new KerberosTokenDecoderImpl();
- }
-
+ if (null == credential.getSecretKey() && kerberosTokenDecoder != null) {
LOG.debug("KerberosTokenDecoder is set.Trying to obtain the session key from it.");
kerberosTokenDecoder.clear();
kerberosTokenDecoder.setToken(token);
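Review bot: With the default KerberosTokenDecoderImpl gone, the new condition silently does nothing when the credential has no secret key and no decoder is configured; nothing in the hunk records that the session key is unavailable, which makes any later signing or decryption failure that depends on it hard to diagnose. Consider an explicit branch after the if block (which closes outside this hunk), e.g. `} else if (null == credential.getSecretKey()) { LOG.debug("No session key from the GSS context and no KerberosTokenDecoder configured"); }`. The retained debug message is also missing a space after the period: `"KerberosTokenDecoder is set. Trying to obtain the session key from it."`. The enclosing validate method continues beyond this hunk.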
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java?rev=1712303&r1=1712302&r2=1712303&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java Tue Nov 3 14:43:09 2015
@@ -38,7 +38,6 @@ import org.apache.wss4j.common.kerberos.
import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;
-import org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
@@ -76,7 +75,7 @@ public class KerberosServiceSecurityToke
return WSSecurityTokenConstants.KerberosToken;
}
- protected KerberosTokenDecoder getTGT() throws WSSecurityException {
+ protected byte[] getTGTSessionKey() throws WSSecurityException {
try {
KerberosContextAndServiceNameCallback contextAndServiceNameCallback = new KerberosContextAndServiceNameCallback();
callbackHandler.handle(new Callback[]{contextAndServiceNameCallback});
@@ -112,7 +111,7 @@ public class KerberosServiceSecurityToke
service,
contextAndServiceNameCallback.isUsernameServiceNameForm(),
false);
- KerberosServiceContext krbServiceCtx= null;
+ KerberosServiceContext krbServiceCtx = null;
try {
krbServiceCtx = Subject.doAs(subject, action);
} catch (PrivilegedActionException e) {
@@ -128,25 +127,23 @@ public class KerberosServiceSecurityToke
this.principal = krbServiceCtx.getPrincipal();
- final Key sessionKey = krbServiceCtx.getSessionKey();
-
- if (null != sessionKey) {
- return new KerberosTokenDecoder() {
- public void setToken(byte[] token) {}
- public void setSubject(Subject subject) {}
- public byte[] getSessionKey() throws KerberosTokenDecoderException {
- return sessionKey.getEncoded();
- }
- public void clear() {}
- };
- } else {
- KerberosTokenDecoder kerberosTokenDecoder = new KerberosTokenDecoderImpl();
+ Key key = krbServiceCtx.getSessionKey();
+ if (key != null) {
+ return key.getEncoded();
+ }
+
+ if (kerberosTokenDecoder != null) {
+ kerberosTokenDecoder.clear();
kerberosTokenDecoder.setToken(binaryContent);
kerberosTokenDecoder.setSubject(subject);
- return kerberosTokenDecoder;
+ return kerberosTokenDecoder.getSessionKey();
}
+
+ return null;
} catch (LoginException | UnsupportedCallbackException | IOException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ } catch (KerberosTokenDecoderException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
}
}
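Review bot: getTGTSessionKey now returns null (the final `return null;`) when the GSS context yields no session key and no decoder is configured, but its caller in getSecretKey, visible in the next hunk, passes the result straight to `KeyUtils.prepareSecretKey(algorithmURI, sk)` with no null check, so the missing-key case would surface as whatever prepareSecretKey does with a null byte array rather than as a clear security error. Prefer failing closed here: replace `return null;` with a thrown WSSecurityException carrying `ErrorCode.INVALID_SECURITY_TOKEN`, or reject a null `sk` in getSecretKey before the key is prepared. The method also has no Javadoc; something like `/** Returns the raw session key of the service ticket: from the GSS context when the JVM exposes it, otherwise from the configured KerberosTokenDecoder. */` would state the contract, including whether a null return is ever legitimate. getTGTSessionKey begins before this hunk.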
@@ -159,16 +156,7 @@ public class KerberosServiceSecurityToke
return key;
}
- if (this.kerberosTokenDecoder == null) {
- this.kerberosTokenDecoder = getTGT();
- }
-
- byte[] sk;
- try {
- sk = this.kerberosTokenDecoder.getSessionKey();
- } catch (KerberosTokenDecoderException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
- }
+ byte[] sk = getTGTSessionKey();
key = KeyUtils.prepareSecretKey(algorithmURI, sk);
setSecretKey(algorithmURI, key);