Posted to java-commits@axis.apache.org by ve...@apache.org on 2017/02/06 10:16:47 UTC

svn commit: r1781863 [2/7] - in /axis/axis2/java/rampart/branches/RAMPART-389: ./ apidocs/ code-coverage/ etc/ modules/distribution/ modules/distribution/src/ modules/documentation/ modules/rampart-core/ modules/rampart-core/src/main/java/META-INF/ mod...

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java Mon Feb  6 10:16:45 2017
@@ -17,7 +17,10 @@
 package org.apache.rampart.builder;
 
 import org.apache.axiom.om.OMElement;
+import org.apache.axis2.addressing.AddressingConstants;
+import org.apache.axis2.addressing.AddressingHelper;
 import org.apache.axis2.client.Options;
+import org.apache.axis2.description.AxisEndpoint;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.rahas.EncryptedKeyToken;
@@ -28,6 +31,7 @@ import org.apache.rampart.RampartMessage
 import org.apache.rampart.policy.RampartPolicyData;
 import org.apache.rampart.policy.SupportingPolicyData;
 import org.apache.rampart.policy.model.RampartConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
 import org.apache.rampart.util.RampartUtil;
 import org.apache.ws.secpolicy.Constants;
 import org.apache.ws.secpolicy.SPConstants;
@@ -38,6 +42,7 @@ import org.apache.ws.secpolicy.model.Sup
 import org.apache.ws.secpolicy.model.Token;
 import org.apache.ws.secpolicy.model.UsernameToken;
 import org.apache.ws.secpolicy.model.X509Token;
+import org.apache.ws.security.NamePasswordCallbackHandler;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSEncryptionPart;
 import org.apache.ws.security.WSPasswordCallback;
@@ -53,6 +58,7 @@ import org.apache.ws.security.message.WS
 import org.apache.ws.security.message.WSSecSignatureConfirmation;
 import org.apache.ws.security.message.WSSecTimestamp;
 import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.token.KerberosSecurity;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.util.WSSecurityUtil;
 import org.w3c.dom.Document;
@@ -231,20 +237,6 @@ public abstract class BindingBuilder {
         }
     }
     
-    //Deprecated after 1.5 release
-    @Deprecated 
-    protected WSSecSignature getSignatureBuider(RampartMessageData rmd, 
-                                                Token token) throws RampartException {
-    	return getSignatureBuilder(rmd, token, null);
-    }
-
-    //Deprecated after 1.5 release
-    @Deprecated
-    protected WSSecSignature getSignatureBuider(RampartMessageData rmd, Token token,
-                                                String userCertAlias) throws RampartException {
-    	return getSignatureBuilder(rmd, token, userCertAlias);
-    }
-    
     protected WSSecSignature getSignatureBuilder(RampartMessageData rmd, 
                                                  Token token)throws RampartException {
         return getSignatureBuilder(rmd, token, null);
@@ -351,20 +343,18 @@ public abstract class BindingBuilder {
      * @param suppTokens
      * @throws RampartException
      */
-    protected HashMap handleSupportingTokens(RampartMessageData rmd, SupportingToken suppTokens)
+    protected HashMap<Token,Object> handleSupportingTokens(RampartMessageData rmd, SupportingToken suppTokens)
             throws RampartException {
         
         //Create the list to hold the tokens
         // TODO putting different types of objects. Need to figure out a way to add single types of objects
-        HashMap endSuppTokMap = new HashMap();
+        HashMap<Token,Object> endSuppTokMap = new HashMap<Token,Object>();
         
         if(suppTokens != null && suppTokens.getTokens() != null &&
                 suppTokens.getTokens().size() > 0) {
             log.debug("Processing supporting tokens");
 
-            ArrayList tokens = suppTokens.getTokens();
-            for (Object objectToken : tokens) {
-                Token token = (Token) objectToken;
+            for (Token token : suppTokens.getTokens()) {
                 org.apache.rahas.Token endSuppTok = null;
                 if (token instanceof IssuedToken && rmd.isInitiator()) {
                     String id = RampartUtil.getIssuedToken(rmd, (IssuedToken) token);
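Review bot: The signature on L72 now returns the concrete `HashMap<Token,Object>`, yet the Javadoc above it (L68–L70) still has an empty `@param suppTokens` and no `@return`, so a reader cannot tell what the map values are — the TODO on L76 admits several kinds of object are stored. Add `@return map from each supporting {@link Token} to the object built for it (the object type depends on the token kind)` and describe the parameter, and consider widening the return to `Map<Token,Object>` together with the matching parameter of doEndorsedSignatures. `suppTokens.getTokens()` is evaluated three times on L80–L81 and L87; one local would avoid the repeated calls. handleSupportingTokens continues outside the hunk.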
@@ -424,8 +414,10 @@ public abstract class BindingBuilder {
                     //Add the UT
                     Element elem = utBuilder.getUsernameTokenElement();
                     elem = RampartUtil.insertSiblingAfter(rmd, this.getInsertionLocation(), elem);
-
-                    encryptedTokensIdList.add(utBuilder.getId());
+                    
+                    if (suppTokens.isEncryptedToken()) {
+                    	encryptedTokensIdList.add(utBuilder.getId());
+                    }
 
                     //Move the insert location to the next element
                     this.setInsertionLocation(elem);
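Review bot: The guard added on L98 changes behaviour — the UsernameToken id is only queued in encryptedTokensIdList when `suppTokens.isEncryptedToken()` holds, presumably meaning the policy uses an encrypted supporting-token assertion — but nothing in the code says why; add `// queue the UT for encryption only when the policy asks for encrypted supporting tokens` above it so the next reader does not "fix" it back. L99 is indented with a tab while the surrounding lines use spaces. The enclosing method begins and ends outside the hunk.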
@@ -488,17 +480,13 @@ public abstract class BindingBuilder {
     }
     
     
-    protected List<byte[]> doEndorsedSignatures(RampartMessageData rmd, HashMap tokenMap) throws RampartException {
-        
-        Set tokenSet = tokenMap.keySet();
+    protected List<byte[]> doEndorsedSignatures(RampartMessageData rmd, HashMap<Token,Object> tokenMap) throws RampartException {
         
         List<byte[]> sigValues = new ArrayList<byte[]>();
 
-        for (Object aTokenSet : tokenSet) {
-
-            Token token = (Token) aTokenSet;
-
-            Object tempTok = tokenMap.get(token);
+        for (Map.Entry<Token,Object> entry : tokenMap.entrySet()) {
+            Token token = entry.getKey();
+            Object tempTok = entry.getValue();
 
             // Migrating to a list
             List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
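Review bot: The new `Map.Entry<Token,Object>` loop on L120 needs `java.util.Map` in scope, and none of this file's import hunks adds it — harmless if the file already imports it, otherwise the class no longer compiles, so this is worth checking. The parameter on L111 is the concrete `HashMap<Token,Object>`; `Map<Token,Object>` would decouple callers from the implementation type. doEndorsedSignatures continues outside the hunk.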
@@ -864,5 +852,95 @@ public abstract class BindingBuilder {
         }
     }
 
-    
+    protected KerberosSecurity addKerberosToken(RampartMessageData rmd, Token token)
+            throws RampartException {
+        RampartPolicyData rpd = rmd.getPolicyData();
+        KerberosConfig krbConfig = rpd.getRampartConfig().getKerberosConfig();
+
+        if (krbConfig == null) {
+            throw new RampartException("noKerberosConfigDefined");
+        }
+
+        log.debug("Token inclusion: " + token.getInclusion());
+
+        String user = krbConfig.getPrincipalName();
+        if (user == null) {
+            user = rpd.getRampartConfig().getUser();
+        }
+        
+        String password = krbConfig.getPrincipalPassword();
+        if (password == null) {
+            CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
+
+            if (handler != null) {
+                if (user == null) {
+                    log.debug("Password callback is configured but no user value is specified in the configuration");
+                    throw new RampartException("userMissing");
+                }
+                
+                //TODO We do not have a separate usage type for Kerberos token, let's use custom token
+                WSPasswordCallback[] cb = { new WSPasswordCallback(user, WSPasswordCallback.CUSTOM_TOKEN) };
+                try {
+                    handler.handle(cb);
+                    if (cb[0].getPassword() != null && !"".equals(cb[0].getPassword())) {
+                        password = cb[0].getPassword();
+                    }
+                } catch (IOException e) {
+                    throw new RampartException("errorInGettingPasswordForUser", new String[] { user }, e);
+                } catch (UnsupportedCallbackException e) {
+                    throw new RampartException("errorInGettingPasswordForUser", new String[] { user }, e);
+                }
+            }
+        }
+        
+        String principalName = null;
+        boolean isUsernameServiceNameForm = KerberosConfig.USERNAME_NAME_FORM.equals(krbConfig.getServicePrincipalNameForm());
+        
+        AxisEndpoint endpoint = rmd.getMsgContext().findEndpoint();
+        if (endpoint != null) {
+            if (log.isDebugEnabled()) {
+                log.debug("Identified endpoint: " + endpoint.getName() + ". Looking for SPN identity claim.");
+            }
+            
+            OMElement addressingIdentity = AddressingHelper.getAddressingIdentityParameterValue(endpoint);
+            if (addressingIdentity != null) {
+                OMElement spnClaim = addressingIdentity.getFirstChildWithName(AddressingConstants.QNAME_IDENTITY_SPN);
+                if (spnClaim != null) {
+                    principalName = spnClaim.getText();
+                    isUsernameServiceNameForm = false;
+                    if (log.isDebugEnabled()) {
+                        log.debug("Found SPN identity claim: " + principalName);
+                    }
+                }
+                else {
+                    OMElement upnClaim = addressingIdentity.getFirstChildWithName(AddressingConstants.QNAME_IDENTITY_UPN);
+                    if (upnClaim != null) {
+                        principalName = upnClaim.getText();
+                        isUsernameServiceNameForm = true;
+                        if (log.isDebugEnabled()) {
+                            log.debug("Found UPN identity claim: " + principalName);
+                        }
+                    } else if (log.isDebugEnabled()) {
+                        log.debug(String.format("Neither SPN nor UPN identity claim found in %s EPR element for endpoint %s.", addressingIdentity.getQName().toString(), endpoint.getName()));
+                    }
+                }
+            }
+        }
+        
+        if (principalName == null) {
+        	principalName = krbConfig.getServicePrincipalName();
+        }
+        
+        try {
+            KerberosSecurity bst = new KerberosSecurity(rmd.getDocument());
+            
+            NamePasswordCallbackHandler cb = new NamePasswordCallbackHandler(user, password);
+            bst.retrieveServiceTicket(krbConfig.getJaasContext(), cb, principalName, isUsernameServiceNameForm,
+                krbConfig.isRequstCredentialDelegation(), krbConfig.getDelegationCredential());
+            
+            return bst;
+        } catch (WSSecurityException e) {
+            throw new RampartException("errorInBuildingKereberosToken", e);
+        }
+    }
 }
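Review bot: addKerberosToken reaches `retrieveServiceTicket` on L214 even when no credentials were resolved — `password` stays null when the config has none and the callback handler is absent or returns an empty value (L147–L170), and `user` is likewise still null when no handler is configured, because the userMissing check on L152 only runs inside the `handler != null` branch. If a null user/password is intentional (a JAAS context backed by a keytab or ticket cache, presumably), say so at the `NamePasswordCallbackHandler` construction on L213, e.g. `// user/password may be null: the JAAS context may authenticate from a keytab or ticket cache instead`; otherwise fail early with a RampartException as the userMissing branch does, rather than letting the JAAS login report a less specific error. The method is a new protected API without Javadoc; a header should state that it builds a KerberosSecurity token for the service principal taken from the endpoint's SPN/UPN identity claim, falling back to KerberosConfig, and list `@throws RampartException` for the missing-config, missing-user, callback and WSSecurityException cases. The `log.debug` on L140 is the only debug call in the method not guarded by `isDebugEnabled()`, and L207 is indented with a tab.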

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java Mon Feb  6 10:16:45 2017
@@ -32,6 +32,7 @@ import org.apache.ws.secpolicy.SPConstan
 import org.apache.ws.secpolicy.model.AlgorithmSuite;
 import org.apache.ws.secpolicy.model.Header;
 import org.apache.ws.secpolicy.model.IssuedToken;
+import org.apache.ws.secpolicy.model.KerberosToken;
 import org.apache.ws.secpolicy.model.SecureConversationToken;
 import org.apache.ws.secpolicy.model.SignedEncryptedParts;
 import org.apache.ws.secpolicy.model.SupportingToken;
@@ -44,10 +45,16 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.conversation.ConversationException;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.message.*;
+import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.ws.security.util.Base64;
+import org.apache.ws.security.util.WSSecurityUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
+import javax.crypto.SecretKey;
 import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignatureMethod;
+
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
@@ -138,6 +145,8 @@ public class TransportBindingBuilder ext
                     } else if (token instanceof SecureConversationToken) {
                         handleSecureConversationTokens(rmd, (SecureConversationToken) token);
                         signatureValues.add(doSecureConversationSignature(rmd, token, signdParts));
+                    } else if (token instanceof KerberosToken) {
+                        signatureValues.add(doKerberosTokenSignature(rmd, (KerberosToken)token, signdParts));
                     }
                 }
             }
@@ -292,6 +301,77 @@ public class TransportBindingBuilder ext
         
     }
 
+    /**
+     * Generates a signature over the timestamp element (if any) using the Kerberos client/server session key.
+     * 
+     * @param rmd
+     * @param token
+     * @param signdParts 
+     */
+    private byte[] doKerberosTokenSignature(RampartMessageData rmd, KerberosToken token, SignedEncryptedParts signdParts) throws RampartException {
+        
+        Document doc = rmd.getDocument();
+        
+        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
+        
+        //TODO Shall we always include a timestamp?
+        if (this.timestampElement != null) {
+            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
+        }
+        
+        if (signdParts != null) {
+            if (signdParts.isBody()) {
+                SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
+                sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
+            }
+    
+            ArrayList headers = signdParts.getHeaders();
+            for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
+                Header header = (Header) iterator.next();
+                WSEncryptionPart wep = new WSEncryptionPart(header.getName(), 
+                        header.getNamespace(),
+                        "Content");
+                sigParts.add(wep);
+            }
+        }
+
+        try {
+            KerberosSecurity kerberosBst = addKerberosToken(rmd, token);
+            kerberosBst.setID("Id-" + kerberosBst.hashCode());
+            
+            WSSecSignature sign = new WSSecSignature();
+            sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+            
+            if (token.isRequiresKeyIdentifierReference()) {
+                sign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+               
+                byte[] digestBytes = WSSecurityUtil.generateDigest(kerberosBst.getToken());
+                sign.setCustomTokenId(Base64.encode(digestBytes));
+                sign.setCustomTokenValueType(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+            } else {
+                sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+                
+                sign.setCustomTokenId(kerberosBst.getID());
+                sign.setCustomTokenValueType(kerberosBst.getValueType());
+            }
+            
+            SecretKey secretKey = kerberosBst.getSecretKey();
+            sign.setSecretKey(secretKey.getEncoded());
+            
+            sign.prepare(doc, null, rmd.getSecHeader());
+            
+            WSSecurityUtil.prependChildElement(rmd.getSecHeader().getSecurityHeader(), kerberosBst.getElement());
+            
+            List<Reference> referenceList = sign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+            sign.computeSignature(referenceList, false, null);
+
+            return sign.getSignatureValue();
+        } catch (WSSecurityException e) {
+            throw new RampartException("errorInSignatureWithKerberosToken", e);
+        }
+    }
+    
     private void appendToHeader(WSSecHeader secHeader, Element appendingChild) {
 
         // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
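Review bot: The signature algorithm is fixed to `SignatureMethod.HMAC_SHA1` on L306 regardless of the policy's AlgorithmSuite (the type is already imported in this file on L230), so a policy that mandates a stronger suite is silently ignored for Kerberos-signed messages; the symmetric signature algorithm should be read from `rmd.getPolicyData().getAlgorithmSuite()` as the other signature paths in this class presumably do (they are outside the hunk). The element id on L303 is built from `hashCode()`, which is not unique and can collide with another wsu:Id in the same header; use the same id allocation the rest of the builder uses for security tokens. The raw `ArrayList headers` / `Iterator` loop on L291–L293 contradicts the generics cleanup this same commit makes in RampartPolicyBuilder and SupportingPolicyData; `for (Header header : signdParts.getHeaders()) {` reads better. The Javadoc on L267–L273 should fill in the `@param` entries and add `@return the raw signature value` and `@throws RampartException`.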

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java Mon Feb  6 10:16:45 2017
@@ -30,7 +30,6 @@ import org.apache.neethi.Policy;
 import org.apache.neethi.PolicyEngine;
 import org.apache.rampart.RampartMessageData;
 import org.apache.rampart.policy.RampartPolicyData;
-import org.apache.rampart.util.HandlerParameterDecoder;
 import org.apache.rampart.util.RampartUtil;
 import org.apache.ws.secpolicy.model.Binding;
 import org.apache.ws.secpolicy.model.SupportingToken;
@@ -122,13 +121,13 @@ public class PostDispatchVerificationHan
             return InvocationResponse.CONTINUE;
         }
         
-        Iterator alternatives = policy.getAlternatives();
+        Iterator<List<Assertion>> alternatives = policy.getAlternatives();
         
         boolean securityPolicyPresent = false;
         if(alternatives.hasNext()) {
-            List assertions = (List)alternatives.next();
-            for (Iterator iterator = assertions.iterator(); iterator.hasNext();) {
-                Assertion assertion = (Assertion) iterator.next();
+            List<Assertion> assertions = alternatives.next();
+            for (Iterator<Assertion> iterator = assertions.iterator(); iterator.hasNext();) {
+                Assertion assertion = iterator.next();
                 //Check for any *Binding assertion
                 if (assertion instanceof Binding) {
                     securityPolicyPresent = true;
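Review bot: The explicit `Iterator<Assertion>` loop on L368–L369 is a point of style: now that the cast is gone, `for (Assertion assertion : assertions) {` says the same in one line and matches the for-each form this commit introduces in SupportingPolicyData and BindingBuilder. The same iterator pattern is reworked in RampartPolicyBuilder on L402–L403 and in its process* methods on L411–L471. The enclosing method begins and ends outside the hunk.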

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyBuilder.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyBuilder.java Mon Feb  6 10:16:45 2017
@@ -36,7 +36,6 @@ import org.apache.ws.secpolicy.model.Sig
 import org.apache.ws.secpolicy.model.SupportingToken;
 import org.apache.ws.secpolicy.model.SymmetricAsymmetricBindingBase;
 import org.apache.ws.secpolicy.model.SymmetricBinding;
-import org.apache.ws.secpolicy.model.TokenWrapper;
 import org.apache.ws.secpolicy.model.TransportBinding;
 import org.apache.ws.secpolicy.model.TransportToken;
 import org.apache.ws.secpolicy.model.Trust10;
@@ -65,15 +64,15 @@ public class RampartPolicyBuilder {
      * 
      * @param topLevelAssertions
      *            The iterator of the top level policy assertions
-     * @return The compile Poilcy data block.
+     * @return The compile Policy data block.
      * @throws WSSPolicyException
      */
-    public static RampartPolicyData build(List topLevelAssertions)
+    public static RampartPolicyData build(List<Assertion> topLevelAssertions)
             throws WSSPolicyException {
         
         RampartPolicyData rpd = new RampartPolicyData();
         
-        for (Iterator iter = topLevelAssertions.iterator(); iter.hasNext();) {
+        for (Iterator<Assertion> iter = topLevelAssertions.iterator(); iter.hasNext();) {
             Assertion assertion = (Assertion) iter.next();
             if (assertion instanceof Binding) {
 
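Review bot: With `Iterator<Assertion>` on L402 the `(Assertion)` cast on L403 is redundant and should go, as this commit already does for the equivalent loops on L415, L420 and L438; `for (Assertion assertion : topLevelAssertions) {` would remove the iterator altogether. build continues outside the hunk.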
@@ -228,14 +227,14 @@ public class RampartPolicyBuilder {
      */
     private static void processSignedEncryptedElements(
             SignedEncryptedElements see, RampartPolicyData rpd) {
-        Iterator it = see.getXPathExpressions().iterator();
+        Iterator<String> it = see.getXPathExpressions().iterator();
         if (see.isSignedElemets()) {
             while (it.hasNext()) {
-                rpd.setSignedElements((String) it.next());
+                rpd.setSignedElements(it.next());
             }
         } else {
             while (it.hasNext()) {
-                rpd.setEncryptedElements((String) it.next());
+                rpd.setEncryptedElements(it.next());
             }
         }
         rpd.addDeclaredNamespaces(see.getDeclaredNamespaces());
@@ -251,7 +250,7 @@ public class RampartPolicyBuilder {
      */
     private static void processSignedEncryptedParts(SignedEncryptedParts sep,
             RampartPolicyData rpd) {
-        Iterator it = sep.getHeaders().iterator();
+        Iterator<Header> it = sep.getHeaders().iterator();
         if (sep.isSignedParts()) {
             rpd.setSignBody(sep.isBody());
             rpd.setSignAttachments(sep.isAttachments());
@@ -259,7 +258,7 @@ public class RampartPolicyBuilder {
            	rpd.setSignBodyOptional(sep.isOptional());
            	rpd.setSignAttachmentsOptional(sep.isOptional());
             while (it.hasNext()) {
-                Header header = (Header) it.next();
+                Header header = it.next();
                 rpd.addSignedPart(header.getNamespace(), header.getName());
             }
         } else {
@@ -268,7 +267,7 @@ public class RampartPolicyBuilder {
             rpd.setEncryptBodyOptional(sep.isOptional());
            	rpd.setEncryptAttachmentsOptional(sep.isOptional());
             while (it.hasNext()) {
-                Header header = (Header) it.next();
+                Header header = it.next();
                 rpd.setEncryptedParts(header.getNamespace(), header.getName(),"Header");
             }
         }
@@ -277,9 +276,9 @@ public class RampartPolicyBuilder {
     private static void processContentEncryptedElements(ContentEncryptedElements cee,
             RampartPolicyData rpd) {
         
-        Iterator it = cee.getXPathExpressions().iterator();     
+        Iterator<String> it = cee.getXPathExpressions().iterator();     
         while (it.hasNext()) {
-            rpd.setContentEncryptedElements((String) it.next());
+            rpd.setContentEncryptedElements(it.next());
         }
         rpd.addDeclaredNamespaces(cee.getDeclaredNamespaces());
     }
@@ -287,9 +286,9 @@ public class RampartPolicyBuilder {
     private static void processRequiredElements(RequiredElements req,
             RampartPolicyData rpd) {
         
-        Iterator it = req.getXPathExpressions().iterator();     
+        Iterator<String> it = req.getXPathExpressions().iterator();     
         while (it.hasNext()) {
-            rpd.setRequiredElements((String) it.next());
+            rpd.setRequiredElements(it.next());
         }
         rpd.addDeclaredNamespaces(req.getDeclaredNamespaces());
     }
@@ -363,14 +362,14 @@ public class RampartPolicyBuilder {
      */
     private static void asymmetricBinding(AsymmetricBinding binding,
             RampartPolicyData rpd) throws WSSPolicyException {
-        TokenWrapper tokWrapper = binding.getRecipientToken();
-        TokenWrapper tokWrapper1 = binding.getInitiatorToken();
-        if (tokWrapper == null || tokWrapper1 == null) {
+    	RecipientToken rt = binding.getRecipientToken();
+    	InitiatorToken it = binding.getInitiatorToken();
+        if (rt == null || it == null) {
             throw new WSSPolicyException("Asymmetric binding should have both Initiator and " +
             		                                                "Recipient tokens defined");
         }
-        rpd.setRecipientToken(((RecipientToken) tokWrapper).getReceipientToken());
-        rpd.setInitiatorToken(((InitiatorToken) tokWrapper1).getInitiatorToken());
+        rpd.setRecipientToken(rt.getReceipientToken());
+        rpd.setInitiatorToken(it.getInitiatorToken());
     }
 
     private static void processSupportingTokens(SupportingToken token,
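Review bot: The new locals on L482–L483 are indented with tabs while the rest of the method uses spaces, and naming the InitiatorToken `it` collides with the `Iterator<…> it` convention used throughout this file (L411, L429, L456, L468), which misreads at a glance. `RecipientToken recipientToken = binding.getRecipientToken();` and `InitiatorToken initiatorToken = binding.getInitiatorToken();` with space indentation fix both.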

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyData.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyData.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyData.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyData.java Mon Feb  6 10:16:45 2017
@@ -35,7 +35,6 @@ import org.apache.ws.security.WSEncrypti
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
-import java.util.Vector;
 
 public class RampartPolicyData {
 
@@ -126,8 +125,7 @@ public class RampartPolicyData {
     
     private List<String> contentEncryptedElements = new ArrayList<String>();
 
-    //TODO make this strongly type attribute
-    private HashMap declaredNamespaces = new HashMap();
+    private HashMap<String, String> declaredNamespaces = new HashMap<String, String>();
 
     /*
      * Holds the supporting tokens elements
@@ -528,11 +526,11 @@ public class RampartPolicyData {
         return signedParts;
     }
     
-    public HashMap getDeclaredNamespaces() {
+    public HashMap<String, String> getDeclaredNamespaces() {
         return declaredNamespaces;
     }
     
-    public void addDeclaredNamespaces(HashMap namespaces) {
+    public void addDeclaredNamespaces(HashMap<String, String> namespaces) {
         declaredNamespaces.putAll(namespaces);
     }
 
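Review bot: `getDeclaredNamespaces()` on L524 gains a typed signature but still hands out the live internal map, so any caller can mutate policy state after it has been built; if no caller relies on mutating it, return `Collections.unmodifiableMap(declaredNamespaces)` and declare the return type as `Map<String, String>` (likewise widen the parameter on L529 to `Map<String, String>`, which is backward-compatible). Both would need `java.util.Map` and `java.util.Collections` imports if the file does not already have them — the import hunk above shows only ArrayList, HashMap and List.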
@@ -900,7 +898,7 @@ public class RampartPolicyData {
             
         case SPConstants.SUPPORTING_TOKEN_SIGNED_ENDORSING:
             if(this.signedEndorsingSupportingTokensIdMap == null) {
-                this.signedEndorsingSupportingTokensIdMap = new HashMap();
+                this.signedEndorsingSupportingTokensIdMap = new HashMap<Token,String>();
             }
             return null;
 

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/SupportingPolicyData.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/SupportingPolicyData.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/SupportingPolicyData.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/SupportingPolicyData.java Mon Feb  6 10:16:45 2017
@@ -1,53 +1,62 @@
-package org.apache.rampart.policy;
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
 
-import java.util.Iterator;
+package org.apache.rampart.policy;
 
 import org.apache.ws.secpolicy.model.Header;
 import org.apache.ws.secpolicy.model.SupportingToken;
 
 public class SupportingPolicyData extends RampartPolicyData {
 
-	public void build(SupportingToken token) {
+    public void build(SupportingToken token) {
 
-		if (token.getSignedParts() != null && !token.getSignedParts().isOptional()) {
-			Iterator it = token.getSignedParts().getHeaders().iterator();
-			this.setSignBody(token.getSignedParts().isBody());
-			while (it.hasNext()) {
-				Header header = (Header) it.next();
-				this.addSignedPart(header.getNamespace(), header.getName());
-			}
-		}
-
-		if (token.getEncryptedParts() != null && !token.getEncryptedParts().isOptional()) {
-			Iterator it = token.getEncryptedParts().getHeaders().iterator();
-			this.setEncryptBody(token.getEncryptedParts().isBody());
-			while (it.hasNext()) {
-				Header header = (Header) it.next();
-				this.setEncryptedParts(header.getNamespace(), header.getName(),
-						"Header");
-			}
-		}
-
-		if (token.getSignedElements() != null && !token.getSignedElements().isOptional()) {
-			Iterator it = token.getSignedElements().getXPathExpressions()
-					.iterator();
-			while (it.hasNext()) {
-				this.setSignedElements((String) it.next());
-			}
-			this.addDeclaredNamespaces(token.getSignedElements()
-					.getDeclaredNamespaces());
-		}
-
-		if (token.getEncryptedElements() != null && !token.getEncryptedElements().isOptional()) {
-			Iterator it = token.getEncryptedElements().getXPathExpressions()
-					.iterator();
-			while (it.hasNext()) {
-				this.setEncryptedElements((String) it.next());
-			}
-			if (token.getSignedElements() == null) {
-				this.addDeclaredNamespaces(token.getEncryptedElements()
-						.getDeclaredNamespaces());
-			}
-		}
-	}
+        if (token.getSignedParts() != null && !token.getSignedParts().isOptional()) {
+            this.setSignBody(token.getSignedParts().isBody());
+            for (Header header : token.getSignedParts().getHeaders()) {
+                this.addSignedPart(header.getNamespace(), header.getName());
+            }
+        }
+
+        if (token.getEncryptedParts() != null && !token.getEncryptedParts().isOptional()) {
+            this.setEncryptBody(token.getEncryptedParts().isBody());
+            for (Header header : token.getEncryptedParts().getHeaders()) {
+                this.setEncryptedParts(header.getNamespace(), header.getName(),
+                        "Header");
+            }
+        }
+
+        if (token.getSignedElements() != null && !token.getSignedElements().isOptional()) {
+            for (String xpath : token.getSignedElements().getXPathExpressions()) {
+                this.setSignedElements(xpath);
+            }
+            this.addDeclaredNamespaces(token.getSignedElements()
+                    .getDeclaredNamespaces());
+        }
+
+        if (token.getEncryptedElements() != null && !token.getEncryptedElements().isOptional()) {
+            for (String xpath : token.getEncryptedElements().getXPathExpressions()) {
+                this.setEncryptedElements(xpath);
+            }
+            if (token.getSignedElements() == null) {
+                this.addDeclaredNamespaces(token.getEncryptedElements()
+                        .getDeclaredNamespaces());
+            }
+        }
+    }
 }
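Review bot: build re-evaluates `token.getSignedParts()`, `token.getEncryptedParts()`, `token.getSignedElements()` and `token.getEncryptedElements()` three or four times each on L621–L652; binding each once to a local (e.g. `SignedEncryptedParts signedParts = token.getSignedParts();`, which needs an import) would shorten the conditions and make the null checks read as guards. The condition on L648, which adds the encrypted elements' namespaces only when there are no signed elements, is carried over unchanged but is not obvious; a one-line why-comment there (presumably the signed-elements branch on L640 has already added the shared namespaces in that case) would help. `build` is public and has no Javadoc.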

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java Mon Feb  6 10:16:45 2017
@@ -22,6 +22,7 @@ import org.apache.neethi.Assertion;
 import org.apache.neethi.AssertionBuilderFactory;
 import org.apache.neethi.builders.AssertionBuilder;
 import org.apache.rampart.policy.model.CryptoConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
 import org.apache.rampart.policy.model.OptimizePartsConfig;
 import org.apache.rampart.policy.model.RampartConfig;
 import org.apache.rampart.policy.model.SSLConfig;
@@ -88,6 +89,16 @@ public class RampartConfigBuilder implem
             
         }
         
+        childElement = element.getFirstChildWithName(new QName(
+                RampartConfig.NS, RampartConfig.KERBEROS_CONFIG));
+        if (childElement != null) {                             
+            KerberosConfig kerberosConfig = (KerberosConfig)new KerberosConfigBuilder().
+                                      build(childElement, 
+                                      factory);
+            rampartConfig.setKerberosConfig(kerberosConfig);
+            
+        }
+        
         childElement = element.getFirstChildWithName(new QName(
                 RampartConfig.NS, RampartConfig.SIG_CRYPTO_LN));
         if (childElement != null) {
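Review bot: The new kerberosConfig branch is written in a different shape from the sibling blocks around it: the builder call is split over three lines with trailing whitespace, and the `if` body ends with an empty line. Collapse it to `KerberosConfig kerberosConfig = (KerberosConfig) new KerberosConfigBuilder().build(childElement, factory);` followed directly by `rampartConfig.setKerberosConfig(kerberosConfig);`, matching the SIG_CRYPTO_LN block that follows. `KerberosConfigBuilder` is referenced without an import, which presumably means it lives in this package; the enclosing build method starts and ends outside the hunk.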

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java Mon Feb  6 10:16:45 2017
@@ -114,6 +114,8 @@ public class RampartConfig implements As
 
     public final static String SSL_CONFIG = "sslConfig";
     
+    public final static String KERBEROS_CONFIG = "kerberosConfig";
+    
     private String user;
     
     private String userCertAlias;
@@ -150,7 +152,17 @@ public class RampartConfig implements As
     private String nonceLifeTime = Integer.toString(DEFAULT_NONCE_LIFE_TIME);
     
     private SSLConfig sslConfig;
+    
+    private KerberosConfig kerberosConfig;
+    
+    public KerberosConfig getKerberosConfig() {
+        return kerberosConfig;
+    }
 
+    public void setKerberosConfig(KerberosConfig kerberosConfig) {
+        this.kerberosConfig = kerberosConfig;
+    }
+    
     /*To set timeStampStrict in WSSConfig through rampartConfig - default value is false*/
     private boolean timeStampStrict = false;
     
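Review bot: The `getKerberosConfig`/`setKerberosConfig` pair is inserted between the private field declarations (`sslConfig` above, `timeStampStrict` below) rather than with the class's other accessors, and neither the field nor the accessors carry Javadoc. Move the pair down next to the remaining getters and setters, and document the field with `/** Kerberos-specific Rampart configuration; {@code null} when the policy has no kerberosConfig element. */`, which matches the null check the serialize hunk below performs before writing the element.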
@@ -392,6 +404,12 @@ public class RampartConfig implements As
             writer.writeEndElement();
         }
         
+        if (kerberosConfig != null) {
+            writer.writeStartElement(NS, KERBEROS_CONFIG);
+            kerberosConfig.serialize(writer);
+            writer.writeEndElement();
+        }
+        
         writer.writeEndElement();
 
     }

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java Mon Feb  6 10:16:45 2017
@@ -20,19 +20,14 @@ import org.apache.axiom.om.OMAbstractFac
 import org.apache.axiom.om.OMAttribute;
 import org.apache.axiom.om.OMElement;
 import org.apache.axiom.om.OMFactory;
-import org.apache.axiom.om.OMMetaFactory;
 import org.apache.axiom.om.OMNamespace;
 import org.apache.axiom.om.OMNode;
 import org.apache.axiom.om.OMXMLBuilderFactory;
-import org.apache.axiom.om.impl.builder.StAXOMBuilder;
-import org.apache.axiom.soap.SOAP11Constants;
-import org.apache.axiom.soap.SOAP12Constants;
+import org.apache.axiom.om.OMXMLParserWrapper;
 import org.apache.axiom.soap.SOAPEnvelope;
-import org.apache.axiom.soap.SOAPFactory;
 import org.apache.axiom.soap.SOAPHeader;
 import org.apache.axiom.soap.SOAPHeaderBlock;
 import org.apache.axiom.soap.SOAPModelBuilder;
-import org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder;
 import org.apache.rampart.handler.WSSHandlerConstants;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.xml.security.utils.XMLUtils;
@@ -144,21 +139,9 @@ public class Axis2Util {
                     }
                 }
 
-                // Check the namespace and find SOAP version and factory
-                String nsURI = null;
-                OMMetaFactory metaFactory = OMAbstractFactory.getMetaFactory(OMAbstractFactory.FEATURE_DOM);
-                SOAPFactory factory;
-                if (env.getNamespace().getNamespaceURI().equals(
-                        SOAP11Constants.SOAP_ENVELOPE_NAMESPACE_URI)) {
-                    nsURI = SOAP11Constants.SOAP_ENVELOPE_NAMESPACE_URI;
-                    factory = metaFactory.getSOAP11Factory();
-                } else {
-                    nsURI = SOAP12Constants.SOAP_ENVELOPE_NAMESPACE_URI;
-                    factory = metaFactory.getSOAP12Factory();
-                }
-
-                StAXSOAPModelBuilder stAXSOAPModelBuilder = new StAXSOAPModelBuilder(
-                        env.getXMLStreamReader(), factory, nsURI);
+                SOAPModelBuilder stAXSOAPModelBuilder = OMXMLBuilderFactory.createStAXSOAPModelBuilder(
+                        OMAbstractFactory.getMetaFactory(OMAbstractFactory.FEATURE_DOM),
+                        env.getXMLStreamReader());
                 SOAPEnvelope envelope = (stAXSOAPModelBuilder)
                         .getSOAPEnvelope();
                 envelope.getParent().build();
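Review bot: The local is still named `stAXSOAPModelBuilder` although it now holds the `SOAPModelBuilder` interface, and the parenthesised `(stAXSOAPModelBuilder).getSOAPEnvelope()` on the context line no longer needs the parentheses; `SOAPModelBuilder builder = OMXMLBuilderFactory.createStAXSOAPModelBuilder(` … `);` and `SOAPEnvelope envelope = builder.getSOAPEnvelope();` read cleaner. The removed block also took away the only comment explaining that the SOAP version was being selected from the envelope namespace; since that decision now happens inside the Axiom factory, a one-liner such as `// Axiom picks the SOAP 1.1/1.2 factory from the envelope namespace itself` would keep that knowledge in the file. The enclosing method starts and ends outside the hunk.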
@@ -337,7 +320,7 @@ public class Axis2Util {
      * @return
      */
     public static OMElement toDOOM(OMFactory factory, OMElement element){
-        StAXOMBuilder builder = new StAXOMBuilder(factory, element.getXMLStreamReader());
+        OMXMLParserWrapper builder = OMXMLBuilderFactory.createStAXOMBuilder(factory, element.getXMLStreamReader());
         OMElement elem = builder.getDocumentElement();
         elem.build();
         return elem;

Modified: axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?rev=1781863&r1=1781862&r2=1781863&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-389/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java Mon Feb  6 10:16:45 2017
@@ -29,6 +29,7 @@ import org.apache.axis2.client.Options;
 import org.apache.axis2.context.MessageContext;
 import org.apache.axis2.dataretrieval.DRConstants;
 import org.apache.axis2.dataretrieval.client.MexClient;
+import org.apache.axis2.description.AxisService;
 import org.apache.axis2.description.Parameter;
 import org.apache.axis2.mex.MexConstants;
 import org.apache.axis2.mex.MexException;
@@ -55,6 +56,7 @@ import org.apache.rampart.RampartMessage
 import org.apache.rampart.policy.RampartPolicyData;
 import org.apache.rampart.policy.SupportingPolicyData;
 import org.apache.rampart.policy.model.CryptoConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
 import org.apache.rampart.policy.model.RampartConfig;
 import org.apache.ws.secpolicy.SPConstants;
 import org.apache.ws.secpolicy.model.*;
@@ -75,6 +77,7 @@ import org.apache.ws.security.message.WS
 import org.apache.ws.security.message.WSSecEncryptedKey;
 import org.apache.ws.security.util.Loader;
 import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.validate.KerberosTokenDecoder;
 import org.apache.xml.security.utils.Constants;
 import org.jaxen.JaxenException;
 import org.jaxen.XPath;
@@ -165,6 +168,64 @@ public class RampartUtil {
         return cbHandler;
     }
     
+    /**
+     * Instantiates any Kerberos token decoder implementation configured via {@link KerberosConfig#setKerberosTokenDecoderClass(String)}
+     * using the {@link AxisService#getClassLoader() class loader} of the specified message context's {@link MessageContext#getAxisService() service}.
+     * 
+     * @param msgContext The current message context. Must not be null and must contain a valid service instance.
+     * @param kerberosConfig Rampart's Kerberos configuration.
+     * 
+     * @return A new instance of {@link KerberosTokenDecoder} implementation configured via {@link KerberosConfig#setKerberosTokenDecoderClass(String)} or <code>null</code>
+     * if no Kerberos token decoder is configured.
+     * @throws RampartException If the class cannot be loaded or instantiated.
+     */
+    public static KerberosTokenDecoder getKerberosTokenDecoder(MessageContext msgContext, KerberosConfig kerberosConfig) throws RampartException {
+        if (kerberosConfig == null) {
+            throw new IllegalArgumentException("Kerberos config must not be null");
+        }
+        else if (msgContext == null) {
+            throw new IllegalArgumentException("Message context must not be null");
+        }
+        
+        AxisService service = msgContext.getAxisService();
+        if (service == null) {
+            throw new IllegalArgumentException("No service available in message context: " + msgContext.getLogIDString());
+        }
+        
+        KerberosTokenDecoder kerberosTokenDecoder;
+        
+        String kerberosTokenDecoderClass = kerberosConfig.getKerberosTokenDecoderClass();
+        if (kerberosTokenDecoderClass == null) {
+            if (log.isDebugEnabled()) {
+                log.debug("No Kerberos token decoder class configured for service: " + service.getName());
+            }
+            return null;
+        }
+
+        if (log.isDebugEnabled()) {
+            log.debug(String.format("Loading Kerberos token decoder class '%s' using class loader of service '%s'", kerberosTokenDecoderClass, service.getName()));
+        }
+        
+        ClassLoader classLoader = service.getClassLoader();
+        Class krbTokenDecoderClass;
+        try {
+            krbTokenDecoderClass = Loader.loadClass(classLoader, kerberosTokenDecoderClass);
+        } 
+        catch (ClassNotFoundException e) {
+            throw new RampartException("cannotLoadKrbTokenDecoderClass", 
+                    new String[] { kerberosTokenDecoderClass }, e);
+        }
+        
+        try {
+            kerberosTokenDecoder = (KerberosTokenDecoder) krbTokenDecoderClass.newInstance();
+        } catch (java.lang.Exception e) {
+            throw new RampartException("cannotCreateKrbTokenDecoderInstance",
+                    new String[] { kerberosTokenDecoderClass }, e);
+        }
+
+        return kerberosTokenDecoder;
+    }
+    
    /**
     * Returns an instance of PolicyValidatorCallbackHandler to be used to validate ws-security results.
     * 
@@ -1472,7 +1533,12 @@ public class RampartUtil {
                 String encrKeyId = (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
                 if (actInt == WSConstants.ENCR &&
                         encrKeyId != null) {
-                    return encrKeyId;
+                    if (encrKeyId.length() > 0) {
+                        return encrKeyId;
+                    }
+                    else if (log.isDebugEnabled()) {
+                        log.debug("Found encryption security processing result with empty id, skipping it: " + wsSecEngineResult);
+                    }
                 }
             }
         }
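Review bot: `encrKeyId.length() > 0` is clearer as `!encrKeyId.isEmpty()`, and placing `log.isDebugEnabled()` in the `else if` condition makes the branch structure depend on the log level; write it as a plain `else` with the debug guard inside. The debug message also concatenates the whole `wsSecEngineResult`, which serialises every entry of the result map; logging just the action and the empty id is enough to diagnose the skipped result. The enclosing method starts and ends outside the hunk.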
@@ -1924,4 +1990,58 @@ public class RampartUtil {
         QName value = code.getValueAsQName();
         return value == null ? false : value.getNamespaceURI().equals(WSConstants.WSSE_NS);
     }
+    
+    /**
+     * @param rpd Rampart policy data instance. Must not be null.
+     * @return A collection of all {@link UsernameToken} supporting token assertions in the specified Rampart policy instance. The method will check the following lists:
+     * <ul>
+     *     <li>{@link RampartPolicyData#getSupportingTokensList()}</li>
+     *     <li>{@link RampartPolicyData#getSignedSupportingTokens()}</li>
+     *     <li>{@link RampartPolicyData#getSignedEndorsingSupportingTokens()}</li>
+     *     <li>{@link RampartPolicyData#getEndorsingSupportingTokens()}</li>
+     *     <li>{@link RampartPolicyData#getEncryptedSupportingTokens()}</li>
+     *     <li>{@link RampartPolicyData#getSignedEncryptedSupportingTokens()}</li>
+     *     <li>{@link RampartPolicyData#getEndorsingEncryptedSupportingTokens()}</li>
+     *     <li>{@link RampartPolicyData#getSignedEndorsingEncryptedSupportingTokens()}</li>
+     * </ul>
+     */
+    public static Collection<UsernameToken> getUsernameTokens(RampartPolicyData rpd) {
+        Collection<UsernameToken> usernameTokens = new ArrayList<UsernameToken>();
+        
+        List<SupportingToken> supportingToks = rpd.getSupportingTokensList();
+        for (SupportingToken suppTok : supportingToks) {
+            usernameTokens.addAll(getUsernameTokens(suppTok));
+        }
+        
+        usernameTokens.addAll(getUsernameTokens(rpd.getSignedSupportingTokens()));
+        usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingSupportingTokens()));
+        usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingSupportingTokens()));
+        usernameTokens.addAll(getUsernameTokens(rpd.getEncryptedSupportingTokens()));
+        usernameTokens.addAll(getUsernameTokens(rpd.getSignedEncryptedSupportingTokens()));
+        usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingEncryptedSupportingTokens()));
+        usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingEncryptedSupportingTokens()));
+
+        return usernameTokens;
+    }
+    
+    /**
+     * @param suppTok The {@link SupportingToken} assertion to check for username tokens.
+     * @return A collection of all tokens in the specified <code>suppTok</code> SupportingToken assertion which are instances of {@link UsernameToken}.
+     * If the specified  <code>suppTok</code> SupportingToken assertion is <code>null</code>, an empty collection will be returned.
+     */
+    public static Collection<UsernameToken> getUsernameTokens(SupportingToken suppTok) {
+        
+        if (suppTok == null) {
+            return new ArrayList<UsernameToken>();
+        }
+        
+        Collection<UsernameToken> usernameTokens = new ArrayList<UsernameToken>();
+        for (org.apache.ws.secpolicy.model.Token token : suppTok.getTokens()) {
+            if (token instanceof UsernameToken) {
+                usernameTokens.add((UsernameToken)token);
+            }
+        }
+        
+        return usernameTokens;
+    }
 }
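Review bot: Both new Javadoc blocks open directly with `@param`, so neither has a summary sentence; start them with e.g. `Collects every {@link UsernameToken} assertion from all supporting-token lists of the given policy data.` and `Filters the tokens of one supporting-token assertion down to {@link UsernameToken} instances.` The `RampartPolicyData` overload iterates `rpd.getSupportingTokensList()` without a null check while the single-token overload documents and handles a `null` argument; if that list can be `null`, guard it the same way, otherwise note in the Javadoc that it is never `null`. Minor: `new ArrayList<UsernameToken>()` is created twice in the second method where a single instance declared before the null check would do.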