Posted to java-dev@axis.apache.org by ru...@apache.org on 2006/07/31 13:44:39 UTC
svn commit: r427078 - in /webservices/axis2/trunk/java/modules:
integration/test/org/apache/rahas/RahasSAMLTokenCertForHoKTest.java
rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java webapp/project.xml
Author: ruchithf
Date: Mon Jul 31 04:44:38 2006
New Revision: 427078
URL: http://svn.apache.org/viewvc?rev=427078&view=rev
Log:
- Updated the SAMLTokenIssuer to issue a SAMLToken (HoK) with an AuthStatement containing the requester's cert, by authenticating the requester with a signature.
- Added a testcase to test the above case
- Fixed AXIS2-848
Added:
webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenCertForHoKTest.java
Modified:
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
webservices/axis2/trunk/java/modules/webapp/project.xml
Added: webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenCertForHoKTest.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenCertForHoKTest.java?rev=427078&view=auto
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenCertForHoKTest.java (added)
+++ webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenCertForHoKTest.java Mon Jul 31 04:44:38 2006
@@ -0,0 +1,109 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rahas;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axiom.om.impl.builder.StAXOMBuilder;
+import org.apache.axis2.databinding.types.URI;
+import org.apache.axis2.security.sc.PWCallback;
+import org.apache.axis2.util.StreamWrapper;
+import org.apache.rahas.types.RequestSecurityTokenType;
+import org.apache.rampart.handler.config.InflowConfiguration;
+import org.apache.rampart.handler.config.OutflowConfiguration;
+import org.apache.rampart.util.Axis2Util;
+import org.opensaml.XML;
+
+import javax.xml.namespace.QName;
+
+
+public class RahasSAMLTokenCertForHoKTest extends TestClient {
+
+ public RahasSAMLTokenCertForHoKTest(String name) {
+ super(name);
+ }
+
+ public OutflowConfiguration getClientOutflowConfiguration() {
+ OutflowConfiguration ofc = new OutflowConfiguration();
+
+ ofc.setActionItems("Timestamp Signature");
+ ofc.setUser("alice");
+ ofc.setSignaturePropFile("rahas-sec.properties");
+ ofc.setPasswordCallbackClass(PWCallback.class.getName());
+ return ofc;
+ }
+
+ public InflowConfiguration getClientInflowConfiguration() {
+ InflowConfiguration ifc = new InflowConfiguration();
+
+ ifc.setActionItems("Timestamp Signature");
+ ifc.setPasswordCallbackClass(PWCallback.class.getName());
+ ifc.setSignaturePropFile("rahas-sec.properties");
+
+ return ifc;
+ }
+
+ public String getServiceRepo() {
+ return "rahas_service_repo_1";
+ }
+
+ public OMElement getRequest() {
+
+ RequestSecurityTokenType rst = new RequestSecurityTokenType();
+ try {
+ rst.setRequestType(new URI(RahasConstants.V_05_02.REQ_TYPE_ISSUE));
+ rst.setTokenType(new URI(RahasConstants.TOK_TYPE_SAML_10));
+ rst.setContext(new URI("http://get.optional.attrs.working"));
+
+ Axis2Util.useDOOM(false);
+ StAXOMBuilder builder = new StAXOMBuilder(new StreamWrapper(rst
+ .getPullParser(new QName(RahasConstants.WST_NS_05_02,
+ RahasConstants.REQUEST_SECURITY_TOKEN_LN))));
+
+ OMElement rstElem = builder.getDocumentElement();
+
+ rstElem.build();
+
+ //KeySize
+ TrustUtil.createKeySizeElement(RahasConstants.VERSION_05_02, rstElem, 256);
+
+ //KeyType
+ TrustUtil.createKeyTypeElement(RahasConstants.VERSION_05_02, rstElem, RahasConstants.KEY_TYPE_PUBLIC_KEY);
+
+ TrustUtil.createAppliesToElement(rstElem, "http://localhost:5555/axis2/services/SecureService");
+
+ rstElem = (OMElement)rstElem.detach();
+ return rstElem;
+
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ public void validateRsponse(OMElement resp) {
+ OMElement rst = resp.getFirstChildWithName(new QName(RahasConstants.WST_NS_05_02, RahasConstants.REQUESTED_SECURITY_TOKEN_LN));
+ assertNotNull("RequestedSecurityToken missing", rst);
+ OMElement elem = rst.getFirstChildWithName(new QName(XML.SAML_NS, "Assertion"));
+ assertNotNull("Missing SAML Assertoin", elem);
+ }
+
+
+ public String getRequestAction() {
+ return RahasConstants.V_05_02.RST_ACTON_ISSUE;
+ }
+
+
+}
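Review bot: validateRsponse asserts only that some saml:Assertion is present in the RequestedSecurityToken, so it would pass equally for a bearer or symmetric-key token and does not exercise the holder-of-key-with-certificate case this test is named for. It should additionally walk into the Assertion's AuthenticationStatement/Subject/SubjectConfirmation, assert the ConfirmationMethod is the holder-of-key URI, and assert a ds:KeyInfo carrying an X509Certificate child is present. The message on the final assertion has a typo: `assertNotNull("Missing SAML Assertion", elem);`. The method name `validateRsponse` is presumably dictated by the TestClient base class and would have to be renamed there first.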
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java?rev=427078&r1=427077&r2=427078&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java Mon Jul 31 04:44:38 2006
@@ -51,9 +51,12 @@
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
+import org.w3c.dom.Text;
import javax.xml.namespace.QName;
+
import java.security.Principal;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.util.Arrays;
@@ -193,9 +196,9 @@
}
if(keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) ||
- keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
+ keyType.endsWith(RahasConstants.KEY_TYPE_PUBLIC_KEY)) {
assertion = createHoKAssertion(config, request, doc, crypto,
- creationTime, expirationTime, keyType, secret, principal);
+ creationTime, expirationTime, keyType, secret, principal, clientCert);
} else if(keyType.endsWith(RahasConstants.KEY_TYPE_BEARER)) {
assertion = createBearerAssertion(config, request, doc, crypto, creationTime, expirationTime, principal);
} else {
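Review bot: The public-key branch now hands clientCert to createHoKAssertion, but nothing in this hunk establishes that clientCert is non-null when keyType ends with KEY_TYPE_PUBLIC_KEY; if the request was not signed, the new cert path dereferences it and the requester sees a NullPointerException instead of a TrustException. Add a guard ahead of the call, e.g. `if (keyType.endsWith(RahasConstants.KEY_TYPE_PUBLIC_KEY) && clientCert == null) { throw new TrustException("<message-key>", new String[]{keyType}); }`, so an unauthenticated requester is rejected explicitly rather than by accident. The enclosing method, where clientCert is obtained, starts outside the hunk, so I cannot tell whether it is already rejected there.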
@@ -282,16 +285,6 @@
}
- /**
- * @param config
- * @param request
- * @param doc
- * @param crypto
- * @param creationTime
- * @param expirationTime
- * @param principal
- * @return
- */
private SAMLAssertion createBearerAssertion(SAMLTokenIssuerConfig config,
OMElement request, Document doc, Crypto crypto, Date creationTime,
Date expirationTime, Principal principal) throws TrustException {
@@ -302,7 +295,7 @@
//TODO: Find the email address
String subjectNameId = "rcuhtihf@apache.org";
SAMLNameIdentifier nameId = new SAMLNameIdentifier(subjectNameId, null, SAMLNameIdentifier.FORMAT_EMAIL);
- return createAuthAssertion(SAMLSubject.CONF_BEARER, nameId, config, crypto, creationTime, expirationTime);
+ return createAuthAssertion(doc, SAMLSubject.CONF_BEARER, nameId, null, config, crypto, creationTime, expirationTime);
} else {
throw new TrustException("samlUnsupportedPrincipal", new String[]{principal.getClass().getName()});
}
@@ -313,46 +306,73 @@
private SAMLAssertion createHoKAssertion(SAMLTokenIssuerConfig config,
OMElement request, Document doc, Crypto crypto, Date creationTime,
- Date expirationTime, String keyType, byte[] secret, Principal principal)
+ Date expirationTime, String keyType, byte[] secret,
+ Principal principal, X509Certificate clientCert)
throws TrustException {
- Element encryptedKeyElem = null;
- X509Certificate serviceCert = null;
- try {
-
- //Get ApliesTo to figureout which service to issue the token for
- serviceCert = getServiceCert(request, config, crypto);
-
- //Ceate the encrypted key
- WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey();
+
+ if(keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
+ Element encryptedKeyElem = null;
+ X509Certificate serviceCert = null;
+ try {
+
+ //Get ApliesTo to figureout which service to issue the token for
+ serviceCert = getServiceCert(request, config, crypto);
- //Use thumbprint id
- encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
-
- //SEt the encryption cert
- encrKeyBuilder.setUseThisCert(serviceCert);
-
- //set keysize
- encrKeyBuilder.setKeySize(secret.length*8);
-
- //Set key encryption algo
- encrKeyBuilder.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
-
- //Build
- encrKeyBuilder.prepare(doc, crypto);
-
- //Extract the base64 encoded secret value
- System.arraycopy(encrKeyBuilder.getEphemeralKey(), 0, secret, 0, secret.length);
-
- //Extract the Encryptedkey DOM element
- encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement();
- } catch (WSSecurityException e) {
- throw new TrustException(
- "errorInBuildingTheEncryptedKeyForPrincipal",
- new String[] { serviceCert.getSubjectDN().getName()}, e);
+ //Ceate the encrypted key
+ WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey();
+
+ //Use thumbprint id
+ encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
+
+ //SEt the encryption cert
+ encrKeyBuilder.setUseThisCert(serviceCert);
+
+ //set keysize
+ encrKeyBuilder.setKeySize(secret.length*8);
+
+ //Set key encryption algo
+ encrKeyBuilder.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
+
+ //Build
+ encrKeyBuilder.prepare(doc, crypto);
+
+ //Extract the base64 encoded secret value
+ System.arraycopy(encrKeyBuilder.getEphemeralKey(), 0, secret, 0, secret.length);
+
+ //Extract the Encryptedkey DOM element
+ encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement();
+ } catch (WSSecurityException e) {
+ throw new TrustException(
+ "errorInBuildingTheEncryptedKeyForPrincipal",
+ new String[] { serviceCert.getSubjectDN().getName()}, e);
+ }
+ return this.createAttributeAssertion(doc, encryptedKeyElem,
+ config, crypto, creationTime, expirationTime);
+ } else {
+ try {
+ String subjectNameId = principal.getName();
+ SAMLNameIdentifier nameId = new SAMLNameIdentifier(subjectNameId, null, SAMLNameIdentifier.FORMAT_EMAIL);
+
+ //Create the ds:KeyValue element with the ds:X509Data
+ byte[] clientCertBytes = clientCert.getEncoded();
+ String base64Cert = Base64.encode(clientCertBytes);
+
+ Text base64CertText = doc.createTextNode(base64Cert);
+ Element x509CertElem = doc.createElementNS(WSConstants.SIG_NS, "X509Certificate");
+ x509CertElem.appendChild(base64CertText);
+ Element x509DataElem = doc.createElementNS(WSConstants.SIG_NS, "X509Data");
+ x509DataElem.appendChild(x509CertElem);
+ Element keyValueElem = doc.createElementNS(WSConstants.SIG_NS, "KeyValue");
+ keyValueElem.appendChild(x509DataElem);
+
+ return this.createAuthAssertion(doc, SAMLSubject.CONF_HOLDER_KEY, nameId, keyValueElem, config, crypto, creationTime, expirationTime);
+ } catch (SAMLException e) {
+ throw new TrustException("samlAssertionCreationError", e);
+ } catch (CertificateEncodingException e) {
+ throw new TrustException("samlAssertionCreationError", e);
+ }
}
- return this.createAttributeAssertion(doc, encryptedKeyElem,
- config, crypto, creationTime, expirationTime);
}
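Review bot: In the public-key branch the ds:X509Data is wrapped in a ds:KeyValue element, which XML Signature does not permit: ds:KeyValue carries RSAKeyValue/DSAKeyValue, while ds:X509Data is a direct child of ds:KeyInfo, so the holder-of-key KeyInfo this produces is schema-invalid and standard KeyInfo resolvers on the relying side will not find the certificate. Drop the two `keyValueElem` lines and pass the X509Data directly: `return this.createAuthAssertion(doc, SAMLSubject.CONF_HOLDER_KEY, nameId, x509DataElem, config, crypto, creationTime, expirationTime);`. The subject NameIdentifier is built from principal.getName() with FORMAT_EMAIL, but for a certificate-authenticated requester that name is an X.500 DN, so the X509SubjectName format is the right one (`SAMLNameIdentifier.FORMAT_X509` in OpenSAML 1.x, if the bundled version has it) or the format should be left unspecified. The comment above the encoding would then read `//Create the ds:X509Data carrying the requester's certificate`.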
/**
@@ -475,13 +495,22 @@
* @param expirationTime
* @return
*/
- private SAMLAssertion createAuthAssertion(String confMethod,
- SAMLNameIdentifier subjectNameId, SAMLTokenIssuerConfig config,
+ private SAMLAssertion createAuthAssertion(Document doc, String confMethod,
+ SAMLNameIdentifier subjectNameId, Element keyInfoContent, SAMLTokenIssuerConfig config,
Crypto crypto, Date notBefore, Date notAfter) throws TrustException {
try {
String[] confirmationMethods = new String[]{confMethod};
- SAMLSubject subject = new SAMLSubject(subjectNameId, Arrays.asList(confirmationMethods), null, null);
+ Element keyInfoElem = null;
+ if(keyInfoContent != null) {
+ keyInfoElem = doc.createElementNS(WSConstants.SIG_NS, "KeyInfo");
+ ((OMElement)keyInfoContent).declareNamespace(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
+ ((OMElement)keyInfoContent).declareNamespace(WSConstants.ENC_NS, WSConstants.ENC_PREFIX);
+
+ keyInfoElem.appendChild(keyInfoContent);
+ }
+
+ SAMLSubject subject = new SAMLSubject(subjectNameId, Arrays.asList(confirmationMethods), null, keyInfoElem);
SAMLAuthenticationStatement authStmt = new SAMLAuthenticationStatement(
subject,
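Review bot: The Javadoc immediately above (context lines) still documents only the old parameters; the new `doc` and `keyInfoContent` parameters need `@param doc the DOM document used to create the ds:KeyInfo element` and `@param keyInfoContent element to place inside ds:KeyInfo, or null to omit KeyInfo`. The two `(OMElement)keyInfoContent` casts silently require the Element to be a DOOM node (the issuer is presumably running on DOOM); with any other DOM implementation they throw ClassCastException, so either guard with `if (keyInfoContent instanceof OMElement)` or document the precondition with `@throws ClassCastException if keyInfoContent is not a DOOM element`. The ENC_NS declaration is only meaningful for an EncryptedKey child, which this method is never handed on this page (the cert path passes X509Data and the EncryptedKey path goes through createAttributeAssertion), so it could be dropped. The SAMLAuthenticationStatement construction continues past the end of the hunk.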
Modified: webservices/axis2/trunk/java/modules/webapp/project.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/webapp/project.xml?rev=427078&r1=427077&r2=427078&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/webapp/project.xml (original)
+++ webservices/axis2/trunk/java/modules/webapp/project.xml Mon Jul 31 04:44:38 2006
@@ -82,6 +82,11 @@
<artifactId>axiom-impl</artifactId>
<version>${axiom.version}</version>
</dependency>
+ <dependency>
+ <groupId>ws-commons</groupId>
+ <artifactId>axiom-dom</artifactId>
+ <version>${axiom.version}</version>
+ </dependency>
<dependency>
<groupId>xalan</groupId>
<artifactId>xalan</artifactId>