Posted to axis-cvs@ws.apache.org by ru...@apache.org on 2006/07/26 21:20:38 UTC
svn commit: r425809 - in /webservices/axis2/trunk/java/modules: integration/
integration/test-resources/rahas/ integration/test/org/apache/rahas/
rahas/src/org/apache/rahas/ rahas/src/org/apache/rahas/impl/
samples/src/sample/security/
Author: ruchithf
Date: Wed Jul 26 12:20:37 2006
New Revision: 425809
URL: http://svn.apache.org/viewvc?rev=425809&view=rev
Log:
- Updated the SAMLTokenIssuer to issue bearer tokens
- Updated the sts cert to the standard STS cert used for interop scenarios
- Added a test for the STS issuing a SAML bearer token, authenticating the requester with a UsernameToken
Added:
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/issuer.properties
- copied, changed from r425731, webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sctIssuer.properties
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sec.properties
- copied, changed from r425785, webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sec.properties
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sts.jks
- copied, changed from r425731, webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sts.jks
Removed:
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sctIssuer.properties
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sec.properties
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sts.jks
Modified:
webservices/axis2/trunk/java/modules/integration/maven.xml
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml
webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sec.jks
webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/PWCallback.java
webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenTest.java
webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenUTForHoKV1205Test.java
webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties
webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
webservices/axis2/trunk/java/modules/samples/src/sample/security/Client.java
webservices/axis2/trunk/java/modules/samples/src/sample/security/Service.java
Modified: webservices/axis2/trunk/java/modules/integration/maven.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/maven.xml?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/maven.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/maven.xml Wed Jul 26 12:20:37 2006
@@ -296,12 +296,12 @@
<copy overwrite="yes" file="target/test-classes/org/apache/rahas/Service.class"
tofile="target/temp-rahas/org/apache/rahas/Service.class"/>
<copy overwrite="yes" file="target/test-classes/org/apache/rahas/PWCallback.class"
- tofile="target/temp-sc/org/apache/rahas/PWCallback.class"/>
+ tofile="target/temp-rahas/org/apache/rahas/PWCallback.class"/>
<copy overwrite="yes" todir="target/temp-rahas">
<fileset dir="test-resources/rahas">
- <include name="sctIssuer.properties"/>
- <include name="sts.jks"/>
+ <include name="issuer.properties"/>
+ <include name="rahas-sts.jks"/>
</fileset>
</copy>
@@ -349,8 +349,6 @@
<!-- copy the services.xml and create the aar -->
<copy overwrite="yes" file="test-resources/rahas/s1-services.xml"
tofile="target/temp-rahas/META-INF/services.xml"/>
- <copy overwrite="yes" file="test-resources/rahas/saml.s1.properties"
- tofile="target/temp-rahas/saml.s1.properties"/>
<jar overwrite="yes" jarfile="target/test-resources/rahas_service_repo_1/services/SecureService.aar"
basedir="target/temp-rahas"/>
@@ -375,8 +373,6 @@
<!-- copy the services.xml and create the aar -->
<copy overwrite="yes" file="test-resources/rahas/s3-services.xml"
tofile="target/temp-rahas/META-INF/services.xml"/>
- <copy overwrite="yes" file="test-resources/rahas/sctIssuer.properties"
- tofile="target/temp-rahas/sctIssuer.properties"/>
<jar overwrite="yes" jarfile="target/test-resources/rahas_service_repo_3/services/SecureService.aar"
basedir="target/temp-rahas"/>
Copied: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/issuer.properties (from r425731, webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sctIssuer.properties)
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/issuer.properties?p2=webservices/axis2/trunk/java/modules/integration/test-resources/rahas/issuer.properties&p1=webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sctIssuer.properties&r1=425731&r2=425809&rev=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sctIssuer.properties (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/rahas/issuer.properties Wed Jul 26 12:20:37 2006
@@ -1,4 +1,4 @@
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
-org.apache.ws.security.crypto.merlin.file=sts.jks
+org.apache.ws.security.crypto.merlin.file=rahas-sts.jks
Copied: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sec.properties (from r425785, webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sec.properties)
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sec.properties?p2=webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sec.properties&p1=webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sec.properties&r1=425785&r2=425809&rev=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sec.properties (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sec.properties Wed Jul 26 12:20:37 2006
@@ -1,5 +1,5 @@
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
-org.apache.ws.security.crypto.merlin.file=sec.jks
+org.apache.ws.security.crypto.merlin.file=rahas-sts.jks
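Review bot: The copied requester-side crypto properties now point at `rahas-sts.jks`, the same keystore `issuer.properties` in this commit uses, rather than at a renamed copy of `sec.jks` (which this commit also modifies). If that is intended — one test keystore presumably holding both the requester's `alice` entry and the STS `ip` entry — a one-line comment in the file would save the next reader the question, e.g. `# shared test keystore: requester (alice) and STS (ip) entries live in the same file`. A test where both parties trust the same keystore cannot detect a missing trust entry, so this configuration should stay test-only.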
Copied: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sts.jks (from r425731, webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sts.jks)
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sts.jks?p2=webservices/axis2/trunk/java/modules/integration/test-resources/rahas/rahas-sts.jks&p1=webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sts.jks&r1=425731&r2=425809&rev=425809&view=diff
==============================================================================
Binary files - no diff available.
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml Wed Jul 26 12:20:37 2006
@@ -13,9 +13,9 @@
<parameter name="saml-issuer-config">
<saml-issuer-config>
<issuerName>Test_STS</issuerName>
- <issuerKeyAlias>sts</issuerKeyAlias>
+ <issuerKeyAlias>ip</issuerKeyAlias>
<issuerKeyPassword>password</issuerKeyPassword>
- <cryptoProperties>sctIssuer.properties</cryptoProperties>
+ <cryptoProperties>issuer.properties</cryptoProperties>
<timeToLive>300000</timeToLive>
<keySize>256</keySize>
<addRequestedAttachedRef />
@@ -32,16 +32,16 @@
<parameter name="InflowSecurity">
<action>
<items>Timestamp Signature</items>
- <signaturePropFile>sctIssuer.properties</signaturePropFile>
+ <signaturePropFile>issuer.properties</signaturePropFile>
</action>
</parameter>
<parameter name="OutflowSecurity">
<action>
<items>Timestamp Signature</items>
- <user>sts</user>
- <signaturePropFile xmlns="">sctIssuer.properties</signaturePropFile>
- <passwordCallbackClass xmlns="">org.apache.axis2.security.sc.PWCallback</passwordCallbackClass>
+ <user>ip</user>
+ <signaturePropFile xmlns="">issuer.properties</signaturePropFile>
+ <passwordCallbackClass xmlns="">org.apache.rahas.PWCallback</passwordCallbackClass>
</action>
</parameter>
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml (original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s3-services.xml Wed Jul 26 12:20:37 2006
@@ -13,9 +13,9 @@
<parameter name="saml-issuer-config">
<saml-issuer-config>
<issuerName>Test_STS</issuerName>
- <issuerKeyAlias>sts</issuerKeyAlias>
+ <issuerKeyAlias>ip</issuerKeyAlias>
<issuerKeyPassword>password</issuerKeyPassword>
- <cryptoProperties>sctIssuer.properties</cryptoProperties>
+ <cryptoProperties>issuer.properties</cryptoProperties>
<timeToLive>300000</timeToLive>
<keySize>256</keySize>
<addRequestedAttachedRef />
@@ -32,15 +32,15 @@
<parameter name="InflowSecurity">
<action>
<items>Timestamp UsernameToken</items>
- <passwordCallbackClass xmlns="">org.apache.axis2.security.sc.PWCallback</passwordCallbackClass>
+ <passwordCallbackClass xmlns="">org.apache.rahas.PWCallback</passwordCallbackClass>
</action>
</parameter>
<parameter name="OutflowSecurity">
<action>
<items>Timestamp</items>
- <user>sts</user>
- <passwordCallbackClass xmlns="">org.apache.axis2.security.sc.PWCallback</passwordCallbackClass>
+ <user>ip</user>
+ <passwordCallbackClass xmlns="">org.apache.rahas.PWCallback</passwordCallbackClass>
<enableSignatureConfirmation>false</enableSignatureConfirmation>
</action>
</parameter>
Modified: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sec.jks
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/sec.jks?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
Binary files - no diff available.
Modified: webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/PWCallback.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/PWCallback.java?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/PWCallback.java (original)
+++ webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/PWCallback.java Wed Jul 26 12:20:37 2006
@@ -160,7 +160,7 @@
pc.setPassword("noR");
- } else if(pc.getIdentifer().equals("sts")) {
+ } else if(pc.getIdentifer().equals("ip")) {
pc.setPassword("password");
Modified: webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenTest.java?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenTest.java (original)
+++ webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenTest.java Wed Jul 26 12:20:37 2006
@@ -45,7 +45,7 @@
ofc.setActionItems("Timestamp Signature");
ofc.setUser("alice");
- ofc.setSignaturePropFile("sec.properties");
+ ofc.setSignaturePropFile("rahas-sec.properties");
ofc.setPasswordCallbackClass(PWCallback.class.getName());
return ofc;
}
@@ -55,7 +55,7 @@
ifc.setActionItems("Timestamp Signature");
ifc.setPasswordCallbackClass(PWCallback.class.getName());
- ifc.setSignaturePropFile("sec.properties");
+ ifc.setSignaturePropFile("rahas-sec.properties");
return ifc;
}
Modified: webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenUTForHoKV1205Test.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenUTForHoKV1205Test.java?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenUTForHoKV1205Test.java (original)
+++ webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenUTForHoKV1205Test.java Wed Jul 26 12:20:37 2006
@@ -17,7 +17,7 @@
package org.apache.rahas;
import org.apache.axiom.om.OMElement;
-import org.apache.axis2.security.sc.PWCallback;
+import org.apache.rahas.PWCallback;
import org.apache.rampart.handler.config.InflowConfiguration;
import org.apache.rampart.handler.config.OutflowConfiguration;
import org.opensaml.XML;
Modified: webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java (original)
+++ webservices/axis2/trunk/java/modules/integration/test/org/apache/rahas/RahasSAMLTokenV1205Test.java Wed Jul 26 12:20:37 2006
@@ -17,7 +17,7 @@
package org.apache.rahas;
import org.apache.axiom.om.OMElement;
-import org.apache.axis2.security.sc.PWCallback;
+import org.apache.rahas.PWCallback;
import org.apache.rampart.handler.config.InflowConfiguration;
import org.apache.rampart.handler.config.OutflowConfiguration;
import org.opensaml.XML;
@@ -61,7 +61,7 @@
ofc.setActionItems("Timestamp Signature");
ofc.setUser("alice");
- ofc.setSignaturePropFile("sec.properties");
+ ofc.setSignaturePropFile("rahas-sec.properties");
ofc.setPasswordCallbackClass(PWCallback.class.getName());
return ofc;
}
@@ -71,7 +71,7 @@
ifc.setActionItems("Timestamp Signature");
ifc.setPasswordCallbackClass(PWCallback.class.getName());
- ifc.setSignaturePropFile("sec.properties");
+ ifc.setSignaturePropFile("rahas-sec.properties");
return ifc;
}
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties Wed Jul 26 12:20:37 2006
@@ -45,4 +45,5 @@
samlAssertionCreationError = Error in creating a SAMLToken using opensaml library
aliasMissingForService = Certificate alias missing for service : \"{0}\"
samlInvalidAppliesToElem = Invalid wst:AppliesTo element, Rahas SAML token issuer expects the service epr to be the child
-samlIssuerNameMissing = issuerName value missing in the SAMLTokenIssuer configuration
\ No newline at end of file
+samlIssuerNameMissing = issuerName value missing in the SAMLTokenIssuer configuration
+samlUnsupportedPrincipal = Unsupported principal : \"{0}\"
\ No newline at end of file
Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java Wed Jul 26 12:20:37 2006
@@ -30,6 +30,7 @@
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -42,7 +43,9 @@
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
+import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
+import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.w3c.dom.Document;
@@ -192,9 +195,9 @@
if(keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) ||
keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
assertion = createHoKAssertion(config, request, doc, crypto,
- creationTime, expirationTime, keyType, secret);
+ creationTime, expirationTime, keyType, secret, principal);
} else if(keyType.endsWith(RahasConstants.KEY_TYPE_BEARER)) {
- //TODO Create bearer token
+ assertion = createBearerAssertion(config, request, doc, crypto, creationTime, expirationTime, principal);
} else {
throw new TrustException("unsupportedKeyType");
}
@@ -218,8 +221,10 @@
TrustUtil.createtTokenTypeElement(version, rstrElem).setText(
RahasConstants.TOK_TYPE_SAML_10);
-
- TrustUtil.createKeySizeElement(version, rstrElem, keySize);
+
+ if(keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
+ TrustUtil.createKeySizeElement(version, rstrElem, keySize);
+ }
if (config.addRequestedAttachedRef) {
TrustUtil.createRequestedAttachedRef(version, rstrElem, "#"
@@ -262,12 +267,14 @@
throw new TrustException("samlConverstionError", e);
}
- //Add the RequestedProofToken
- OMElement reqProofTokElem = TrustUtil
- .createRequestedProofTokenElement(version, rstrElem);
- OMElement binSecElem = TrustUtil.createBinarySecretElement(version,
- reqProofTokElem, null);
- binSecElem.setText(Base64.encode(secret));
+ if(keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
+ //Add the RequestedProofToken
+ OMElement reqProofTokElem = TrustUtil
+ .createRequestedProofTokenElement(version, rstrElem);
+ OMElement binSecElem = TrustUtil.createBinarySecretElement(version,
+ reqProofTokElem, null);
+ binSecElem.setText(Base64.encode(secret));
+ }
// Unet the DOM impl to DOOM
DocumentBuilderFactoryImpl.setDOOMRequired(false);
@@ -276,56 +283,37 @@
/**
- * Uses the <code>wst:AppliesTo</code> to figure out the certificate to
- * encrypt the secret in the SAML token
- * @param request
* @param config
+ * @param request
+ * @param doc
* @param crypto
- * @throws WSSecurityException
+ * @param creationTime
+ * @param expirationTime
+ * @param principal
* @return
*/
- private X509Certificate getServiceCert(OMElement request,
- SAMLTokenIssuerConfig config, Crypto crypto)
- throws WSSecurityException, TrustException {
-
- String address = this.getServiceAddress(request);
-
- if(address != null && !"".equals(address)) {
- String alias = (String)config.trustedServices.get(address);;
- return (X509Certificate)crypto.getCertificates(alias)[0];
- } else {
- //Return the STS cert
- return (X509Certificate)crypto.getCertificates(config.issuerKeyAlias)[0];
- }
-
- }
-
-
- private String getServiceAddress(OMElement request) throws TrustException {
- OMElement appliesToElem = request.getFirstChildWithName(
- new QName(RahasConstants.WSP_NS, RahasConstants.APPLIES_TO_LN));
- if(appliesToElem != null) {
- OMElement eprElem = appliesToElem.getFirstChildWithName(new QName(
- RahasConstants.WSA_NS, RahasConstants.ENDPOINT_REFERENCE));
- if (eprElem != null) {
- OMElement addrElem = eprElem.getFirstChildWithName(new QName(
- RahasConstants.WSA_NS, RahasConstants.ADDRESS));
- if (addrElem != null && addrElem.getText() != null && !"".equals(addrElem.getText().trim())) {
- return addrElem.getText().trim();
- } else {
- throw new TrustException("samlInvalidAppliesToElem");
- }
+ private SAMLAssertion createBearerAssertion(SAMLTokenIssuerConfig config,
+ OMElement request, Document doc, Crypto crypto, Date creationTime,
+ Date expirationTime, Principal principal) throws TrustException {
+ try {
+ //In the case where the principal is a UT
+ if(principal instanceof WSUsernameTokenPrincipal) {
+ WSUsernameTokenPrincipal utPrincipal = (WSUsernameTokenPrincipal)principal;
+ //TODO: Find the email address
+ String subjectNameId = "rcuhtihf@apache.org";
+ SAMLNameIdentifier nameId = new SAMLNameIdentifier(subjectNameId, null, SAMLNameIdentifier.FORMAT_EMAIL);
+ return createAuthAssertion(SAMLSubject.CONF_BEARER, nameId, config, crypto, creationTime, expirationTime);
} else {
- throw new TrustException("samlInvalidAppliesToElem");
+ throw new TrustException("samlUnsupportedPrincipal", new String[]{principal.getClass().getName()});
}
+ } catch (SAMLException e) {
+ throw new TrustException("samlAssertionCreationError", e);
}
- //If the AppliesTo element is missing
- return null;
}
-
+
private SAMLAssertion createHoKAssertion(SAMLTokenIssuerConfig config,
OMElement request, Document doc, Crypto crypto, Date creationTime,
- Date expirationTime, String keyType, byte[] secret)
+ Date expirationTime, String keyType, byte[] secret, Principal principal)
throws TrustException {
Element encryptedKeyElem = null;
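Review bot: In createBearerAssertion the subject of the issued bearer assertion is the fixed literal `"rcuhtihf@apache.org"` and the `utPrincipal` cast is never read, so every requester that passes UsernameToken authentication receives an assertion naming the same identity instead of its own; until the email lookup behind the TODO exists, the name identifier should at least be derived from the authenticated principal, e.g. `SAMLNameIdentifier nameId = new SAMLNameIdentifier(utPrincipal.getName(), null, SAMLNameIdentifier.FORMAT_UNSPECIFIED);`. The else branch dereferences `principal.getClass()` to build the error argument, so a null principal (no authentication result on the request) surfaces as a NullPointerException rather than the intended `samlUnsupportedPrincipal` TrustException; use `principal == null ? "null" : principal.getClass().getName()` there. The `request` and `doc` parameters of createBearerAssertion are unused and its Javadoc leaves `@return` empty. createHoKAssertion's body continues past the end of the hunk.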
@@ -363,9 +351,58 @@
"errorInBuildingTheEncryptedKeyForPrincipal",
new String[] { serviceCert.getSubjectDN().getName()}, e);
}
- return this.createAssertion(doc, encryptedKeyElem,
+ return this.createAttributeAssertion(doc, encryptedKeyElem,
config, crypto, creationTime, expirationTime);
}
+
+ /**
+ * Uses the <code>wst:AppliesTo</code> to figure out the certificate to
+ * encrypt the secret in the SAML token
+ * @param request
+ * @param config
+ * @param crypto
+ * @throws WSSecurityException
+ * @return
+ */
+ private X509Certificate getServiceCert(OMElement request,
+ SAMLTokenIssuerConfig config, Crypto crypto)
+ throws WSSecurityException, TrustException {
+
+ String address = this.getServiceAddress(request);
+
+ if(address != null && !"".equals(address)) {
+ String alias = (String)config.trustedServices.get(address);;
+ return (X509Certificate)crypto.getCertificates(alias)[0];
+ } else {
+ //Return the STS cert
+ return (X509Certificate)crypto.getCertificates(config.issuerKeyAlias)[0];
+ }
+
+ }
+
+
+ private String getServiceAddress(OMElement request) throws TrustException {
+ OMElement appliesToElem = request.getFirstChildWithName(
+ new QName(RahasConstants.WSP_NS, RahasConstants.APPLIES_TO_LN));
+ if(appliesToElem != null) {
+ OMElement eprElem = appliesToElem.getFirstChildWithName(new QName(
+ RahasConstants.WSA_NS, RahasConstants.ENDPOINT_REFERENCE));
+ if (eprElem != null) {
+ OMElement addrElem = eprElem.getFirstChildWithName(new QName(
+ RahasConstants.WSA_NS, RahasConstants.ADDRESS));
+ if (addrElem != null && addrElem.getText() != null && !"".equals(addrElem.getText().trim())) {
+ return addrElem.getText().trim();
+ } else {
+ throw new TrustException("samlInvalidAppliesToElem");
+ }
+ } else {
+ throw new TrustException("samlInvalidAppliesToElem");
+ }
+ }
+ //If the AppliesTo element is missing
+ return null;
+ }
+
/**
* Create the SAML assertion with the secret held in an
* <code>xenc:EncryptedKey</code>
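Review bot: getServiceCert, re-added here unchanged, still indexes `[0]` into whatever `crypto.getCertificates(alias)` returns without checking that the alias was resolved: an AppliesTo address that is not in `config.trustedServices` yields a null alias, and if the Crypto implementation then returns null or an empty array the failure is a NullPointerException or ArrayIndexOutOfBoundsException rather than the `aliasMissingForService` TrustException that errors.properties already defines for this case. Suggest resolving the alias into a local first and throwing `new TrustException("aliasMissingForService", new String[]{address})` when it is null, and dropping the stray `;;` on that line while touching it.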
@@ -378,7 +415,7 @@
* @return
* @throws TrustException
*/
- private SAMLAssertion createAssertion(Document doc,
+ private SAMLAssertion createAttributeAssertion(Document doc,
Element keyInfoContent,
SAMLTokenIssuerConfig config,
Crypto crypto,
@@ -431,7 +468,51 @@
}
}
-
+ /**
+ * @param conf_bearer
+ * @param subjectNameId
+ * @param creationTime
+ * @param expirationTime
+ * @return
+ */
+ private SAMLAssertion createAuthAssertion(String confMethod,
+ SAMLNameIdentifier subjectNameId, SAMLTokenIssuerConfig config,
+ Crypto crypto, Date notBefore, Date notAfter) throws TrustException {
+ try {
+ String[] confirmationMethods = new String[]{confMethod};
+
+ SAMLSubject subject = new SAMLSubject(subjectNameId, Arrays.asList(confirmationMethods), null, null);
+
+ SAMLAuthenticationStatement authStmt = new SAMLAuthenticationStatement(
+ subject,
+ SAMLAuthenticationStatement.AuthenticationMethod_Password,
+ notBefore, null, null, null);
+ SAMLStatement[] statements = {authStmt};
+
+ SAMLAssertion assertion = new SAMLAssertion(config.issuerName, notBefore,
+ notAfter, null, null, Arrays.asList(statements));
+
+ //sign the assertion
+ X509Certificate[] issuerCerts =
+ crypto.getCertificates(config.issuerKeyAlias);
+
+ String sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_RSA;
+ String pubKeyAlgo =
+ issuerCerts[0].getPublicKey().getAlgorithm();
+ if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
+ sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+ }
+ java.security.Key issuerPK =
+ crypto.getPrivateKey(config.issuerKeyAlias,
+ config.issuerKeyPassword);
+ assertion.sign(sigAlgo, issuerPK, Arrays.asList(issuerCerts));
+
+
+ return assertion;
+ } catch (Exception e) {
+ throw new TrustException("samlAssertionCreationError", e);
+ }
+ }
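Review bot: The Javadoc on createAuthAssertion does not match its signature: it documents `conf_bearer`, `creationTime` and `expirationTime`, but the parameters are `confMethod`, `notBefore` and `notAfter`, while `config`, `crypto`, `@throws TrustException` and the text of `@return` are missing. A summary such as "Creates and signs a SAML 1.x assertion carrying a single AuthenticationStatement for the given subject and confirmation method, signed with the issuer key named by config.issuerKeyAlias" with corrected tags would make the contract readable. The authentication method is hard-coded to `AuthenticationMethod_Password`, which fits the only caller (the UsernameToken path) but deserves a comment such as `// only the UsernameToken path calls this today; pass the method in if other authenticators are added`.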
/*
Modified: webservices/axis2/trunk/java/modules/samples/src/sample/security/Client.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/samples/src/sample/security/Client.java?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/samples/src/sample/security/Client.java (original)
+++ webservices/axis2/trunk/java/modules/samples/src/sample/security/Client.java Wed Jul 26 12:20:37 2006
@@ -42,10 +42,10 @@
// Get the repository location from the args
String repo = args[0];
- String port = args[1];
+ String port = "9080";
OMElement payload = getEchoElement();
- ConfigurationContext configContext = ConfigurationContextFactory.createConfigurationContextFromFileSystem(repo, null);
+ ConfigurationContext configContext = ConfigurationContextFactory.createConfigurationContextFromFileSystem(repo, repo + "/conf/axis2.xml");
ServiceClient serviceClient = new ServiceClient(configContext, null);
Options options = new Options();
options.setTo(new EndpointReference("http://127.0.0.1:" + port + "/axis2/services/SecureService"));
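Review bot: `String port = "9080";` replaces `args[1]`, so the sample's second command-line argument is now silently ignored and the client can only reach a server on port 9080; keeping the argument with a default, `String port = args.length > 1 ? args[1] : "9080";`, preserves both uses. The `System.out.println(payload)` added in the following hunk looks like leftover debugging output in sample code. The enclosing method starts and ends outside the hunk.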
@@ -55,6 +55,7 @@
serviceClient.setOptions(options);
//Blocking invocation
+ System.out.println(payload);
OMElement result = serviceClient.sendReceive(payload);
StringWriter writer = new StringWriter();
Modified: webservices/axis2/trunk/java/modules/samples/src/sample/security/Service.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/samples/src/sample/security/Service.java?rev=425809&r1=425808&r2=425809&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/samples/src/sample/security/Service.java (original)
+++ webservices/axis2/trunk/java/modules/samples/src/sample/security/Service.java Wed Jul 26 12:20:37 2006
@@ -1,28 +1,36 @@
/*
-* Copyright 2004,2005 The Apache Software Foundation.
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package sample.security;
import org.apache.axiom.om.OMElement;
public class Service {
- public OMElement echo(OMElement elem) {
- elem.build();
- elem.detach();
- return elem;
- }
-
+ public OMElement echo(OMElement elem) {
+ elem.build();
+ elem.detach();
+
+// for (int i = 0; i < 17; i++) {
+// OMElement chldElem = elem.getOMFactory().createOMElement("child",
+// null);
+// chldElem.setText("Fixing Roy's problem " + i);
+// elem.addChild(chldElem);
+// }
+
+ return elem;
+ }
+
}
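Review bot: The commented-out loop inside echo (the `// for (int i = 0; i < 17; i++)` block) is dead code in sample source that ships to users; delete it rather than keep it under comments, or move the experiment into a test. The rest of the hunk is indentation only.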