Posted to commits@cxf.apache.org by co...@apache.org on 2017/04/05 11:50:04 UTC
[1/4] cxf git commit: Change the ReceivedTokenCallbackHandler to
follow an ordering when retrieving a token from the previous message
Repository: cxf
Updated Branches:
refs/heads/3.1.x-fixes eb98654ac -> b16f63b29
Change the ReceivedTokenCallbackHandler to follow an ordering when retrieving a token from the previous message
# Conflicts:
# rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/22a58c39
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/22a58c39
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/22a58c39
Branch: refs/heads/3.1.x-fixes
Commit: 22a58c399ccdb94f5969ab3be9dfad46cf222af2
Parents: eb98654
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 5 10:08:46 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 5 11:41:58 2017 +0100
----------------------------------------------------------------------
.../ReceivedTokenCallbackHandler.java | 91 ++++++++++++--------
1 file changed, 57 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/22a58c39/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java
index 523677b..7c32240 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java
@@ -21,24 +21,26 @@ package org.apache.cxf.ws.security.trust.delegation;
import java.io.IOException;
import java.lang.ref.WeakReference;
+import java.util.ArrayList;
import java.util.List;
+import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
-
import org.w3c.dom.Element;
+
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.common.token.BinarySecurity;
+import org.apache.wss4j.common.token.PKIPathSecurity;
+import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.message.token.UsernameToken;
/**
* This CallbackHandler implementation obtains the previously received message from a
@@ -46,7 +48,18 @@ import org.apache.wss4j.dom.message.token.UsernameToken;
* (SAML/UsernameToken/BinarySecurityToken) from it to be used as the delegation token.
*/
public class ReceivedTokenCallbackHandler implements CallbackHandler {
-
+
+ private static final List<Integer> DEFAULT_SECURITY_PRIORITIES = new ArrayList<>();
+ static {
+ DEFAULT_SECURITY_PRIORITIES.add(WSConstants.ST_SIGNED);
+ DEFAULT_SECURITY_PRIORITIES.add(WSConstants.ST_UNSIGNED);
+ DEFAULT_SECURITY_PRIORITIES.add(WSConstants.UT);
+ DEFAULT_SECURITY_PRIORITIES.add(WSConstants.BST);
+ DEFAULT_SECURITY_PRIORITIES.add(WSConstants.UT_NOPASSWORD);
+ }
+
+ private List<Integer> securityPriorities = new ArrayList<>(DEFAULT_SECURITY_PRIORITIES);
+
private boolean useTransformedToken = true;
@SuppressWarnings("unchecked")
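Review bot: The new `DEFAULT_SECURITY_PRIORITIES` list carries no comment saying what its order means, even though that order now decides which received token is picked as the delegation token. I would add `// Action types to search for a delegation token, highest priority first: signed SAML, unsigned SAML, UsernameToken, BST, then passwordless UsernameToken.` above the static block. As a point of style, a static initializer filling a modifiable `ArrayList` can be replaced by `Collections.unmodifiableList(Arrays.asList(WSConstants.ST_SIGNED, ...))`, which also makes it explicit that the defaults are not meant to be mutated; that needs two extra `java.util` imports in the import hunk above.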
@@ -80,8 +93,8 @@ public class ReceivedTokenCallbackHandler implements CallbackHandler {
List<WSHandlerResult> results =
CastUtils.cast((List<?>)soapMessage.get(WSHandlerConstants.RECV_RESULTS));
if (results != null) {
- for (WSHandlerResult rResult : results) {
- Element token = findToken(rResult.getResults());
+ for (WSHandlerResult handlerResult : results) {
+ Element token = getTokenFromResults(handlerResult);
if (token != null) {
return token;
}
@@ -90,38 +103,40 @@ public class ReceivedTokenCallbackHandler implements CallbackHandler {
}
return null;
}
-
- private Element findToken(
- List<WSSecurityEngineResult> wsSecEngineResults
- ) {
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- // First check for a transformed token
- Object transformedToken = wser.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
- if (useTransformedToken && transformedToken instanceof SamlAssertionWrapper) {
- return ((SamlAssertionWrapper)transformedToken).getElement();
- }
-
- // Otherwise check the actions
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.ST_SIGNED
- || actInt.intValue() == WSConstants.ST_UNSIGNED) {
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- return assertion.getElement();
- } else if (actInt.intValue() == WSConstants.UT
- || actInt.intValue() == WSConstants.UT_NOPASSWORD) {
- UsernameToken token =
- (UsernameToken)wser.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
- return token.getElement();
- } else if (actInt.intValue() == WSConstants.BST) {
- BinarySecurity token =
- (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- return token.getElement();
+
+ private Element getTokenFromResults(WSHandlerResult handlerResult) {
+ // Now go through the results in a certain order. Highest priority is first.
+ Map<Integer, List<WSSecurityEngineResult>> actionResults = handlerResult.getActionResults();
+ for (Integer resultPriority : securityPriorities) {
+ List<WSSecurityEngineResult> foundResults = actionResults.get(resultPriority);
+ if (foundResults != null && !foundResults.isEmpty()) {
+ for (WSSecurityEngineResult result : foundResults) {
+
+ if (!skipResult(resultPriority, result)) {
+ // First check for a transformed token
+ Object transformedToken = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
+ if (useTransformedToken && transformedToken instanceof SamlAssertionWrapper) {
+ return ((SamlAssertionWrapper)transformedToken).getElement();
+ }
+
+ if (result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT) != null) {
+ return (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ }
+ }
+ }
}
}
+
return null;
}
+ protected boolean skipResult(Integer resultPriority, WSSecurityEngineResult result) {
+ Object binarySecurity = result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+
+ return resultPriority == WSConstants.BST
+ && (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity);
+ }
+
public boolean isUseTransformedToken() {
return useTransformedToken;
}
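Review bot: `getTokenFromResults` iterates `securityPriorities` on the `for` line without a null check, and `setSecurityPriorities` in the next hunk stores whatever it is given, so a null configuration becomes a NullPointerException at lookup time rather than a clear error; either reject null in the setter or fall back to `new ArrayList<>(DEFAULT_SECURITY_PRIORITIES)` there. Whether `handlerResult.getActionResults()` can return null is not visible here; if it can, the `actionResults.get(resultPriority)` line needs the same guard. `skipResult` is a protected extension point but has no Javadoc; I would add `/** Returns true if this result must not be used as the delegation token. The default implementation skips BinarySecurityTokens that are X.509 certificates or PKI paths. */`. The comment `// Now go through the results in a certain order.` should name the order: `// Walk the results by action type, in the order given by securityPriorities (highest priority first).`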
@@ -134,5 +149,13 @@ public class ReceivedTokenCallbackHandler implements CallbackHandler {
public void setUseTransformedToken(boolean useTransformedToken) {
this.useTransformedToken = useTransformedToken;
}
-
+
+ public List<Integer> getSecurityPriorities() {
+ return securityPriorities;
+ }
+
+ public void setSecurityPriorities(List<Integer> securityPriorities) {
+ this.securityPriorities = securityPriorities;
+ }
+
}
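Review bot: `getSecurityPriorities` hands out the live `securityPriorities` list and `setSecurityPriorities` keeps the caller's reference, so the lookup order used by `getTokenFromResults` can change underneath the handler after it has been configured. A defensive copy in the setter, `this.securityPriorities = new ArrayList<>(securityPriorities);`, removes the aliasing; the getter could return `Collections.unmodifiableList(securityPriorities)` if no caller relies on mutating it, which is not visible here. Both public accessors also lack Javadoc; the setter's should state that the list holds `WSConstants` action values in priority order and that the first result matching the highest-priority action wins.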
[4/4] cxf git commit: Fixing merge
Posted by co...@apache.org.
Fixing merge
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b16f63b2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b16f63b2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b16f63b2
Branch: refs/heads/3.1.x-fixes
Commit: b16f63b29a864f3687932f9e664088b79f3c40e9
Parents: 4bca17b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 5 12:49:57 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 5 12:49:57 2017 +0100
----------------------------------------------------------------------
.../org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/b16f63b2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
index c2699fc..972a9fd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
@@ -21,7 +21,6 @@ package org.apache.cxf.ws.security.trust;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
-import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
@@ -38,6 +37,7 @@ import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
+import org.apache.xml.security.utils.Base64;
public class DefaultSTSTokenCacher implements STSTokenCacher {
@@ -197,7 +197,7 @@ public class DefaultSTSTokenCacher implements STSTokenCacher {
try {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] bytes = digest.digest(text.getBytes());
- return Base64.getMimeEncoder().encodeToString(bytes);
+ return Base64.encode(bytes);
} catch (NoSuchAlgorithmException e) {
// SHA-256 must be supported so not going to happen...
}
[3/4] cxf git commit: Recording .gitmergeinfo Changes
Posted by co...@apache.org.
Recording .gitmergeinfo Changes
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4bca17bc
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4bca17bc
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4bca17bc
Branch: refs/heads/3.1.x-fixes
Commit: 4bca17bcaa911ff4f90d4d610e2ce0b974f68f96
Parents: 1a4fe22
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 5 11:41:59 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 5 11:41:59 2017 +0100
----------------------------------------------------------------------
.gitmergeinfo | 1 +
1 file changed, 1 insertion(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/4bca17bc/.gitmergeinfo
----------------------------------------------------------------------
diff --git a/.gitmergeinfo b/.gitmergeinfo
index 6fbafc1..4b95281 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -412,6 +412,7 @@ M 5b7b014cc1d24cba1191bc07fd48b13dbf4d4391
M 5cff82c735c7543ce6dfb6c52ac72f583dbb5d22
M 6242c682dfce4a2ba4869978c28b14f1472484c1
M 62f994427bdd12863dc987e348eec1e24e6ce849
+M 631ac6ba0765022a0f53500ac986b61cbabca60c
M 63a1088a9253da0452497440e900d35a5415c3c9
M 65c1204abcef8720d4eb985d58e3f865e39a1da3
M 6613e46662317ea151f72e26e5deb4f50148a148
[2/4] cxf git commit: Refactor how we extract "IDs" from delegation
tokens when used for caching
Posted by co...@apache.org.
Refactor how we extract "IDs" from delegation tokens when used for caching
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1a4fe22f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1a4fe22f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1a4fe22f
Branch: refs/heads/3.1.x-fixes
Commit: 1a4fe22fc297f8be204788bcdfcd498e91201a01
Parents: 22a58c3
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 5 11:01:21 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 5 11:41:59 2017 +0100
----------------------------------------------------------------------
.../security/trust/DefaultSTSTokenCacher.java | 40 +++++++++++++++++---
1 file changed, 35 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/1a4fe22f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
index 6fc26f0..c2699fc 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
@@ -19,6 +19,9 @@
package org.apache.cxf.ws.security.trust;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
@@ -33,6 +36,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
public class DefaultSTSTokenCacher implements STSTokenCacher {
@@ -163,16 +167,42 @@ public class DefaultSTSTokenCacher implements STSTokenCacher {
return false;
}
+ // Get an id from the token that is unique to that token
private static String getIdFromToken(Element token) {
if (token != null) {
- // Try to find the "Id" on the token.
- if (token.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
- return token.getAttributeNS(WSConstants.WSU_NS, "Id");
- } else if (token.hasAttributeNS(null, "ID")) {
+ // For SAML tokens get the ID/AssertionID
+ if ("Assertion".equals(token.getLocalName())
+ && WSConstants.SAML2_NS.equals(token.getNamespaceURI())) {
return token.getAttributeNS(null, "ID");
- } else if (token.hasAttributeNS(null, "AssertionID")) {
+ } else if ("Assertion".equals(token.getLocalName())
+ && WSConstants.SAML_NS.equals(token.getNamespaceURI())) {
return token.getAttributeNS(null, "AssertionID");
}
+
+ // For UsernameTokens get the username
+ if (WSConstants.USERNAME_TOKEN_LN.equals(token.getLocalName())
+ && WSConstants.WSSE_NS.equals(token.getNamespaceURI())) {
+ Element usernameElement =
+ XMLUtils.getDirectChildElement(token, WSConstants.USERNAME_LN, WSConstants.WSSE_NS);
+ if (usernameElement != null) {
+ return XMLUtils.getElementText(usernameElement);
+ }
+ }
+
+ // For BinarySecurityTokens take the hash of the value
+ if (WSConstants.BINARY_TOKEN_LN.equals(token.getLocalName())
+ && WSConstants.WSSE_NS.equals(token.getNamespaceURI())) {
+ String text = XMLUtils.getElementText(token);
+ if (text != null && !"".equals(text)) {
+ try {
+ MessageDigest digest = MessageDigest.getInstance("SHA-256");
+ byte[] bytes = digest.digest(text.getBytes());
+ return Base64.getMimeEncoder().encodeToString(bytes);
+ } catch (NoSuchAlgorithmException e) {
+ // SHA-256 must be supported so not going to happen...
+ }
+ }
+ }
}
return "";
}
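Review bot: `text.getBytes()` in the BinarySecurityToken branch hashes with the platform default charset, so the derived cache id for the same token can differ between JVMs; use `text.getBytes(StandardCharsets.UTF_8)` (java.nio.charset, not imported in the hunk above). The UsernameToken branch returns `XMLUtils.getElementText(usernameElement)` directly, whereas the BST branch treats that helper's result as possibly null, so a UsernameToken with an empty Username element can make `getIdFromToken` return null instead of the `""` the method otherwise falls back to; guard it with `String username = XMLUtils.getElementText(usernameElement); if (username != null) { return username; }`. Note that the UsernameToken id is the bare username, so every token for the same user shares one cache entry whatever else the token carries — acceptable only if the callers, which are outside this hunk, only pass tokens that have already been validated. The comment `// Get an id from the token that is unique to that token` overstates this; I would make it `// Derive a cache key from the token: the SAML ID/AssertionID, the UsernameToken username, or a SHA-256 digest of the BinarySecurityToken content; "" when none applies.`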