Posted to commits@servicemix.apache.org by ff...@apache.org on 2009/06/18 11:18:05 UTC

svn commit: r785976 - in /servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src: main/java/org/apache/servicemix/cxfbc/ main/java/org/apache/servicemix/cxfbc/interceptors/ test/resources/org/apache/servicemix/cxfbc...

Author: ffang
Date: Thu Jun 18 09:18:04 2009
New Revision: 785976

URL: http://svn.apache.org/viewvc?rev=785976&view=rev
Log:
[SMXCOMP-572]JbiJAASInterceptor should also support WS-Security X.509 Certificate Token Profile

Modified:
    servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/CxfBcConsumer.java
    servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/interceptors/JbiJAASInterceptor.java
    servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/test/resources/org/apache/servicemix/cxfbc/ws/security/xbean.xml

Modified: servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/CxfBcConsumer.java
URL: http://svn.apache.org/viewvc/servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/CxfBcConsumer.java?rev=785976&r1=785975&r2=785976&view=diff
==============================================================================
--- servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/CxfBcConsumer.java (original)
+++ servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/CxfBcConsumer.java Thu Jun 18 09:18:04 2009
@@ -169,6 +169,8 @@
         
     private ClassLoader suClassLoader;
     
+    private boolean x509;
+    
     /**
      * @return the wsdl
      */
@@ -446,7 +448,7 @@
             cxfService.getInInterceptors().add(
                     new JbiJAASInterceptor(((CxfBcComponent) this
                             .getServiceUnit().getComponent())
-                            .getConfiguration().getAuthenticationService()));
+                            .getConfiguration().getAuthenticationService(), isX509()));
             cxfService.getInInterceptors().add(new JbiInvokerInterceptor());
                 
             cxfService.getInInterceptors().add(new JbiPostInvokerInterceptor());
@@ -1097,4 +1099,20 @@
         return features;
     }
 
+    /**
+     * Specifies if the endpoint use X.509 Certificate to do the authentication.
+     * 
+     * @param x509
+     *            a boolean
+     * @org.apache.xbean.Property description="Specifies if the endpoint use X.509 Certificate to do the authentication.
+     *  Default is <code>false</code>. 
+     */
+    public void setX509(boolean x509) {
+        this.x509 = x509;
+    }
+
+    public boolean isX509() {
+        return x509;
+    }
+
 }
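Review bot: The `@org.apache.xbean.Property description="...` string in the Javadoc of `setX509` opens with a double quote that is never closed, which may truncate or break the description in the generated schema documentation; close it after `Default is <code>false</code>.`. The description should also say what enabling the flag does: judging by the rest of this commit, JbiJAASInterceptor then authenticates the certificate found in the WS-Security results when no UsernameToken was authenticated. `isX509()` has no Javadoc; a one-line comment such as `@return true if X.509 certificate authentication is enabled for this endpoint` would match the setter. The wording "use X.509 Certificate to do the authentication" would read better as "uses an X.509 certificate for authentication".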

Modified: servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/interceptors/JbiJAASInterceptor.java
URL: http://svn.apache.org/viewvc/servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/interceptors/JbiJAASInterceptor.java?rev=785976&r1=785975&r2=785976&view=diff
==============================================================================
--- servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/interceptors/JbiJAASInterceptor.java (original)
+++ servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/interceptors/JbiJAASInterceptor.java Thu Jun 18 09:18:04 2009
@@ -17,6 +17,7 @@
 package org.apache.servicemix.cxfbc.interceptors;
 
 import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Vector;
@@ -39,13 +40,15 @@
     private String domain = "servicemix-domain";
     private AuthenticationService authenticationService;
     private ThreadLocal<Subject> currentSubject = new ThreadLocal<Subject>();
+    private boolean x509;
     
     
-    public JbiJAASInterceptor(AuthenticationService authenticationService) {
+    public JbiJAASInterceptor(AuthenticationService authenticationService, boolean x509) {
         super();
         setPhase(Phase.PRE_PROTOCOL);
         getAfter().add(WSS4JInInterceptor.class.getName());
         this.authenticationService = authenticationService;
+        this.x509 = x509;
     }
     
     
@@ -63,11 +66,17 @@
             if (results == null) {
                 return;
             }
+            
             for (Iterator iter = results.iterator(); iter.hasNext();) {
                 WSHandlerResult hr = (WSHandlerResult) iter.next();
                 if (hr == null || hr.getResults() == null) {
                     return;
                 }
+                boolean authenticated = false;
+                //favor WSSE UsernameToken based authentication over X.509 certificate
+                //based authentication. For that purpose we iterate twice over the
+                //WSHandler result list
+
                 for (Iterator it = hr.getResults().iterator(); it.hasNext();) {
                     WSSecurityEngineResult er = (WSSecurityEngineResult) it.next();
                         
@@ -75,8 +84,21 @@
                         WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)er.getPrincipal();
                         subject.getPrincipals().add(p);
                         this.authenticationService.authenticate(subject, domain, p.getName(), p.getPassword());
+                        authenticated = true;
                     }
                 }
+                //Second iteration checking for X.509 certificate to run authentication on
+                //but only if not already authenticated on WSSE UsernameToken
+                if (!authenticated && x509) {
+                    for (Iterator it = hr.getResults().iterator(); it.hasNext();) {
+                        WSSecurityEngineResult er = (WSSecurityEngineResult) it.next();
+                        if (er != null && er.getCertificate() instanceof X509Certificate) {
+                            X509Certificate cert = er.getCertificate();
+                            this.authenticationService.authenticate(subject, domain, cert.getIssuerX500Principal().getName(), cert);
+                        }
+                    }
+                }
+
             }
             
             message.put(Subject.class, subject);
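Review bot: The X.509 branch passes `cert.getIssuerX500Principal().getName()` as the name to `authenticate`, which is the DN of the issuing CA, so every certificate from the same CA presents the same name; if the authentication service uses that argument to identify the caller, it should be `cert.getSubjectX500Principal().getName()`. The branch also accepts any `WSSecurityEngineResult` that carries a certificate without looking at `er.getAction()`, so it would be safer to accept only results of signature verification (`WSConstants.SIGN`), where possession of the private key has been checked. The loop does not stop after the first successful `authenticate`, so several certificates in one result list are all authenticated into the same `Subject`. The enclosing method starts outside this hunk, and how `authenticationService` interprets the name and the certificate is not visible here.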

Modified: servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/test/resources/org/apache/servicemix/cxfbc/ws/security/xbean.xml
URL: http://svn.apache.org/viewvc/servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/test/resources/org/apache/servicemix/cxfbc/ws/security/xbean.xml?rev=785976&r1=785975&r2=785976&view=diff
==============================================================================
--- servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/test/resources/org/apache/servicemix/cxfbc/ws/security/xbean.xml (original)
+++ servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/test/resources/org/apache/servicemix/cxfbc/ws/security/xbean.xml Thu Jun 18 09:18:04 2009
@@ -46,6 +46,7 @@
                       targetEndpoint="TimestampSignEncrypt"
                       targetService="greeter:SOAPServiceWSSecurity"
 		      targetInterface="greeter:Greeter"
+                      x509="false"
                       >
         <cxfbc:inInterceptors>
           <bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
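Review bot: `x509="false"` only restates the default, so this test configuration never reaches the certificate branch added to JbiJAASInterceptor in this commit. Since that branch decides who the caller is authenticated as, it deserves a test endpoint with `x509="true"` and a signed request, plus a negative case where the certificate is not known to the authentication service. No such test is visible in this commit's list of modified files.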