Posted to commits@cxf.apache.org by co...@apache.org on 2013/07/01 15:29:47 UTC
svn commit: r1498434 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandle...
Author: coheigea
Date: Mon Jul 1 13:29:47 2013
New Revision: 1498434
URL: http://svn.apache.org/r1498434
Log:
More streaming Kerberos work
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/StaxKerberosTokenTest.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java?rev=1498434&r1=1498433&r2=1498434&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java Mon Jul 1 13:29:47 2013
@@ -278,13 +278,7 @@ public class KerberosTokenInterceptorPro
KerberosServiceSecurityToken kerberosToken =
((KerberosTokenSecurityEvent)event).getSecurityToken();
if (kerberosToken != null) {
- SecurityToken token = new SecurityToken(kerberosToken.getId());
- token.setTokenType(kerberosToken.getKerberosTokenValueType());
-
- byte[] secret = getSecretKeyFromToken(kerberosToken);
- token.setSecret(secret);
- getTokenStore(message).add(token);
- message.getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
+ storeKerberosToken(message, kerberosToken);
}
}
} else {
@@ -299,6 +293,27 @@ public class KerberosTokenInterceptorPro
}
}
+ private void storeKerberosToken(Message message, KerberosServiceSecurityToken kerberosToken) {
+ SecurityToken token = new SecurityToken(kerberosToken.getId());
+ token.setTokenType(kerberosToken.getKerberosTokenValueType());
+
+ SecretKey secretKey = getSecretKeyFromToken(kerberosToken);
+ token.setKey(secretKey);
+ if (secretKey != null) {
+ token.setSecret(secretKey.getEncoded());
+ }
+
+ byte[] ticket = kerberosToken.getBinaryContent();
+ try {
+ token.setSHA1(Base64.encode(WSSecurityUtil.generateDigest(ticket)));
+ } catch (WSSecurityException e) {
+ // Just consume this for now as it isn't critical...
+ }
+
+ getTokenStore(message).add(token);
+ message.getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
+ }
+
private SecurityEvent findKerberosEvent(Message message) {
@SuppressWarnings("unchecked")
final List<SecurityEvent> incomingEventList =
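Review bot: The empty `catch (WSSecurityException e)` in `storeKerberosToken` drops a digest failure without a trace, so the token is stored with no SHA-1 identifier and nothing in the logs says why. This commit also makes StaxSymmetricBindingHandler select the `KerberosSHA1` key identifier on the recipient side, so a missing identifier would presumably surface later as a failed lookup, far from its cause. Log the exception inside the catch with whatever logger the class uses (none is visible in this hunk), e.g. `LOG.log(Level.FINE, e.getMessage(), e);`. The token is also added to the store when `secretKey` is null; a comment stating whether a keyless token is intended would help the next reader.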
@@ -314,13 +329,13 @@ public class KerberosTokenInterceptorPro
return null;
}
- private byte[] getSecretKeyFromToken(KerberosServiceSecurityToken kerberosToken) {
+ private SecretKey getSecretKeyFromToken(KerberosServiceSecurityToken kerberosToken) {
try {
Map<String, Key> secretKeys = kerberosToken.getSecretKey();
if (secretKeys != null) {
for (String key : kerberosToken.getSecretKey().keySet()) {
if (secretKeys.get(key) instanceof SecretKey) {
- return ((SecretKey)secretKeys.get(key)).getEncoded();
+ return (SecretKey)secretKeys.get(key);
}
}
}
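Review bot: The loop around the changed `return` calls `kerberosToken.getSecretKey()` a second time and looks each entry up twice; iterating the values of the map already held in `secretKeys` is simpler: `for (Key k : secretKeys.values()) { if (k instanceof SecretKey) { return (SecretKey)k; } }`. The method now hands back the key object that `storeKerberosToken` places on the token, so a short Javadoc line saying that it returns the first `SecretKey` in map order, and what it returns when there is none, would be useful. The method body continues outside the hunk, so the fall-through value is not visible here.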
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java?rev=1498434&r1=1498433&r2=1498434&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java Mon Jul 1 13:29:47 2013
@@ -369,14 +369,16 @@ public class WSS4JStaxInInterceptor exte
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
- WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
-
- String id = pc.getIdentifier();
- SecurityToken tok = store.getToken(id);
- if (tok != null) {
- pc.setKey(tok.getSecret());
- pc.setCustomToken(tok.getToken());
- return;
+ if (callbacks[i] instanceof WSPasswordCallback) {
+ WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
+
+ String id = pc.getIdentifier();
+ SecurityToken tok = store.getToken(id);
+ if (tok != null) {
+ pc.setKey(tok.getSecret());
+ pc.setCustomToken(tok.getToken());
+ return;
+ }
}
}
if (internal != null) {
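Review bot: A callback that is not a `WSPasswordCallback` is now skipped silently in the loop of `handle`, where the unconditional cast previously failed with a ClassCastException. The method declares `UnsupportedCallbackException`; if the `internal` handler below is null, such callbacks appear to return unhandled, so either throw that exception in that case or add a comment stating that unknown callback types are deliberately left to `internal`. A comment is also warranted on the `return` after the first matching token, since later entries in `callbacks` are then never processed. The body of `handle` continues outside the hunk.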
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java?rev=1498434&r1=1498433&r2=1498434&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java Mon Jul 1 13:29:47 2013
@@ -72,6 +72,7 @@ import org.apache.xml.security.stax.impl
import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
+import org.apache.xml.security.stax.securityToken.SecurityTokenConstants.TokenType;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
import org.apache.xml.security.utils.Base64;
@@ -351,6 +352,8 @@ public class StaxSymmetricBindingHandler
if (isRequestor()) {
config.put(ConfigurationConstants.ENC_KEY_ID,
getKeyIdentifierType(recToken, encrToken));
+ } else if (recToken.getToken() instanceof KerberosToken && !isRequestor()) {
+ config.put(ConfigurationConstants.ENC_KEY_ID, "KerberosSHA1");
} else {
config.put(ConfigurationConstants.ENC_KEY_ID, "EncryptedKeySHA1");
}
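Review bot: The `&& !isRequestor()` in the new `else if` is redundant, because this branch is only reached when the preceding `if (isRequestor())` was false; `} else if (recToken.getToken() instanceof KerberosToken) {` says the same thing. The second use in the next hunk (`policyToken instanceof KerberosToken && !isRequestor()`) may or may not be redundant, as its enclosing condition lies outside that hunk. The literal `"KerberosSHA1"` now appears in both hunks, and a private constant would keep the two in step. The enclosing method starts and ends outside the hunk.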
@@ -422,6 +425,8 @@ public class StaxSymmetricBindingHandler
} else {
config.put(ConfigurationConstants.SIG_KEY_ID, "EncryptedKeySHA1");
}
+ } else if (policyToken instanceof KerberosToken && !isRequestor()) {
+ config.put(ConfigurationConstants.SIG_KEY_ID, "KerberosSHA1");
}
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
@@ -538,8 +543,14 @@ public class StaxSymmetricBindingHandler
}
private void storeSecurityToken(SecurityToken tok) {
+ TokenType tokenType = WSSecurityTokenConstants.EncryptedKeyToken;
+ if (tok.getTokenType() != null
+ && tok.getTokenType().startsWith(WSSConstants.NS_KERBEROS11_TOKEN_PROFILE)) {
+ tokenType = WSSecurityTokenConstants.KerberosToken;
+ }
+
final GenericOutboundSecurityToken encryptedKeySecurityToken =
- new GenericOutboundSecurityToken(tok.getId(), WSSecurityTokenConstants.EncryptedKeyToken, tok.getKey());
+ new GenericOutboundSecurityToken(tok.getId(), tokenType, tok.getKey());
final SecurityTokenProvider<OutboundSecurityToken> encryptedKeySecurityTokenProvider =
new SecurityTokenProvider<OutboundSecurityToken>() {
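Review bot: The locals `encryptedKeySecurityToken` and `encryptedKeySecurityTokenProvider` in `storeSecurityToken` are now misnamed, since the token built here may carry `WSSecurityTokenConstants.KerberosToken`; neutral names such as `outboundSecurityToken` would match what the code does. A one-line comment above the `startsWith` test would also help, e.g. `// Kerberos tokens are recognised by their token-profile namespace prefix; anything else is treated as an EncryptedKey`. The method body continues outside the hunk.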
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java?rev=1498434&r1=1498433&r2=1498434&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java Mon Jul 1 13:29:47 2013
@@ -44,6 +44,8 @@ import org.junit.BeforeClass;
*
* See here for more information:
* http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html
+ *
+ * It tests both DOM + StAX clients against the DOM server
*/
@org.junit.Ignore
public class KerberosTokenTest extends AbstractBusClientServerTestBase {
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/StaxKerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/StaxKerberosTokenTest.java?rev=1498434&r1=1498433&r2=1498434&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/StaxKerberosTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/StaxKerberosTokenTest.java Mon Jul 1 13:29:47 2013
@@ -102,7 +102,7 @@ public class StaxKerberosTokenTest exten
((java.io.Closeable)kerberosPort).close();
bus.shutdown(true);
}
- /*
+
@org.junit.Test
public void testKerberosOverSymmetric() throws Exception {
@@ -125,8 +125,12 @@ public class StaxKerberosTokenTest exten
updateAddressPort(kerberosPort, PORT);
- int result = kerberosPort.doubleIt(25);
- assertTrue(result == 50);
+ // DOM
+ kerberosPort.doubleIt(25);
+
+ // Streaming
+ SecurityTestUtil.enableStreaming(kerberosPort);
+ kerberosPort.doubleIt(25);
((java.io.Closeable)kerberosPort).close();
bus.shutdown(true);
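Review bot: The re-enabled test no longer checks the service result: `int result = kerberosPort.doubleIt(25); assertTrue(result == 50);` became bare `kerberosPort.doubleIt(25);` calls, so a response that is processed into a wrong value still passes as long as nothing throws. Keep the assertion on both the DOM and the streaming call, e.g. `assertTrue(kerberosPort.doubleIt(25) == 50);`. The same applies to the two later hunks of this file (`@@ -154,13` and `@@ -270,13`). The test method starts and ends outside this hunk.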
@@ -154,13 +158,16 @@ public class StaxKerberosTokenTest exten
updateAddressPort(kerberosPort, PORT);
- int result = kerberosPort.doubleIt(25);
- assertTrue(result == 50);
+ // DOM
+ kerberosPort.doubleIt(25);
+
+ // Streaming
+ SecurityTestUtil.enableStreaming(kerberosPort);
+ kerberosPort.doubleIt(25);
((java.io.Closeable)kerberosPort).close();
bus.shutdown(true);
}
- */
@org.junit.Test
public void testKerberosOverAsymmetric() throws Exception {
@@ -252,7 +259,7 @@ public class StaxKerberosTokenTest exten
((java.io.Closeable)kerberosPort).close();
bus.shutdown(true);
}
- /*
+
@org.junit.Test
public void testKerberosOverSymmetricProtection() throws Exception {
@@ -270,13 +277,18 @@ public class StaxKerberosTokenTest exten
service.getPort(portQName, DoubleItPortType.class);
updateAddressPort(kerberosPort, PORT);
- int result = kerberosPort.doubleIt(25);
- assertTrue(result == 50);
+
+ // DOM
+ kerberosPort.doubleIt(25);
+
+ // TODO Streaming
+ // SecurityTestUtil.enableStreaming(kerberosPort);
+ // kerberosPort.doubleIt(25);
((java.io.Closeable)kerberosPort).close();
bus.shutdown(true);
}
-
+ /*
@org.junit.Test
public void testKerberosOverSymmetricDerivedProtection() throws Exception {