From ruchi...@apache.org
Subject svn commit: r417952 - in /webservices/axis2/trunk/java/modules: integration/test-resources/rahas/ rahas/src/org/apache/rahas/ rahas/src/org/apache/rahas/impl/
Date Thu, 29 Jun 2006 06:58:07 GMT
Author: ruchithf
Date: Wed Jun 28 23:58:06 2006
New Revision: 417952

URL: http://svn.apache.org/viewvc?rev=417952&view=rev
Log:
Modified the SAML token issuer and the configuration to create its own assertions without
using the SAMLIssuer from WSS4J


Modified:
    webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
    webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java

Modified: webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml?rev=417952&r1=417951&r2=417952&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml
(original)
+++ webservices/axis2/trunk/java/modules/integration/test-resources/rahas/s1-services.xml
Wed Jun 28 23:58:06 2006
@@ -12,17 +12,15 @@
 
     <parameter name="saml-issuer-config">
 		<saml-issuer-config>
-			<samlPropFile>saml.s1.properties</samlPropFile>
 			<user>sts</user>
 			<cryptoProperties>sctIssuer.properties</cryptoProperties>
 			<addRequestedAttachedRef />
 			<addRequestedUnattachedRef />
-			
-			<trusted-services cryptoProperties="sctIssuer.properties">
+			<trusted-services>
 				<service alias="bob">http://localhost:5555/axis2/services/SecureService</service>
-				<service alias="bob1">http://localhost:5555/axis2/services/SecureService</service>
-				<service alias="bob2">http://localhost:5555/axis2/services/SecureService</service>
-				<service alias="bob3">http://localhost:5555/axis2/services/SecureService</service>
+				<service alias="bob1">http://localhost:5555/axis2/services/SecureService1</service>
+				<service alias="bob2">http://localhost:5555/axis2/services/SecureService2</service>
+				<service alias="bob3">http://localhost:5555/axis2/services/SecureService3</service>
 			</trusted-services>
 		</saml-issuer-config>
     </parameter>

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java?rev=417952&r1=417951&r2=417952&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/TrustUtil.java Wed Jun
28 23:58:06 2006
@@ -20,6 +20,7 @@
 import org.apache.axiom.om.impl.dom.DOOMAbstractFactory;
 import org.apache.axiom.soap.SOAP11Constants;
 import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.axis2.context.MessageContext;
 import org.apache.ws.security.message.token.Reference;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.w3c.dom.Document;
@@ -141,5 +142,25 @@
             String ln, String prefix) {
         return parent.getOMFactory().createOMElement(new QName(ns, ln, prefix),
                 parent);
+    }
+    
+    
+    /**
+     * Returns the token store.
+     * If the token store is aleady available in the service context then
+     * fetch it and return it. If not create a new one, hook it up in the 
+     * service context and return it
+     * @param msgCtx
+     * @return
+     */
+    public static TokenStorage getTokenStore(MessageContext msgCtx) {
+        String tempKey = TokenStorage.TOKEN_STORAGE_KEY
+                                + msgCtx.getAxisService().getName();
+        TokenStorage storage = (TokenStorage) msgCtx.getProperty(tempKey);
+        if (storage == null) {
+            storage = new SimpleTokenStore();
+            msgCtx.getConfigurationContext().setProperty(tempKey, storage);
+        }
+        return storage;
     }
 }
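Review bot: The check-then-create in getTokenStore is not atomic, so two concurrent first requests for the same service can both see null, each create a SimpleTokenStore, and the second setProperty overwrites the first, silently dropping any token (and its secret) added in between; the store is also read through `msgCtx.getProperty(tempKey)` but written to the ConfigurationContext, which only works if MessageContext property lookup falls through to that context. Make read and write go through the same holder and serialize the creation, e.g. `synchronized (msgCtx.getConfigurationContext()) { ... }` around the lookup/create, reading with `msgCtx.getConfigurationContext().getProperty(tempKey)`. The Javadoc should say "configuration context" rather than "service context" (that is where the store is put) and fix "aleady"; its `@return` is empty. The same helper is deleted from SCTIssuer in this commit, so a fix here covers both callers.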

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties?rev=417952&r1=417951&r2=417952&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/errors.properties Wed
Jun 28 23:58:06 2006
@@ -37,5 +37,5 @@
 samlPropFileMissing = samlPropFile missing in the SAMLTokenIssuer configuration
 samlConverstionError = Error in converting a SAML token to DOOM 
 samlAssertionCreationError = Error in creating a SAMLToken using opensaml library
-samlMissingTustStore = Missing .properties file to specify the crypto information of the
trusted services
-aliasMissingForService=Certificate alias missing for service : \"{0}\"
\ No newline at end of file
+aliasMissingForService = Certificate alias missing for service : \"{0}\"
+samlInvalidAppliesToValue = Invalid wst:AppliesTo value, right now Rahas SAML token issuer
expects the service epr address to be the value

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java?rev=417952&r1=417951&r2=417952&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
(original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuer.java
Wed Jun 28 23:58:06 2006
@@ -18,35 +18,39 @@
 
 import org.apache.axiom.om.OMElement;
 import org.apache.axiom.om.OMNode;
-import org.apache.axiom.om.impl.dom.DOOMAbstractFactory;
 import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl;
-import org.apache.axiom.soap.SOAP11Constants;
 import org.apache.axiom.soap.SOAPEnvelope;
 import org.apache.axis2.context.MessageContext;
 import org.apache.axis2.description.Parameter;
 import org.apache.rahas.Constants;
+import org.apache.rahas.Token;
 import org.apache.rahas.TokenIssuer;
 import org.apache.rahas.TrustException;
 import org.apache.rahas.TrustUtil;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
 import org.apache.ws.security.message.WSSecEncryptedKey;
-import org.apache.ws.security.saml.SAMLIssuer;
-import org.apache.ws.security.saml.SAMLIssuerFactory;
 import org.opensaml.SAMLAssertion;
+import org.opensaml.SAMLAttribute;
+import org.opensaml.SAMLAttributeStatement;
 import org.opensaml.SAMLException;
+import org.opensaml.SAMLStatement;
 import org.opensaml.SAMLSubject;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
+import javax.xml.namespace.QName;
+
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Date;
 import java.util.Vector;
 
 /**
@@ -79,7 +83,7 @@
         
         //Flag to identify whether we found a cert or not
         Principal principal = null;
-        X509Certificate cert = null;
+        X509Certificate clientCert = null;
         
         Vector results = null;
         if ((results = (Vector) inMsgCtx
@@ -96,7 +100,7 @@
                         (WSSecurityEngineResult) wsSecEngineResults.get(j);
                     if (wser.getAction() == WSConstants.SIGN
                             && wser.getPrincipal() != null) {
-                        cert = wser.getCertificate();
+                        clientCert = wser.getCertificate();
                         principal = wser.getPrincipal();
                     } else if(wser.getAction() == WSConstants.UT
                             && wser.getPrincipal() != null){
@@ -110,15 +114,6 @@
             }
         }
         
-        //Get ApliesTo to figureout which service to issue the token for
-        
-        
-        SOAPEnvelope env = TrustUtil.createSOAPEnvelope(inMsgCtx.getEnvelope()
-                .getNamespace().getName());
-        // Get the document
-        Document doc = ((Element) env).getOwnerDocument();
-
-        
         SAMLTokenIssuerConfig config = null;
         if(this.configElement != null) {
             config = SAMLTokenIssuerConfig
@@ -144,20 +139,43 @@
             }
         }
 
-        
         Crypto crypto = CryptoFactory.getInstance(config.cryptoPropFile,
                 inMsgCtx.getAxisService().getClassLoader());
+        
+        SOAPEnvelope env = TrustUtil.createSOAPEnvelope(inMsgCtx.getEnvelope()
+                .getNamespace().getName());
+        // Get the document
+        Document doc = ((Element) env).getOwnerDocument();
+        
+        byte[] secret = null;
+        
+        Element encryptedKeyElem = null;
+        try {
+            
+            //Get ApliesTo to figureout which service to issue the token for
+            X509Certificate serviceCert = getServiceCert(request, config, crypto);
 
-        SAMLIssuer saml = SAMLIssuerFactory.getInstance(config.samlPropFile);
-        saml.setUsername(config.user);
-        saml.setUserCrypto(crypto);
-        saml.setInstanceDoc(doc);
+            //Ceate the encrypted key
+            WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey();
+    
+            encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
 
-        // Set the DOM impl to DOOM
+            encrKeyBuilder.setUseThisCert(serviceCert);
+            encrKeyBuilder.prepare(doc, crypto);
+            
+            secret = encrKeyBuilder.getEphemeralKey();
+            encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement();
+        } catch (WSSecurityException e) {
+            throw new TrustException(
+                    "errorInBuildingTheEncryptedKeyForPrincipal",
+                    new String[] { clientCert.getSubjectDN().getName()});
+        }
+        
+        //Set the DOM impl to DOOM
         DocumentBuilderFactoryImpl.setDOOMRequired(true);
 
-        SAMLAssertion assertion = saml.newAssertion();
-
+        SAMLAssertion assertion = this.createAssertion(doc, encryptedKeyElem, config);
+        
         OMElement rstrElem = TrustUtil
                 .createRequestSecurityTokenResponseElement(env.getBody());
         OMElement reqSecTokenElem = TrustUtil
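Review bot: The WSSecurityException catch builds the TrustException message from `clientCert.getSubjectDN().getName()`, but clientCert is only assigned in the SIGN branch of the results loop above (the UT branch sets only principal), so a key-wrap failure on a UsernameToken-authenticated request surfaces as a NullPointerException rather than the intended TrustException; the original exception `e` is also dropped, hiding the WSS4J cause. Use the principal for the message and keep the cause, e.g. `new String[] { principal == null ? "unknown" : principal.getName() }`, chaining `e` the way the SAMLException catch below does (`TrustException(String, Throwable)`) if no variant takes both the arguments and a cause. Whether errors.properties defines `errorInBuildingTheEncryptedKeyForPrincipal` is not visible here, since the errors.properties hunk shows only the file's tail. The enclosing method starts before this hunk and ends in the next one.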
@@ -172,43 +190,95 @@
             TrustUtil.createRequestedUnattachedRef(rstrElem, assertion.getId(),
                     Constants.TOK_TYPE_SAML_10);
         }
-
+        
         try {
             Node tempNode = assertion.toDOM();
             reqSecTokenElem.addChild((OMNode) ((Element) rstrElem).getOwnerDocument()
                     .importNode(tempNode, true));
+            
+            //Store the token
+            Token sctToken = new Token(assertion.getId(), (OMElement)assertion.toDOM());
+            //At this point we definitely have the secret
+            //Otherwise it should fail with an exception earlier
+            sctToken.setSecret(secret); 
+            TrustUtil.getTokenStore(inMsgCtx).add(sctToken);
+            
         } catch (SAMLException e) {
             throw new TrustException("samlConverstionError", e);
         }
 
+        
         // Set the DOM impl to DOOM
         DocumentBuilderFactoryImpl.setDOOMRequired(false);
         return env;
     }
     
     /**
+     * Uses the <code>wst:AppliesTo</code> to figure out the certificate to encrypt
the
+     * secret in the SAML token 
+     * @param request
+     * @param config
+     * @param crypto
+     * @throws WSSecurityException
+     * @return
+     */
+    private X509Certificate getServiceCert(OMElement request, SAMLTokenIssuerConfig config,
Crypto crypto) throws WSSecurityException, TrustException {
+        OMElement appliesToElem = request.getFirstChildWithName(new QName(Constants.WSP_NS,
Constants.APPLIES_TO_LN));
+        if(appliesToElem != null) {
+            //Right now we only expect the service epr address to be here
+            String address = appliesToElem.getText().trim();
+            if(address != null && !"".equals(address)) {
+                //figure out the alias from the config
+                String alias = (String)config.trustedServices.get(address);;
+                return (X509Certificate)crypto.getCertificates(alias)[0];
+            } else {
+                throw new TrustException("samlInvalidAppliesToValue");
+            }
+        } else {
+            //Return the STS cert
+            return (X509Certificate)crypto.getCertificates(config.user)[0];
+        }
+        
+    }
+
+    /**
      * 
      * @param secret
      * @return
      */
-    private SAMLAssertion createAssertion(String secret, Document doc, SAMLTokenIssuerConfig
config) throws TrustException {
-
-        //Create the EncryptedKey
-        WSSecEncryptedKey encryptedKeyBuiler = new WSSecEncryptedKey();
-//        encryptedKeyBuiler.prepare(doc, )
-        
+    private SAMLAssertion createAssertion(Document doc, Element encryptedKeyElem, SAMLTokenIssuerConfig
config) throws TrustException {
         try {
-        
-        String[] confirmationMethods = new String[]{SAMLSubject.CONF_HOLDER_KEY};
-        
-        SAMLSubject subject = new SAMLSubject(null, Arrays.asList(confirmationMethods),
-                null,
-                null);
+            String[] confirmationMethods = new String[]{SAMLSubject.CONF_HOLDER_KEY};
+            
+            Element keyInfoElem = doc.createElementNS(WSConstants.SIG_NS, "KeyInfo");
+            ((OMElement)encryptedKeyElem).declareNamespace(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
+            ((OMElement)encryptedKeyElem).declareNamespace(WSConstants.ENC_NS, WSConstants.ENC_PREFIX);
+            
+            keyInfoElem.appendChild(encryptedKeyElem);
+            
+            SAMLSubject subject = new SAMLSubject(null, 
+                    Arrays.asList(confirmationMethods),
+                    null,
+                    keyInfoElem);
+            
+            SAMLAttribute attribute = new SAMLAttribute("Name", 
+                    "https://rahas.apache.org", 
+                    null, -1, Arrays.asList(new String[]{"Colombo/Rahas"}));
+            SAMLAttributeStatement attrStmt = new SAMLAttributeStatement(
+                    subject, Arrays.asList(new SAMLAttribute[] { attribute }));
+            
+            SAMLStatement[] statements = {attrStmt};
+            
+            Date notBefore = new Date();
+            Date notAfter = new Date();
+            return new SAMLAssertion("apache_sts", notAfter,
+                    notBefore, null, null, Arrays.asList(statements));
         } catch (SAMLException e) {
             throw new TrustException("samlAssertionCreationError", e);
         }
-        return null;
     }
+    
+    
 
     /*
      * (non-Javadoc)
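Review bot: getServiceCert does not reject an AppliesTo address that is absent from the trusted-services map: `config.trustedServices.get(address)` returns null for an unknown service and that null alias goes straight into `crypto.getCertificates(alias)[0]`, so an untrusted address is not refused explicitly, the outcome depends on the Crypto implementation, and an empty result array throws ArrayIndexOutOfBoundsException (the `;;` on that line is also a stray semicolon). Because the ephemeral secret is wrapped for whatever certificate comes back, the check should be explicit, and errors.properties already carries `aliasMissingForService` for this case. Separately, createAssertion sets notBefore and notAfter to the same `new Date()`, so the issued assertion's validity window is zero; notAfter should be notBefore plus a configured lifetime, and the javadoc above createAssertion still lists a `secret` parameter that no longer exists.
```java
String alias = (String) config.trustedServices.get(address);
if (alias == null) {
    // AppliesTo names a service this STS does not trust: refuse instead of a null-alias lookup
    throw new TrustException("aliasMissingForService", new String[] { address });
}
X509Certificate[] certs = crypto.getCertificates(alias);
if (certs == null || certs.length == 0) {
    throw new TrustException("aliasMissingForService", new String[] { address });
}
return certs[0];
// … unchanged: samlInvalidAppliesToValue branch and the STS-certificate fallback …
```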

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java?rev=417952&r1=417951&r2=417952&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
(original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
Wed Jun 28 23:58:06 2006
@@ -23,7 +23,6 @@
 
 import javax.xml.namespace.QName;
 
-
 import java.io.FileInputStream;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -39,13 +38,7 @@
      * The QName of the configuration element of the SAMLTokenIssuer
      */
     public final static QName SAML_ISSUER_CONFIG = new QName("saml-issuer-config");
-    
-    /**
-     * Element name to include the .properties file to be used to 
-     * load the SAMLIssuer using WSS4J
-     */
-    private final static QName SAML_PROP_FILE = new QName("samlPropFile");
-    
+        
     /**
      * Element name to include the alias of the private key to sign the response or
      * the issued token
@@ -59,7 +52,6 @@
     private final static QName CRYPTO_PROPERTIES = new QName("cryptoProperties");
     
     private final static QName TRUSTED_SERVICES = new QName("trusted-services");
-    private final static QName TRUST_STORE_CRYPTO_PROPERTIES = new QName("cryptoProperties");
     
     private final static QName SERVICE = new QName("service");
     private final static QName ALIAS = new QName("alias");
@@ -67,7 +59,6 @@
     public final static QName ADD_REQUESTED_ATTACHED_REF = new QName("addRequestedAttachedRef");
     public final static QName ADD_REQUESTED_UNATTACHED_REF = new QName("addRequestedUnattachedRef");
     
-    protected String samlPropFile;
     protected String cryptoPropFile;
     protected String user;
 
@@ -80,23 +71,12 @@
     
     private SAMLTokenIssuerConfig(OMElement elem) throws TrustException {
         
-        //Get the SAML_PROP_FILE
-        OMElement samlPropFileElem = elem.getFirstChildWithName(SAML_PROP_FILE);
-        if(samlPropFileElem != null) {
-            this.samlPropFile = samlPropFileElem.getText().trim();
-        }
-        
-        //If the SAML_PROP_FILE is missing then throw an exception
-        //Without this SAMLtokenIssuer cannot create a SAML token
-        if(this.samlPropFile == null || "".equals(this.samlPropFile)) {
-            throw new TrustException("samlPropFileMissing");
-        }
-        
+        //The alias of the private key 
         OMElement userElem = elem.getFirstChildWithName(USER);
         if(userElem != null) {
             this.user = userElem.getText().trim();
         }
-        
+
         OMElement cryptoPropElem = elem.getFirstChildWithName(CRYPTO_PROPERTIES);
         if(cryptoPropElem != null) {
             this.cryptoPropFile = cryptoPropElem.getText().trim();
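Review bot: With the samlPropFile validation removed, nothing in this hunk checks that `user` is non-empty, and this commit makes it the alias the issuer falls back to for its own certificate when no AppliesTo is given (getServiceCert in SAMLTokenIssuer). If the rest of the constructor, which continues outside this hunk, does not validate it, add `if (this.user == null || "".equals(this.user)) { throw new TrustException("<errors.properties key for a missing user alias>"); }` after the user element is read. The `samlPropFileMissing` entry in errors.properties is presumably unused now that this check is gone.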
@@ -110,16 +90,14 @@
         //Process trusted services
         OMElement trustedServices = elem.getFirstChildWithName(TRUSTED_SERVICES);
         
+        /*
+         * If there are trusted services add them to a list
+         * Only trusts myself to issue tokens to :
+         * In this case the STS is embedded in the service as well and 
+         * the issued token can only be used with that particular service
+         * since the response secret is encrypted by the service's public key
+         */
         if(trustedServices != null) {
-            //Extract the trust store properties
-            OMAttribute trustStorePropertiesAttr = 
-                trustedServices.getAttribute(TRUST_STORE_CRYPTO_PROPERTIES);
-            if(trustStorePropertiesAttr != null) {
-                this.trustStorePropFile = trustStorePropertiesAttr.getAttributeValue();
-            } else {
-                throw new TrustException("samlMissingTustStore");
-            }
-            
             //Now process the trusted services
             Iterator servicesIter = trustedServices.getChildrenWithName(SERVICE);
             while (servicesIter.hasNext()) {
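Review bot: The comment block moved above `if(trustedServices != null)` describes the case where no trusted services are configured ("Only trusts myself to issue tokens to: the STS is embedded in the service"), but it now sits over the branch that handles a configured service list, so it documents the opposite case from the code it annotates. Either move it back to the (now empty) else branch or reword it, e.g. `// Map each trusted service address to its certificate alias; with no trusted-services element the STS only issues tokens for itself, wrapping the secret with its own certificate.`. Since the cryptoProperties attribute is dropped here, trusted-service certificates are presumably resolved through the issuer's own cryptoProperties store (per the SAMLTokenIssuer change in this commit), which is worth stating because the deployment now needs those certificates in that keystore. The `trustStorePropFile` field the removed lines assigned is not deleted in this diff; if nothing else sets it, it is now dead.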
@@ -141,15 +119,8 @@
             //throw an exception when there are no trusted in the list at the 
             //moment
             
-        } else {
-            /*
-             * Only trusts myself to issue tokens to :
-             * In this case the STS is embedded in the service as well and 
-             * the issued token can only be used with that particular service
-             * since the response secret is encrypted by the service's public key
-             */
-            
         }
+            
     }
     
     public static SAMLTokenIssuerConfig load(OMElement elem) throws TrustException {

Modified: webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java?rev=417952&r1=417951&r2=417952&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java (original)
+++ webservices/axis2/trunk/java/modules/rahas/src/org/apache/rahas/impl/SCTIssuer.java Wed
Jun 28 23:58:06 2006
@@ -207,7 +207,7 @@
         //Store the tokens
         Token sctToken = new Token(sct.getIdentifier(), (OMElement)sct.getElement());
         sctToken.setSecret(secret);
-        this.getTokenStore(msgCtx).add(sctToken);
+        TrustUtil.getTokenStore(msgCtx).add(sctToken);
         
         return env;
     }
@@ -270,7 +270,7 @@
         Token sctToken = new Token(sct.getIdentifier(), (OMElement) sct
                 .getElement());
         sctToken.setSecret(encrKeyBuilder.getEphemeralKey());
-        this.getTokenStore(msgCtx).add(sctToken);
+        TrustUtil.getTokenStore(msgCtx).add(sctToken);
         
         return env;
     }
@@ -291,25 +291,6 @@
      */
     public void setConfigurationElement(OMElement configElement) {
         this.configElement = configElement;
-    }
-    
-    /**
-     * Returns the token store.
-     * If the token store is aleady available in the service context then
-     * fetch it and return it. If not create a new one, hook it up in the 
-     * service context and return it
-     * @param msgCtx
-     * @return
-     */
-    private TokenStorage getTokenStore(MessageContext msgCtx) {
-        String tempKey = TokenStorage.TOKEN_STORAGE_KEY
-                                + msgCtx.getAxisService().getName();
-        TokenStorage storage = (TokenStorage) msgCtx.getProperty(tempKey);
-        if (storage == null) {
-            storage = new SimpleTokenStore();
-            msgCtx.getConfigurationContext().setProperty(tempKey, storage);
-        }
-        return storage;
     }
 
     /**




