cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From asold...@apache.org
Subject svn commit: r1030508 - in /cxf/branches/2.3.x-fixes: ./ common/common/src/main/java/org/apache/cxf/common/security/ rt/core/src/main/java/org/apache/cxf/interceptor/security/ rt/core/src/test/java/org/apache/cxf/interceptor/security/ rt/ws/security/src...
Date Wed, 03 Nov 2010 15:58:36 GMT
Author: asoldano
Date: Wed Nov  3 15:58:35 2010
New Revision: 1030508

URL: http://svn.apache.org/viewvc?rev=1030508&view=rev
Log:
Merged revisions 1022599,1022866,1022884 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1022599 | sergeyb | 2010-10-14 18:22:13 +0200 (Thu, 14 Oct 2010) | 1 line
  
  [CXF-3063] : Initial code for using WSSE tokens for authorization decisions without extending
WSS4JInInterceptor
........
  r1022866 | sergeyb | 2010-10-15 11:29:50 +0200 (Fri, 15 Oct 2010) | 1 line
  
  [CXF-3063] : fixing unit tests
........
  r1022884 | sergeyb | 2010-10-15 13:04:01 +0200 (Fri, 15 Oct 2010) | 1 line
  
  [CXF-3063] : Support for existing custom AbstractUsernameTokenAuthenticating subclasses
........

Added:
    cxf/branches/2.3.x-fixes/common/common/src/main/java/org/apache/cxf/common/security/SecurityToken.java
      - copied unchanged from r1022884, cxf/trunk/common/common/src/main/java/org/apache/cxf/common/security/SecurityToken.java
    cxf/branches/2.3.x-fixes/common/common/src/main/java/org/apache/cxf/common/security/TokenType.java
      - copied unchanged from r1022884, cxf/trunk/common/common/src/main/java/org/apache/cxf/common/security/TokenType.java
    cxf/branches/2.3.x-fixes/common/common/src/main/java/org/apache/cxf/common/security/UsernameToken.java
      - copied unchanged from r1022884, cxf/trunk/common/common/src/main/java/org/apache/cxf/common/security/UsernameToken.java
    cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractSecurityContextInInterceptor.java
      - copied unchanged from r1022884, cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractSecurityContextInInterceptor.java
    cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractUsernameTokenInInterceptor.java
      - copied unchanged from r1022884, cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractUsernameTokenInInterceptor.java
    cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/DefaultSecurityContext.java
      - copied unchanged from r1022884, cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DefaultSecurityContext.java
    cxf/branches/2.3.x-fixes/rt/core/src/test/java/org/apache/cxf/interceptor/security/DefaultSecurityContextTest.java
      - copied unchanged from r1022884, cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/DefaultSecurityContextTest.java
    cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DelegatingCallbackHandler.java
      - copied unchanged from r1022884, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DelegatingCallbackHandler.java
    cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenProcessorWithoutCallbacks.java
      - copied unchanged from r1022884, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenProcessorWithoutCallbacks.java
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationLegacyTest.java
      - copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationLegacyTest.java
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/AuthorizedServer2.java
      - copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/AuthorizedServer2.java
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleSubjectCreatingInterceptor.java
      - copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleSubjectCreatingInterceptor.java
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleUsernameTokenInterceptor.java
      - copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleUsernameTokenInterceptor.java
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized_2.xml
      - copied unchanged from r1022884, cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized_2.xml
Removed:
    cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultSecurityContextTest.java
Modified:
    cxf/branches/2.3.x-fixes/   (props changed)
    cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
    cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
    cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml
    cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml

Propchange: cxf/branches/2.3.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Nov  3 15:58:35 2010
@@ -1 +1 @@
-/cxf/trunk:1027274,1027462,1027509,1027553,1027599,1030053,1030189
+/cxf/trunk:1022599-1022884,1027274,1027462,1027509,1027553,1027599,1030053,1030189

Propchange: cxf/branches/2.3.x-fixes/
------------------------------------------------------------------------------
--- svnmerge-integrated (original)
+++ svnmerge-integrated Wed Nov  3 15:58:35 2010
@@ -1 +1 @@
-/cxf/trunk:1-1022129,1022154,1022194,1022401-1022402,1022911,1023068,1023121,1023597-1026352,1026549,1026551,1027244,1027269,1027274,1027462,1027509,1027553,1027599,1028170,1029943,1030053,1030189
+/cxf/trunk:1-1022129,1022154,1022194,1022401-1022402,1022599-1022884,1022911,1023068,1023121,1023597-1026352,1026549,1026551,1027244,1027269,1027274,1027462,1027509,1027553,1027599,1028170,1029943,1030053,1030189

Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Wed Nov  3 15:58:35 2010
@@ -31,6 +31,7 @@ public final class SecurityConstants {
     public static final String USERNAME = "ws-security.username";
     public static final String PASSWORD = "ws-security.password";
     public static final String VALIDATE_PASSWORD = "ws-security.validate.password";
+    public static final String USERNAME_TOKEN_NO_CALLBACKS = "ws-security.ut.no-callbacks";
     
     public static final String CALLBACK_HANDLER = "ws-security.callback-handler";
     

Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
(original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
Wed Nov  3 15:58:35 2010
@@ -22,33 +22,28 @@ import java.io.IOException;
 import java.security.Principal;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Vector;
-import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.xml.namespace.QName;
 
-import org.w3c.dom.Element;
-
+import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.security.SecurityToken;
+import org.apache.cxf.common.security.UsernameToken;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDocInfo;
 import org.apache.ws.security.WSPasswordCallback;
-import org.apache.ws.security.WSSConfig;
 import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.WSUsernameTokenPrincipal;
-import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.message.token.UsernameToken;
 import org.apache.ws.security.processor.Processor;
 
 
@@ -69,8 +64,7 @@ import org.apache.ws.security.processor.
  * an application is expected to provide a password callback handler for decrypting the token
only.     
  *
  */
-public abstract class AbstractUsernameTokenAuthenticatingInterceptor extends WSS4JInInterceptor

-    implements Processor {
+public abstract class AbstractUsernameTokenAuthenticatingInterceptor extends WSS4JInInterceptor
{
     
     private static final Logger LOG = 
         LogUtils.getL7dLogger(AbstractUsernameTokenAuthenticatingInterceptor.class);
@@ -78,11 +72,12 @@ public abstract class AbstractUsernameTo
     private boolean supportDigestPasswords;
     
     public AbstractUsernameTokenAuthenticatingInterceptor() {
-        super();
+        this(new HashMap<String, Object>());
     }
     
     public AbstractUsernameTokenAuthenticatingInterceptor(Map<String, Object> properties)
{
         super(properties);
+        getAfter().add(PolicyBasedWSS4JInInterceptor.class.getName());
     }
     
     public void setSupportDigestPasswords(boolean support) {
@@ -94,6 +89,23 @@ public abstract class AbstractUsernameTo
     }
     
     @Override
+    public void handleMessage(SoapMessage msg) throws Fault {
+        SecurityToken token = msg.get(SecurityToken.class);
+        SecurityContext context = msg.get(SecurityContext.class);
+        if (token == null || context == null || context.getUserPrincipal() == null) {
+            super.handleMessage(msg);
+            return;
+        }
+        UsernameToken ut = (UsernameToken)token;
+        
+        Subject subject = createSubject(ut.getName(), ut.getPassword(), ut.isHashed(),
+                                        ut.getNonce(), ut.getCreatedTime());
+        
+        SecurityContext sc = doCreateSecurityContext(context.getUserPrincipal(), subject);
+        msg.put(SecurityContext.class, sc);
+    }
+    
+    @Override
     protected SecurityContext createSecurityContext(final Principal p) {
         Message msg = PhaseInterceptorChain.getCurrentMessage();
         if (msg == null) {
@@ -130,11 +142,15 @@ public abstract class AbstractUsernameTo
         try {
             subject = createSubject(name, password, isDigest, nonce, created);
         } catch (Exception ex) {
-            throw new WSSecurityException("Failed Authentication : Subject has not been created",
ex);
+            String errorMessage = "Failed Authentication : Subject has not been created";
+            LOG.severe(errorMessage);
+            throw new WSSecurityException(errorMessage, ex);
         }
         if (subject == null || subject.getPrincipals().size() == 0
             || !subject.getPrincipals().iterator().next().getName().equals(name)) {
-            throw new WSSecurityException("Failed Authentication : Invalid Subject");
+            String errorMessage = "Failed Authentication : Invalid Subject";
+            LOG.severe(errorMessage);
+            throw new WSSecurityException(errorMessage);
         }
         msg.put(Subject.class, subject);
     }
@@ -164,7 +180,7 @@ public abstract class AbstractUsernameTo
      * 
      */
     @Override
-    protected CallbackHandler getCallback(RequestData reqData, int doAction) 
+    protected CallbackHandler getCallback(RequestData reqData, int doAction, boolean utNoCallbacks)

         throws WSSecurityException {
         
         // Given that a custom UT processor is used for dealing with digests 
@@ -174,63 +190,46 @@ public abstract class AbstractUsernameTo
         if ((doAction & WSConstants.UT) != 0) {
             CallbackHandler pwdCallback = null;
             try {
-                pwdCallback = super.getCallback(reqData, doAction);
+                pwdCallback = super.getCallback(reqData, doAction, false);
             } catch (Exception ex) {
                 // ignore
             }
-            return new DelegatingCallbackHandler(pwdCallback);
+            return new SubjectCreatingCallbackHandler(pwdCallback);
         }
         
-        return super.getCallback(reqData, doAction);
+        return super.getCallback(reqData, doAction, false);
     }
     
     @Override 
-    protected WSSecurityEngine getSecurityEngine() {
+    protected WSSecurityEngine getSecurityEngine(boolean utNoCallbacks) {
         if (!supportDigestPasswords) {
-            return super.getSecurityEngine();
+            return super.getSecurityEngine(true);
         }
         Map<QName, Object> profiles = new HashMap<QName, Object>(3);
-        profiles.put(new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN), this);
-        profiles.put(new QName(WSConstants.WSSE11_NS, WSConstants.USERNAME_TOKEN_LN), this);
+        
+        Processor processor = new CustomUsernameTokenProcessor();
+        profiles.put(new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN), processor);
+        profiles.put(new QName(WSConstants.WSSE11_NS, WSConstants.USERNAME_TOKEN_LN), processor);
         return createSecurityEngine(profiles);
     }
     
-    public void handleToken(Element elem, 
-                            Crypto crypto, 
-                            Crypto decCrypto, 
-                            CallbackHandler cb, 
-                            WSDocInfo wsDocInfo, 
-                            Vector returnResults, 
-                            WSSConfig config) throws WSSecurityException {
-        new CustomUsernameTokenProcessor().handleToken(elem, crypto, decCrypto, cb, wsDocInfo,

-                                                       returnResults, config);
-    }
-    
-    
-    protected class DelegatingCallbackHandler implements CallbackHandler {
+    protected class SubjectCreatingCallbackHandler extends DelegatingCallbackHandler {
 
-        private CallbackHandler pwdHandler;
-        
-        public DelegatingCallbackHandler(CallbackHandler pwdHandler) {
-            this.pwdHandler = pwdHandler;
+        public SubjectCreatingCallbackHandler(CallbackHandler pwdHandler) {
+            super(pwdHandler);
         }
         
-        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
-            for (Callback c : callbacks) {
-                if (c instanceof WSPasswordCallback) {
-                    WSPasswordCallback pc = (WSPasswordCallback)c;
-                    if (WSConstants.PASSWORD_TEXT.equals(pc.getPasswordType()) 
-                        && pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)
{
-                        AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
-                            pc.getIdentifier(), pc.getPassword(), false, null, null);
-                    } else if (pwdHandler != null) {
-                        pwdHandler.handle(callbacks);
-                    }
-                }
+        @Override
+        protected void handleCallback(Callback c) throws IOException {
+            if (c instanceof WSPasswordCallback) {
+                WSPasswordCallback pc = (WSPasswordCallback)c;
+                if (WSConstants.PASSWORD_TEXT.equals(pc.getPasswordType()) 
+                    && pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)
{
+                    AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
+                        pc.getIdentifier(), pc.getPassword(), false, null, null);
+                } 
             }
-            
         }
-        
     }
     
     /**
@@ -239,56 +238,18 @@ public abstract class AbstractUsernameTo
      * override its handleUsernameToken only. 
      *
      */
-    private class CustomUsernameTokenProcessor implements Processor {
-        
-        private String utId;
-        private UsernameToken ut;
-        
-        @SuppressWarnings("unchecked")
-        public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler
cb, 
-            WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException
{
-            if (LOG.isLoggable(Level.FINE)) {
-                LOG.fine("Found UsernameToken list element");
-            }
-            
-            Principal principal = handleUsernameToken((Element) elem, cb);
-            returnResults.add(
-                0, 
-                new WSSecurityEngineResult(WSConstants.UT, principal, null, null, null)
-            );
-            utId = ut.getID();
-        }
+    protected class CustomUsernameTokenProcessor extends UsernameTokenProcessorWithoutCallbacks
{
         
-        private WSUsernameTokenPrincipal handleUsernameToken(
-            Element token, CallbackHandler cb) throws WSSecurityException {
-            //
-            // Parse the UsernameToken element
-            //
-            ut = new UsernameToken(token, false);
-            String user = ut.getName();
-            String password = ut.getPassword();
-            String nonce = ut.getNonce();
-            String createdTime = ut.getCreated();
-            String pwType = ut.getPasswordType();
-            if (LOG.isLoggable(Level.FINE)) {
-                LOG.fine("UsernameToken user " + user);
-                LOG.fine("UsernameToken password " + password);
-            }
-            
+        @Override
+        protected WSUsernameTokenPrincipal createPrincipal(String user, 
+                                                           String password,
+                                                           boolean isHashed,
+                                                           String nonce,
+                                                           String createdTime,
+                                                           String pwType) throws WSSecurityException
{
             AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
-                user, password, ut.isHashed(), nonce, createdTime);    
-            
-            WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(user, ut.isHashed());
-            principal.setNonce(nonce);
-            principal.setPassword(password);
-            principal.setCreatedTime(createdTime);
-            principal.setPasswordType(pwType);
-
-            return principal;
-        }
-
-        public String getId() {
-            return utId;
+                 user, password, isHashed, nonce, createdTime);
+            return super.createPrincipal(user, password, isHashed, nonce, createdTime, pwType);
         }
     }
     

Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Wed Nov  3 15:58:35 2010
@@ -455,7 +455,7 @@ public class PolicyBasedWSS4JInIntercept
     }
     
     protected void doResults(SoapMessage msg, String actor, 
-                             SOAPMessage doc, Vector results) 
+                             SOAPMessage doc, Vector results, boolean utWithCallbacks) 
         throws SOAPException, XMLStreamException, WSSecurityException {
         
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
@@ -502,12 +502,15 @@ public class PolicyBasedWSS4JInIntercept
                     for (AssertionInfo ai : ais) {
                         ai.setAsserted(true);
                     }
-                    WSUsernameTokenPrincipal princ 
-                        = (WSUsernameTokenPrincipal)wser.get(WSSecurityEngineResult.TAG_PRINCIPAL);
-                    for (AssertionInfo ai : ais) {
-                        UsernameToken tok = (UsernameToken)ai.getAssertion();
-                        if (tok.isHashPassword() != princ.isPasswordDigest()) {
-                            ai.setNotAsserted("Password hashing policy not enforced");
+                    
+                    if (utWithCallbacks) {
+                        WSUsernameTokenPrincipal princ 
+                            = (WSUsernameTokenPrincipal)wser.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                        for (AssertionInfo ai : ais) {
+                            UsernameToken tok = (UsernameToken)ai.getAssertion();
+                            if (tok.isHashPassword() != princ.isPasswordDigest()) {
+                                ai.setNotAsserted("Password hashing policy not enforced");
+                            }
                         }
                     }
                 }
@@ -557,7 +560,7 @@ public class PolicyBasedWSS4JInIntercept
             assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         }
         
-        super.doResults(msg, actor, doc, results);
+        super.doResults(msg, actor, doc, results, utWithCallbacks);
     }
     private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, SOAPMessage doc)

         throws SOAPException {

Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
(original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
Wed Nov  3 15:58:35 2010
@@ -45,6 +45,7 @@ import org.apache.cxf.headers.Header;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.security.SecurityContext;

Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Wed Nov  3 15:58:35 2010
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j
 import java.io.IOException;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Vector;
@@ -46,9 +47,11 @@ import org.apache.cxf.binding.soap.saaj.
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.i18n.Message;
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.security.UsernameToken;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.StaxUtils;
@@ -149,13 +152,17 @@ public class WSS4JInInterceptor extends 
             return;
         }
         msg.put(SECURITY_PROCESSED, Boolean.TRUE);
+        
+        boolean utWithCallbacks = 
+            !MessageUtils.getContextualBoolean(msg, SecurityConstants.USERNAME_TOKEN_NO_CALLBACKS,
false);
+        
         WSSConfig config = (WSSConfig)msg.getContextualProperty(WSSConfig.class.getName());

         WSSecurityEngine engine;
         if (config != null) {
             engine = new WSSecurityEngine();
             engine.setWssConfig(config);
         } else {
-            engine = getSecurityEngine();
+            engine = getSecurityEngine(utWithCallbacks);
         }
         
         SOAPMessage doc = getSOAPMessage(msg);
@@ -192,7 +199,7 @@ public class WSS4JInInterceptor extends 
 
             String actor = (String)getOption(WSHandlerConstants.ACTOR);
 
-            CallbackHandler cbHandler = getCallback(reqData, doAction);
+            CallbackHandler cbHandler = getCallback(reqData, doAction, utWithCallbacks);
 
             /*
              * Get and check the Signature specific parameters first because
@@ -225,7 +232,7 @@ public class WSS4JInInterceptor extends 
                 checkSignatures(msg, reqData, wsResult);
                 checkTimestamps(msg, reqData, wsResult);
                 checkActions(msg, reqData, wsResult, actions);
-                doResults(msg, actor, doc, wsResult);
+                doResults(msg, actor, doc, wsResult, utWithCallbacks);
             } else { // no security header found
                 // Create an empty result vector to pass into the required validation
                 // methods.
@@ -360,8 +367,14 @@ public class WSS4JInInterceptor extends 
     protected void computeAction(SoapMessage msg, RequestData reqData) {
         
     }
+
     protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
         throws SOAPException, XMLStreamException, WSSecurityException {
+        doResults(msg, actor, doc, wsResult, false);
+    }
+
+    protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult,

+        boolean utWithCallbacks) throws SOAPException, XMLStreamException, WSSecurityException
{
         /*
          * All ok up to this point. Now construct and setup the security result
          * structure. The service may fetch this and check it.
@@ -405,7 +418,18 @@ public class WSS4JInInterceptor extends 
         for (WSSecurityEngineResult o : CastUtils.cast(wsResult, WSSecurityEngineResult.class))
{
             final Principal p = (Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
             if (p != null) {
-                msg.put(PRINCIPAL_RESULT, p);                   
+                msg.put(PRINCIPAL_RESULT, p);
+                if (!utWithCallbacks && p instanceof WSUsernameTokenPrincipal) {
+                    WSUsernameTokenPrincipal utp = (WSUsernameTokenPrincipal)p;
+                    msg.put(org.apache.cxf.common.security.SecurityToken.class, 
+                            new UsernameToken(utp.getName(),
+                                              utp.getPassword(),
+                                              utp.getPasswordType(),
+                                              utp.isPasswordDigest(),
+                                              utp.getNonce(),
+                                              utp.getCreatedTime()));
+                    
+                }
                 SecurityContext sc = msg.get(SecurityContext.class);
                 if (sc == null || sc.getUserPrincipal() == null) {
                     msg.put(SecurityContext.class, createSecurityContext(p));
@@ -477,6 +501,21 @@ public class WSS4JInInterceptor extends 
         
     }
 
+    protected CallbackHandler getCallback(RequestData reqData, int doAction, boolean utWithCallbacks)

+        throws WSSecurityException {
+        if (!utWithCallbacks && (doAction & WSConstants.UT) != 0) {
+            CallbackHandler pwdCallback = null;
+            try {
+                pwdCallback = getCallback(reqData, doAction);
+            } catch (Exception ex) {
+                // ignore
+            }
+            return new DelegatingCallbackHandler(pwdCallback);
+        } else {
+            return getCallback(reqData, doAction);
+        }
+    }
+    
     protected CallbackHandler getCallback(RequestData reqData, int doAction) throws WSSecurityException
{
         /*
          * To check a UsernameToken or to decrypt an encrypted message we need a
@@ -535,11 +574,19 @@ public class WSS4JInInterceptor extends 
      * TODO the WSHandler base class defines secEngine to be static, which
      * is really bad, because the engine has mutable state on it.
      */
-    protected WSSecurityEngine
-    getSecurityEngine() {
+    protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) {
         if (secEngineOverride != null) {
             return secEngineOverride;
         }
+        
+        if (!utWithCallbacks) {
+            Map<QName, Object> profiles = new HashMap<QName, Object>(3);
+            Processor processor = new UsernameTokenProcessorWithoutCallbacks();
+            profiles.put(new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN), processor);
+            profiles.put(new QName(WSConstants.WSSE11_NS, WSConstants.USERNAME_TOKEN_LN),
processor);
+            return createSecurityEngine(profiles);
+        }
+        
         return secEngine;
     }
 

Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
(original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
Wed Nov  3 15:58:35 2010
@@ -28,9 +28,14 @@ import javax.xml.namespace.QName;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.systest.ws.wssec10.server.Server;
 import org.apache.cxf.systest.ws.wssec11.WSSecurity11Common;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+
 import org.junit.BeforeClass;
 import org.junit.Test;
 
@@ -95,7 +100,16 @@ public class WSSecurity10Test extends Ab
                     ),
                     IPingService.class
                 );
+         
+            Client cl = ClientProxy.getClient(port);
             
+            HTTPConduit http = (HTTPConduit) cl.getConduit();
+             
+            HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+            httpClientPolicy.setConnectionTimeout(0);
+            httpClientPolicy.setReceiveTimeout(0);
+             
+            http.setClient(httpClientPolicy);
             final String output = port.echo(INPUT);
             assertEquals(INPUT, output);
         }

Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java
(original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10UsernameAuthorizationTest.java
Wed Nov  3 15:58:35 2010
@@ -42,6 +42,7 @@ import wssec.wssec10.PingService;
  *
  */
 public class WSSecurity10UsernameAuthorizationTest extends AbstractBusClientServerTestBase
{
+    static final String SSL_PORT = allocatePort(AuthorizedServer.class, 1);
     static final String PORT = allocatePort(AuthorizedServer.class);
 
     private static final String INPUT = "foo";
@@ -58,9 +59,9 @@ public class WSSecurity10UsernameAuthori
     }
 
     @Test
-    public void testClientServerAuthorized() {
+    public void testClientServerUTOnlyAuthorized() {
 
-        IPingService port = getPort(
+        IPingService port = getUTOnlyPort(
             "org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml", false);
         
         final String output = port.echo(INPUT);
@@ -68,9 +69,9 @@ public class WSSecurity10UsernameAuthori
     }
     
     @Test
-    public void testClientServerUnauthorized() {
+    public void testClientServerUTOnlyUnauthorized() {
 
-        IPingService port = getPort(
+        IPingService port = getUTOnlyPort(
             "org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml",
true);
         
         try {
@@ -81,7 +82,48 @@ public class WSSecurity10UsernameAuthori
         }
     }
     
-    private static IPingService getPort(String configName, boolean hashed) {
+    @Test
+    public void testClientServerComplexPolicyAuthorized() {
+
+        IPingService port = getComplexPolicyPort(
+            "org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml");
+        
+        final String output = port.echo(INPUT);
+        assertEquals(INPUT, output);
+    }
+    
+    @Test
+    public void testClientServerComplexPolicyUnauthorized() {
+
+        IPingService port = getComplexPolicyPort(
+            "org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml");
+        
+        try {
+            port.echo(INPUT);
+            fail("Frank is unauthorized");
+        } catch (Exception ex) {
+            assertEquals("Unauthorized", ex.getMessage());
+        }
+    }
+    
+    private static IPingService getComplexPolicyPort(String configName) {
+        Bus bus = new SpringBusFactory().createBus(configName);
+        
+        BusFactory.setDefaultBus(bus);
+        BusFactory.setThreadDefaultBus(bus);
+        PingService svc = new PingService(getWsdlLocation("UserNameOverTransport"));
+        final IPingService port = 
+            svc.getPort(
+                new QName(
+                    "http://WSSec/wssec10",
+                    "UserNameOverTransport" + "_IPingService"
+                ),
+                IPingService.class
+            );
+        return port;
+    }
+    
+    private static IPingService getUTOnlyPort(String configName, boolean hashed) {
         Bus bus = new SpringBusFactory().createBus(configName);
         
         BusFactory.setDefaultBus(bus);
@@ -109,4 +151,19 @@ public class WSSecurity10UsernameAuthori
     }
 
     
+    private static URL getWsdlLocation(String portPrefix) {
+        try {
+            if ("UserNameOverTransport".equals(portPrefix)) {
+                return new URL("https://localhost:" + SSL_PORT + "/" + portPrefix + "?wsdl");
+            } else if ("MutualCertificate10SignEncrypt".equals(portPrefix)) {
+                return new URL("http://localhost:" + PORT + "/" + portPrefix + "?wsdl");
+            } else if ("MutualCertificate10SignEncryptRsa15TripleDes".equals(portPrefix))
{
+                return new URL("http://localhost:" + PORT + "/" + portPrefix + "?wsdl");
+            }
+        } catch (MalformedURLException mue) {
+            return null;
+        }
+        return null;
+    }
+    
 }

Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml
(original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted_unauthorized.xml
Wed Nov  3 15:58:35 2010
@@ -47,4 +47,21 @@
         </jaxws:properties>
     </jaxws:client>
 
+    <jaxws:client name="{http://WSSec/wssec10}UserNameOverTransport_IPingService" createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Frank"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+        </jaxws:properties>
+    </jaxws:client>
+    
+    <http:conduit name="https://.*/UserNameOverTransport.*">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:keyManagers keyPassword="password">
+                <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/wssec10/certs/restricted/alice.jks"/>
+            </sec:keyManagers>
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/wssec10/certs/restricted/bob.jks"/>
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
 </beans>

Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml?rev=1030508&r1=1030507&r2=1030508&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml
(original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized.xml
Wed Nov  3 15:58:35 2010
@@ -39,6 +39,34 @@
     ">
     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
     
+    <!-- -->
+    <!-- Any services listening on port 9001 must use the following -->
+    <!-- Transport Layer Security (TLS) settings -->
+    <!-- -->
+    <httpj:engine-factory id="tls-settings">
+        <httpj:engine port="${testutil.ports.AuthorizedServer.1}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/wssec10/certs/restricted/bob.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/wssec10/certs/restricted/alice.jks"/>
+                </sec:trustManagers> 
+
+                <!--
+                <sec:cipherSuitesFilter>
+                    <sec:include>.*_EXPORT_.*</sec:include>
+                    <sec:include>.*_EXPORT1024_.*</sec:include>
+                    <sec:include>.*_WITH_DES_.*</sec:include>
+                    <sec:include>.*_WITH_NULL_.*</sec:include>
+                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
+                </sec:cipherSuitesFilter>
+                <sec:clientAuthentication want="true" required="true"/>
+                -->
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
     <cxf:bus>
         <cxf:features>
             <p:policies/>
@@ -53,7 +81,7 @@
 
     <bean id="customUTInterceptor" class="org.apache.cxf.systest.ws.wssec10.server.CustomUsernameTokenInterceptor"/>
 
-
+    <bean id="simpleUTInterceptor" class="org.apache.cxf.systest.ws.wssec10.server.SimpleUsernameTokenInterceptor"/>
     <bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
         <property name="methodRolesMap">
             <map>
@@ -90,4 +118,30 @@
      
     </jaxws:endpoint>
     
+    <!-- -->
+    <!-- Scenario 3.1 -->
+    <!-- -->
+    <jaxws:endpoint 
+       id="UserNameOverTransport"
+       address="https://localhost:${testutil.ports.AuthorizedServer.1}/UserNameOverTransport"

+       serviceName="interop:PingService"
+       endpointName="interop:UserNameOverTransport_IPingService"
+       implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransportRestricted"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
+            
+            <!-- new property -->
+            <entry key="ws-security.ut.no-callbacks" value="true"/>
+        </jaxws:properties> 
+
+        <jaxws:inInterceptors>
+            <ref bean="simpleUTInterceptor"/>
+            <ref bean="authorizationInterceptor"/>
+       </jaxws:inInterceptors> 
+     
+    </jaxws:endpoint>
+        
 </beans>



Mime
View raw message