From serg...@apache.org
Subject svn commit: r1095410 - in /cxf/trunk/rt/ws/security/src: main/java/org/apache/cxf/ws/security/trust/ test/java/org/apache/cxf/ws/security/trust/
Date Wed, 20 Apr 2011 13:49:05 GMT
Author: sergeyb
Date: Wed Apr 20 13:49:05 2011
New Revision: 1095410

URL: http://svn.apache.org/viewvc?rev=1095410&view=rev
Log:
[CXF-3462] Prototyping the interceptor for validating BasicAuth (and similar credentials) with the STS

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
  (with props)
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
  (with props)
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java?rev=1095410&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
Wed Apr 20 13:49:05 2011
@@ -0,0 +1,108 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.trust;
+
+import java.util.ResourceBundle;
+import java.util.logging.Logger;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.i18n.BundleUtils;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.ws.security.validate.Credential;
+
+public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Message>
{
+
+    private static final ResourceBundle BUNDLE = BundleUtils.getBundle(AuthPolicyValidatingInterceptor.class);
+    private static final Logger LOG = LogUtils.getL7dLogger(AuthPolicyValidatingInterceptor.class);
+    
+    private STSTokenValidator validator;
+    
+    public AuthPolicyValidatingInterceptor() {
+        this(Phase.UNMARSHAL);
+    }
+    
+    public AuthPolicyValidatingInterceptor(String phase) {
+        super(phase);
+    }
+    
+    public void handleMessage(Message message) throws Fault {
+
+        String name = null;
+        String password = null;
+        
+        AuthorizationPolicy policy = (AuthorizationPolicy)message.get(AuthorizationPolicy.class);
+        if (policy == null || policy.getUserName() == null || policy.getPassword() == null)
{
+            org.apache.cxf.common.i18n.Message errorMsg = 
+                new org.apache.cxf.common.i18n.Message("NO_USER_PASSWORD", 
+                                                       BUNDLE, 
+                                                       name, password);
+            LOG.warning(errorMsg.toString());
+            throw new SecurityException(errorMsg.toString());
+        }
+        
+        try {
+            UsernameToken token = convertPolicyToToken(policy);
+            Credential credential = new Credential();
+            credential.setUsernametoken(token);
+            validator.validateWithSTS(credential, message);
+        } catch (Exception ex) {
+            throw new Fault(ex);
+        }
+    }
+
+    protected UsernameToken convertPolicyToToken(AuthorizationPolicy policy) 
+        throws Exception {
+
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        Document doc = builder.newDocument();
+        Element utElement = 
+            doc.createElementNS(WSConstants.WSSE_NS, "wsse:" + WSConstants.USERNAME_TOKEN_LN);
+        
+        Element nameElement = 
+            doc.createElementNS(WSConstants.WSSE_NS, "wsse:" + WSConstants.USERNAME_LN);
+        nameElement.setTextContent(policy.getUserName());
+        Element passwordElement = 
+            doc.createElementNS(WSConstants.WSSE_NS, "wsse:" + WSConstants.PASSWORD_LN);
+        passwordElement.setTextContent(policy.getPassword());
+        passwordElement.setAttribute(WSConstants.PASSWORD_TYPE_ATTR, 
+                                     WSConstants.USERNAMETOKEN_NS + "#"  + WSConstants.PASSWORD_TEXT);
+        
+        utElement.appendChild(nameElement);
+        utElement.appendChild(passwordElement);
+        return new UsernameToken(utElement);
+    }
+
+    public void setValidator(STSTokenValidator validator) {
+        this.validator = validator;
+    }
+    
+}
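Review bot: The `NO_USER_PASSWORD` message at the top of handleMessage is built from the locals `name` and `password`, which are still null where they are used, so both locals are dead; if the intent was to name the rejected principal, pass `policy == null ? null : policy.getUserName()` and keep the password out of it, since the text goes to `LOG.warning` and into the SecurityException message. The `validator` field is only assigned through setValidator; when it is unset, `validator.validateWithSTS(...)` fails with a NullPointerException that the catch block wraps in a Fault, so an explicit `if (validator == null) { throw new IllegalStateException("STSTokenValidator is not configured"); }` before the try would report the misconfiguration directly instead of as a generic Fault. The class and handleMessage carry no Javadoc; a one-line doc stating that the interceptor turns the AuthorizationPolicy on the message into a wsse:UsernameToken with a PasswordText password and delegates its validation to the configured STSTokenValidator would tell users why the default phase is UNMARSHAL and that the validator must be set.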

Propchange: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java?rev=1095410&r1=1095409&r2=1095410&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
Wed Apr 20 13:49:05 2011
@@ -23,6 +23,7 @@ package org.apache.cxf.ws.security.trust
 import java.util.List;
 
 import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.RequestData;
@@ -49,21 +50,20 @@ public class STSTokenValidator implement
     }
     
     public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
-        SoapMessage m = (SoapMessage)data.getMsgContext();
+        
+        if (isValidatedLocally(credential, data)) {
+            return credential;
+        }
+        
+        return validateWithSTS(credential, (SoapMessage)data.getMsgContext());
+    }
+    
+    public Credential validateWithSTS(Credential credential, Message message) throws WSSecurityException
{
+        
         SecurityToken token = new SecurityToken();
         
         try {
             if (credential.getAssertion() != null) {
-                if (!alwaysValidateToSts) {
-                    //
-                    // Try to validate the Assertion locally first. If trust verification
fails
-                    // then send it off to the STS for validation
-                    //
-                    samlValidator.validate(credential, data);
-                    if (samlValidator.isTrustVerificationSucceeded()) {
-                        return credential;
-                    }
-                }
                 token.setToken(credential.getAssertion().getElement());
             } else if (credential.getUsernametoken() != null) {
                 token.setToken(credential.getUsernametoken().getElement());
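Review bot: validateWithSTS is now a public entry point that callers outside the WSS4J Validator flow reach directly with a plain Message (the new AuthPolicyValidatingInterceptor does), but it has no Javadoc; a short doc stating that the credential's assertion, UsernameToken or BinarySecurityToken is wrapped in a SecurityToken and sent to the STS client obtained via `STSUtils.getClient(message, "sts")` would make that contract explicit. Since the parameter type is now Message, the cast in validate() can be widened to `return validateWithSTS(credential, (Message)data.getMsgContext());`, which is all the callee needs and avoids a ClassCastException should a non-SOAP message context ever reach it. The body of validateWithSTS continues past the end of this hunk.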
@@ -71,7 +71,7 @@ public class STSTokenValidator implement
                 token.setToken(credential.getBinarySecurityToken().getElement());
             }
             
-            STSClient c = STSUtils.getClient(m, "sts");
+            STSClient c = STSUtils.getClient(message, "sts");
             synchronized (c) {
                 System.setProperty("noprint", "true");
                 List<SecurityToken> tokens = c.validateSecurityToken(token);
@@ -88,5 +88,21 @@ public class STSTokenValidator implement
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity",
null, e);
         }
     }
+    
+    protected boolean isValidatedLocally(Credential credential, RequestData data) 
+        throws WSSecurityException {
+        
+        if (!alwaysValidateToSts && credential.getAssertion() != null) {
+            try {
+                samlValidator.validate(credential, data);
+                return samlValidator.isTrustVerificationSucceeded();
+            } catch (RuntimeException e) {
+                throw e;
+            } catch (Exception e) {
+                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity",
null, e);
+            }
+        }
+        return false;
+    }
 
 }
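Review bot: In isValidatedLocally the `catch (Exception e)` branch also catches a WSSecurityException thrown by `samlValidator.validate` (if samlValidator is a WSS4J Validator, that is the only checked exception its validate declares) and rewraps it as a new WSSecurityException with the fixed code `invalidSAMLsecurity`, hiding the original error code and message key from the caller and the logs. Adding `catch (WSSecurityException e) { throw e; }` ahead of the generic catch preserves the original failure reason while keeping the wrapping for anything else. The explanatory comment the old validate() carried, that the assertion is validated locally first and sent to the STS only when trust verification fails, was dropped with the removed lines; restoring it as the Javadoc of isValidatedLocally would document why `alwaysValidateToSts` short-circuits this path and what a false return means to validate().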

Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java?rev=1095410&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
(added)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
Wed Apr 20 13:49:05 2011
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.trust;
+
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.ws.security.validate.Credential;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class AuthPolicyValidatingInterceptorTest extends Assert {
+
+    @Test
+    public void testValidateAuthorizationPolicy() throws Exception {
+        AuthPolicyValidatingInterceptor in = new AuthPolicyValidatingInterceptor();
+        TestSTSTokenValidator validator = new TestSTSTokenValidator();
+        in.setValidator(validator);
+        
+        AuthorizationPolicy policy = new AuthorizationPolicy();
+        policy.setUserName("bob");
+        policy.setPassword("pswd");
+        Message message = new MessageImpl();
+        message.put(AuthorizationPolicy.class, policy);
+        
+        in.handleMessage(message);
+        
+        assertTrue(validator.isValidated());
+    }
+    
+    private static class TestSTSTokenValidator extends STSTokenValidator {
+        
+        private boolean validated; 
+        
+        public TestSTSTokenValidator() {
+            super(true);
+        }
+        
+        @Override
+        public Credential validateWithSTS(Credential credential, Message message) 
+            throws WSSecurityException {
+            UsernameToken token = credential.getUsernametoken();
+            if ("bob".equals(token.getName()) && "pswd".equals(token.getPassword()))
{
+                // TODO: mock STS
+                validated = true;
+            }
+            return credential;
+        }
+        
+        public boolean isValidated() {
+            return validated;
+        }
+    }
+}
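Review bot: TestSTSTokenValidator.validateWithSTS returns `credential` for any name and password, so the test only shows that the interceptor produced a UsernameToken carrying the expected values; the failure path through handleMessage, where validation rejects the credentials and a Fault is expected, is never exercised. Throwing in the non-matching branch, e.g. `throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);`, and adding a second test that sets a different password and asserts that handleMessage throws Fault would cover it. The test also does not check the password type the interceptor sets on the token; asserting that `token.getPasswordType()` ends with `WSConstants.PASSWORD_TEXT` would pin that the STS receives a PasswordText-typed token as intended.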

Propchange: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date


