From cohei...@apache.org
Subject svn commit: r1130157 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: policyhandlers/SymmetricBindingHandler.java policyvalidators/AbstractSamlPolicyValidator.java
Date Wed, 01 Jun 2011 14:11:31 GMT
Author: coheigea
Date: Wed Jun  1 14:11:31 2011
New Revision: 1130157

URL: http://svn.apache.org/viewvc?rev=1130157&view=rev
Log:
[CXF-3524] - Support Derived Keys with the Symmetric Binding + SAML Assertions

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1130157&r1=1130156&r2=1130157&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Wed Jun  1 14:11:31 2011
@@ -393,15 +393,13 @@ public class SymmetricBindingHandler ext
                 dkEncr.setExternalKey(
                     encrTok.getSecret(), cloneElement(encrTok.getUnattachedReference())
                 );
-            } else if (!isRequestor()) { 
+            } else if (!isRequestor() && encrTok.getSHA1() != null) {
                 // If the Encrypted key used to create the derived key is not
                 // attached use key identifier as defined in WSS1.1 section
                 // 7.7 Encrypted Key reference
                 SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart());
-                if (encrTok.getSHA1() != null) {
-                    tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
-                    tokenRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
-                }
+                tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
+                tokenRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
                 dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
             } else {
                 if (attached) {
@@ -426,7 +424,18 @@ public class SymmetricBindingHandler ext
                 dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
                         + WSConstants.ENC_KEY_VALUE_TYPE);
             } else {
-                dkEncr.setCustomValueType(encrTok.getTokenType());
+                String tokenType = encrTok.getTokenType();
+                if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+                    || WSConstants.SAML_NS.equals(tokenType)) {
+                    dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                    dkEncr.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+                } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+                    || WSConstants.SAML2_NS.equals(tokenType)) {
+                    dkEncr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                    dkEncr.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
+                } else {
+                    dkEncr.setCustomValueType(tokenType);
+                }
             }
             
             dkEncr.setSymmetricEncAlgorithm(sbinding.getAlgorithmSuite().getEncryption());
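Review bot: The SAML token-type dispatch added in the `else` branch here for `dkEncr` is repeated line for line for `dkSign` in the hunk at `@@ -592,7 +601,18 @@`, so the two can drift apart the next time a token type is added. A private helper taking the derived-key builder and the token type would keep them in step; both builders use only `setKeyIdentifierType` and `setCustomValueType`, so the helper can be written against their common parent (WSSecDerivedKeyBase, if that is what `dkEncr` and `dkSign` share — their declared types are outside these hunks). The enclosing methods begin and end outside the hunk.
```java
            } else {
                setDerivedKeyValueType(dkEncr, encrTok.getTokenType());
            }
            // … unchanged: remainder of the method …

    /**
     * Sets the key identifier / value type on a derived key built over a token of the given type.
     * SAML 1.1 and SAML 2.0 tokens get a custom key identifier with the matching WSS SAML KI
     * value type; any other (or null) token type is passed through as the value type unchanged.
     */
    private static void setDerivedKeyValueType(WSSecDerivedKeyBase dk, String tokenType) {
        if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML_NS.equals(tokenType)) {
            dk.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            dk.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
        } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
            || WSConstants.SAML2_NS.equals(tokenType)) {
            dk.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            dk.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
        } else {
            dk.setCustomValueType(tokenType);
        }
    }
```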
@@ -568,7 +577,7 @@ public class SymmetricBindingHandler ext
         
         if (ref != null) {
             dkSign.setExternalKey(tok.getSecret(), cloneElement(ref));
-        } else if (!isRequestor() && policyToken.isDerivedKeys()) { 
+        } else if (!isRequestor() && policyToken.isDerivedKeys() && tok.getSHA1()
!= null) {            
             // If the Encrypted key used to create the derived key is not
             // attached use key identifier as defined in WSS1.1 section
             // 7.7 Encrypted Key reference
@@ -592,7 +601,18 @@ public class SymmetricBindingHandler ext
             //Set the value type of the reference
             dkSign.setCustomValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
         } else {
-            dkSign.setCustomValueType(tok.getTokenType());
+            String tokenType = tok.getTokenType();
+            if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+                || WSConstants.SAML_NS.equals(tokenType)) {
+                dkSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                dkSign.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+            } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+                || WSConstants.SAML2_NS.equals(tokenType)) {
+                dkSign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                dkSign.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
+            } else {
+                dkSign.setCustomValueType(tokenType);
+            }
         }
         
         try {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1130157&r1=1130156&r2=1130157&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Wed Jun  1 14:11:31 2011
@@ -19,12 +19,14 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
+import java.security.Principal;
 import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
 
+import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
@@ -109,12 +111,33 @@ public abstract class AbstractSamlPolicy
             if (publicKey != null && publicKey.equals(subjectPublicKey)) {
                 return true;
             }
-            if (secretKey != null && subjectSecretKey != null
-                && Arrays.equals(secretKey, subjectSecretKey)) {
+            if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
                 return true;
             }
         }
         return false;
     }
     
+    private boolean checkSecretKey(
+        byte[] secretKey,
+        byte[] subjectSecretKey,
+        WSSecurityEngineResult signedResult
+    ) {
+        if (secretKey != null && subjectSecretKey != null) {
+            if (Arrays.equals(secretKey, subjectSecretKey)) {
+                return true;
+            } else {
+                Principal principal =
+                    (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                if (principal instanceof WSDerivedKeyTokenPrincipal) {
+                    secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
+                    if (Arrays.equals(secretKey, subjectSecretKey)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+
 }
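Review bot: `checkSecretKey` reassigns its `secretKey` parameter on the derived-key path and nests that fallback in an `else` after a `return true`, which makes the two comparisons harder to follow than they need to be; a null guard up front and a fresh local such as `byte[] baseKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();` read more directly. Since this helper now owns every comparison of key material in the validator, it is also the natural place to compare with `MessageDigest.isEqual` (from `java.security`) instead of `Arrays.equals`, which stops at the first differing byte — the original code had the same comparison, but it is now concentrated in one spot. The new private method has no Javadoc; a short one saying that when the signing principal is a `WSDerivedKeyTokenPrincipal` the check is retried against that principal's secret (presumably the key the derived key was built from — worth stating explicitly there) would help the next reader.
```java
    private boolean checkSecretKey(
        byte[] secretKey,
        byte[] subjectSecretKey,
        WSSecurityEngineResult signedResult
    ) {
        if (secretKey == null || subjectSecretKey == null) {
            return false;
        }
        if (MessageDigest.isEqual(secretKey, subjectSecretKey)) {
            return true;
        }
        // The signature may have been made with a derived key; retry against the
        // secret carried by the derived-key principal.
        Principal principal =
            (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        if (principal instanceof WSDerivedKeyTokenPrincipal) {
            byte[] baseKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
            return MessageDigest.isEqual(baseKey, subjectSecretKey);
        }
        return false;
    }
```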


