From cohei...@apache.org
Subject svn commit: r1149227 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security: ./ policy/ policy/builders/ policy/model/ wss4j/ wss4j/policyhandlers/ wss4j/policyvalidators/
Date Thu, 21 Jul 2011 15:37:08 GMT
Author: coheigea
Date: Thu Jul 21 15:37:07 2011
New Revision: 1149227

URL: http://svn.apache.org/viewvc?rev=1149227&view=rev
Log:
Added support for the Kerberos Token Profile

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/KerberosToken.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1149227&r1=1149226&r2=1149227&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Thu Jul 21 15:37:07 2011
@@ -40,6 +40,7 @@ public final class SecurityConstants {
     
     public static final String CALLBACK_HANDLER = "ws-security.callback-handler";
     public static final String SAML_CALLBACK_HANDLER = "ws-security.saml-callback-handler";
+    public static final String BST_CALLBACK_HANDLER = "ws-security.bst-callback-handler";
     
     public static final String SIGNATURE_USERNAME = "ws-security.signature.username";
     public static final String SIGNATURE_PROPERTIES = "ws-security.signature.properties";
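Review bot: The new `BST_CALLBACK_HANDLER` property is a user-facing configuration key (it is also registered in ALL_PROPERTIES in the next hunk) but carries no documentation, so a deployer has no way to know what the handler is for or how it may be supplied. I would add a Javadoc above it along the lines of `/** CallbackHandler used to obtain the Kerberos BinarySecurityToken contents; handed to WSS4J's BinarySecurity constructor by AbstractBindingBuilder.addKerberosToken. May be an instance or a fully-qualified class name with a no-arg constructor. */`. The exact callback type the handler must service is decided by WSS4J's `BinarySecurity(CallbackHandler)` constructor, which is not visible here, so that detail should be confirmed before settling the wording.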
@@ -120,7 +121,8 @@ public final class SecurityConstants {
             STS_TOKEN_ACT_AS, STS_TOKEN_USERNAME, STS_TOKEN_USE_CERT_FOR_KEYINFO,
             SAML1_TOKEN_VALIDATOR, SAML2_TOKEN_VALIDATOR, TIMESTAMP_TOKEN_VALIDATOR,
             SIGNATURE_TOKEN_VALIDATOR, IS_BSP_COMPLIANT, TIMESTAMP_FUTURE_TTL,
-            BST_TOKEN_VALIDATOR, SAML_CALLBACK_HANDLER, STS_TOKEN_ON_BEHALF_OF
+            BST_TOKEN_VALIDATOR, SAML_CALLBACK_HANDLER, STS_TOKEN_ON_BEHALF_OF,
+            BST_CALLBACK_HANDLER
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java?rev=1149227&r1=1149226&r2=1149227&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
Thu Jul 21 15:37:07 2011
@@ -104,6 +104,9 @@ public final class SP11Constants extends
     
     public static final QName SAML_TOKEN = new QName(SP11Constants.SP_NS,
             SPConstants.SAML_TOKEN , SP11Constants.SP_PREFIX);
+    
+    public static final QName KERBEROS_TOKEN = new QName(SP12Constants.SP_NS,
+            SPConstants.KERBEROS_TOKEN, SP11Constants.SP_PREFIX);
 
     public static final QName WSS_USERNAME_TOKEN10 = new QName(SP11Constants.SP_NS,
             SPConstants.USERNAME_TOKEN10 , SP11Constants.SP_PREFIX);
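Review bot: `KERBEROS_TOKEN` in SP11Constants is built with `SP12Constants.SP_NS`, so the SP 1.1 QName carries the SP 1.2 namespace, unlike the neighbouring `SAML_TOKEN` which uses `SP11Constants.SP_NS`. Because KerberosTokenBuilder.getKnownElements() registers both `SP11Constants.KERBEROS_TOKEN` and `SP12Constants.KERBEROS_TOKEN`, both entries end up with the 1.2 namespace and a `sp:KerberosToken` assertion in a WS-SecurityPolicy 1.1 policy is never matched by the builder (and would be treated as an unknown assertion). The line should read `public static final QName KERBEROS_TOKEN = new QName(SP11Constants.SP_NS,`.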
@@ -384,6 +387,9 @@ public final class SP11Constants extends
     public QName getSamlToken() {
         return SAML_TOKEN;
     }
+    public QName getKerberosToken() {
+        return KERBEROS_TOKEN;
+    }
     public QName getX509Token() {
         return X509_TOKEN;
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java?rev=1149227&r1=1149226&r2=1149227&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
Thu Jul 21 15:37:07 2011
@@ -127,6 +127,9 @@ public final class SP12Constants extends
     public static final QName SAML_TOKEN = new QName(SP12Constants.SP_NS,
             SPConstants.SAML_TOKEN, SP12Constants.SP_PREFIX);
     
+    public static final QName KERBEROS_TOKEN = new QName(SP12Constants.SP_NS,
+            SPConstants.KERBEROS_TOKEN, SP12Constants.SP_PREFIX);
+    
     public static final QName KEYVALUE_TOKEN = new QName(SP12Constants.SP_NS,
                                                          SPConstants.KEYVALUE_TOKEN ,
                                                          SP12Constants.SP_PREFIX);
@@ -446,6 +449,9 @@ public final class SP12Constants extends
     public QName getSamlToken() {
         return SAML_TOKEN;
     }
+    public QName getKerberosToken() {
+        return KERBEROS_TOKEN;
+    }
     public QName getKeyValueToken() {
         return KEYVALUE_TOKEN;
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1149227&r1=1149226&r2=1149227&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
Thu Jul 21 15:37:07 2011
@@ -125,6 +125,8 @@ public abstract class SPConstants {
     public static final String USERNAME_TOKEN = "UsernameToken";
     
     public static final String SAML_TOKEN = "SamlToken";
+    
+    public static final String KERBEROS_TOKEN = "KerberosToken";
 
     public static final String KEYVALUE_TOKEN = "KeyValueToken";
     
@@ -138,6 +140,10 @@ public abstract class SPConstants {
     
     public static final String SAML_20_TOKEN_11 = "WssSamlV20Token11";
     
+    public static final String KERBEROS_V5_AP_REQ_TOKEN_11 = "WssKerberosV5ApReqToken11";
+    
+    public static final String KERBEROS_GSS_V5_AP_REQ_TOKEN_11 = "WssGssKerberosV5ApReqToken11";
+    
     public static final String TRANSPORT_TOKEN = "TransportToken";
     
     public static final String HTTPS_TOKEN = "HttpsToken";
@@ -449,6 +455,7 @@ public abstract class SPConstants {
     public abstract QName getTransportToken();
     public abstract QName getUserNameToken();
     public abstract QName getSamlToken();
+    public abstract QName getKerberosToken();
     public abstract QName getX509Token();
     
     public abstract QName getSupportingTokens();

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1149227&r1=1149226&r2=1149227&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
Thu Jul 21 15:37:07 2011
@@ -40,6 +40,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.builders.HttpsTokenBuilder;
 import org.apache.cxf.ws.security.policy.builders.InitiatorTokenBuilder;
 import org.apache.cxf.ws.security.policy.builders.IssuedTokenBuilder;
+import org.apache.cxf.ws.security.policy.builders.KerberosTokenBuilder;
 import org.apache.cxf.ws.security.policy.builders.KeyValueTokenBuilder;
 import org.apache.cxf.ws.security.policy.builders.LayoutBuilder;
 import org.apache.cxf.ws.security.policy.builders.ProtectionTokenBuilder;
@@ -105,6 +106,7 @@ public final class WSSecurityPolicyLoade
         reg.registerBuilder(new RequiredElementsBuilder());
         reg.registerBuilder(new RequiredPartsBuilder());
         reg.registerBuilder(new SamlTokenBuilder(pbuild));
+        reg.registerBuilder(new KerberosTokenBuilder(pbuild));
         reg.registerBuilder(new SecureConversationTokenBuilder(pbuild));
         reg.registerBuilder(new SecurityContextTokenBuilder());
         reg.registerBuilder(new SignedElementsBuilder());

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java?rev=1149227&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KerberosTokenBuilder.java
Thu Jul 21 15:37:07 2011
@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy.builders;
+
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.policy.PolicyBuilder;
+import org.apache.cxf.ws.policy.PolicyConstants;
+import org.apache.cxf.ws.security.policy.SP11Constants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.neethi.Assertion;
+import org.apache.neethi.AssertionBuilderFactory;
+import org.apache.neethi.builders.AssertionBuilder;
+
+
+public class KerberosTokenBuilder implements AssertionBuilder<Element> {
+
+    PolicyBuilder builder;
+    public KerberosTokenBuilder(PolicyBuilder b) {
+        builder = b;
+    }
+    
+    public Assertion build(Element element, AssertionBuilderFactory factory) {
+        
+        SPConstants consts = SP11Constants.SP_NS.equals(element.getNamespaceURI())
+            ? SP11Constants.INSTANCE : SP12Constants.INSTANCE;
+
+        KerberosToken kerberosToken = new KerberosToken(consts);
+        kerberosToken.setOptional(PolicyConstants.isOptional(element));
+        kerberosToken.setIgnorable(PolicyConstants.isIgnorable(element));
+
+        String attribute = element.getAttributeNS(element.getNamespaceURI(), SPConstants.ATTR_INCLUDE_TOKEN);
+        if (attribute != null) {
+            kerberosToken.setInclusion(consts.getInclusionFromAttributeValue(attribute));
+        }
+        
+        Element child = DOMUtils.getFirstElement(element);
+        while (child != null) {
+            String ln = child.getLocalName();
+            if (org.apache.neethi.Constants.ELEM_POLICY.equals(ln)) {
+                NodeList policyChildren = child.getChildNodes();
+                if (policyChildren != null) {
+                    for (int i = 0; i < policyChildren.getLength(); i++) {
+                        Node policyChild = policyChildren.item(i);
+                        if (policyChild instanceof Element) {
+                            QName qname = 
+                                new QName(policyChild.getNamespaceURI(), policyChild.getLocalName());
+                            String localpart = qname.getLocalPart();
+                            if (SPConstants.KERBEROS_V5_AP_REQ_TOKEN_11.equals(localpart))
{
+                                kerberosToken.setV5ApReqToken11(true);
+                            } else if (SPConstants.KERBEROS_GSS_V5_AP_REQ_TOKEN_11.equals(localpart))
{
+                                kerberosToken.setGssV5ApReqToken11(true);
+                            }
+                        }
+                    }
+                }
+            }
+            child = DOMUtils.getNextElement(child);
+        }
+        return kerberosToken;
+    }
+
+    public QName[] getKnownElements() {
+        return new QName[]{SP11Constants.KERBEROS_TOKEN, SP12Constants.KERBEROS_TOKEN};
+    }
+}
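Review bot: The nested-policy loop in `build` handles only the `WssKerberosV5ApReqToken11` and `WssGssKerberosV5ApReqToken11` children, so an `<sp:RequireKeyIdentifierReference/>` in the policy is silently dropped even though the KerberosToken model exposes `setRequireKeyIdentifierReference` and serialises that element; add a third branch `} else if (SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE.equals(localpart)) { kerberosToken.setRequireKeyIdentifierReference(true); }`. Two smaller points: `qname` is constructed with the child's namespace but only its local part is compared, so a same-named element in a foreign namespace is accepted (comparing the full QName against the sp namespace would be stricter), and `getAttributeNS` returns an empty string rather than null for an absent `IncludeToken` attribute, so the `attribute != null` guard never skips the call and `getInclusionFromAttributeValue("")` is being relied on to handle the missing-attribute case.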

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/KerberosToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/KerberosToken.java?rev=1149227&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/KerberosToken.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/KerberosToken.java
Thu Jul 21 15:37:07 2011
@@ -0,0 +1,129 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy.model;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
+
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+
+public class KerberosToken extends Token {
+    private boolean requireKeyIdentifierReference;
+    private boolean useV5ApReqToken11;
+    private boolean useGssV5ApReqToken11;
+
+    public KerberosToken(SPConstants version) {
+        super(version);
+    }
+
+    /**
+     * @return Returns the requireKeyIdentifierReference.
+     */
+    public boolean isRequireKeyIdentifierReference() {
+        return requireKeyIdentifierReference;
+    }
+
+    /**
+     * @param requireKeyIdentifierReference The requireKeyIdentifierReference to set.
+     */
+    public void setRequireKeyIdentifierReference(boolean requireKeyIdentifierReference) {
+        this.requireKeyIdentifierReference = requireKeyIdentifierReference;
+    }
+    
+    public boolean isV5ApReqToken11() {
+        return useV5ApReqToken11;
+    }
+
+    public void setV5ApReqToken11(boolean v5ApReqToken11) {
+        this.useV5ApReqToken11 = v5ApReqToken11;
+    }
+
+    public boolean isGssV5ApReqToken11() {
+        return useGssV5ApReqToken11;
+    }
+
+    public void setGssV5ApReqToken11(boolean gssV5ApReqToken11) {
+        this.useGssV5ApReqToken11 = gssV5ApReqToken11;
+    }
+    
+    public QName getName() {
+        return SP12Constants.INSTANCE.getKerberosToken();
+    }
+
+    public void serialize(XMLStreamWriter writer) throws XMLStreamException {
+        QName name = constants.getSamlToken();
+        String localname = name.getLocalPart();
+        String namespaceURI = name.getNamespaceURI();
+
+        String prefix = writer.getPrefix(namespaceURI);
+        if (prefix == null) {
+            prefix = name.getPrefix();
+            writer.setPrefix(prefix, namespaceURI);
+        }
+
+        // <sp:KerberosToken
+        writer.writeStartElement(prefix, localname, namespaceURI);
+
+        writer.writeNamespace(prefix, namespaceURI);
+
+        String inclusion;
+
+        inclusion = constants.getAttributeValueFromInclusion(getInclusion());
+
+        if (inclusion != null) {
+            writer.writeAttribute(prefix, namespaceURI, SPConstants.ATTR_INCLUDE_TOKEN, inclusion);
+        }
+
+        String pPrefix = writer.getPrefix(SPConstants.POLICY.getNamespaceURI());
+        if (pPrefix == null) {
+            pPrefix = SPConstants.POLICY.getPrefix();
+            writer.setPrefix(SPConstants.POLICY.getPrefix(), SPConstants.POLICY.getNamespaceURI());
+        }
+
+        // <wsp:Policy>
+        writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY
+                                 .getNamespaceURI());
+
+        if (isRequireKeyIdentifierReference()) {
+            // <sp:RequireKeyIdentifierReference />
+            writer.writeStartElement(prefix, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE,
namespaceURI);
+            writer.writeEndElement();
+        }
+
+        if (isV5ApReqToken11()) {
+            // <sp:WssKerberosV5ApReqToken11 />
+            writer.writeStartElement(prefix, SPConstants.KERBEROS_V5_AP_REQ_TOKEN_11, namespaceURI);
+            writer.writeEndElement();
+        } else if (isGssV5ApReqToken11()) {
+            // <sp:WssGssKerberosV5ApReqToken11 />
+            writer.writeStartElement(prefix, SPConstants.KERBEROS_GSS_V5_AP_REQ_TOKEN_11,
namespaceURI);
+            writer.writeEndElement();
+        }
+
+        // </wsp:Policy>
+        writer.writeEndElement();
+
+
+        writer.writeEndElement();
+        // </sp:KerberosToken>
+
+    }
+}
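Review bot: `serialize` takes its element name from `constants.getSamlToken()`, so a KerberosToken assertion is written out as `<sp:SamlToken>` — the comment a few lines below even says `<sp:KerberosToken`. Any policy published from this model (e.g. into WSDL) would therefore advertise a SAML token requirement instead of a Kerberos one and a consuming client would build the wrong token; the line should be `QName name = constants.getKerberosToken();`. Separately, the builder can set both `useV5ApReqToken11` and `useGssV5ApReqToken11`, but the `else if` here writes only the first, so a round-trip loses the second flag; two independent `if` blocks would mirror the builder. `getName()` always returns the SP 1.2 QName regardless of `constants` — this may be deliberate so that the validator and binding builders can look assertions up under `SP12Constants.KERBEROS_TOKEN`, but it deserves a comment saying so.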

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1149227&r1=1149226&r2=1149227&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Thu Jul 21 15:37:07 2011
@@ -74,6 +74,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
@@ -624,6 +625,10 @@ public class PolicyBasedWSS4JInIntercept
         X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
         x509Validator.validatePolicy(aim);
         
+        KerberosTokenPolicyValidator kerberosValidator = 
+            new KerberosTokenPolicyValidator(msg, results);
+        kerberosValidator.validatePolicy(aim);
+        
         //REVISIT - probably can verify some of these like if UT is encrypted and/or signed,
etc...
         assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1149227&r1=1149226&r2=1149227&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Thu Jul 21 15:37:07 2011
@@ -79,6 +79,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements;
 import org.apache.cxf.ws.security.policy.model.Header;
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
 import org.apache.cxf.ws.security.policy.model.KeyValueToken;
 import org.apache.cxf.ws.security.policy.model.Layout;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
@@ -118,6 +119,7 @@ import org.apache.ws.security.message.WS
 import org.apache.ws.security.message.WSSecSignatureConfirmation;
 import org.apache.ws.security.message.WSSecTimestamp;
 import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.saml.ext.SAMLParms;
@@ -567,6 +569,10 @@ public abstract class AbstractBindingBui
                     addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
                     ret.put(token, assertionWrapper);
                 }
+            } else if (token instanceof KerberosToken) {
+                BinarySecurity binarySecurity = addKerberosToken((KerberosToken)token);
+                addSupportingElement(cloneElement(binarySecurity.getElement()));
+                ret.put(token, binarySecurity);
             }
         }
         return ret;
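Review bot: `addKerberosToken` returns null both on the non-requestor side and when no BST CallbackHandler is configured (that path also calls `policyNotAsserted`), but the new branch dereferences the result unconditionally in `binarySecurity.getElement()`, so a misconfigured client fails with a NullPointerException instead of the intended policy error. The closing brace at the top of the hunk suggests the SAML branch guards its result (TransportBindingHandler does so explicitly with `if (assertionWrapper != null)`); do the same here: `if (binarySecurity != null) { addSupportingElement(cloneElement(binarySecurity.getElement())); ret.put(token, binarySecurity); }`. The enclosing method starts before this hunk.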
@@ -618,6 +624,10 @@ public abstract class AbstractBindingBui
                 WSSecUsernameToken unt = (WSSecUsernameToken)tempTok;
                 part = new WSEncryptionPart(unt.getId());
                 part.setElement(unt.getUsernameTokenElement());
+            } else if (tempTok instanceof BinarySecurity) {
+                BinarySecurity bst = (BinarySecurity)tempTok;
+                part = new WSEncryptionPart(bst.getID());
+                part.setElement(bst.getElement());
             } else if (tempTok instanceof AssertionWrapper) {
                 boolean selfSignAssertion = 
                     MessageUtils.getContextualBoolean(
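Review bot: The signature part for a Kerberos token is built from `bst.getID()`, which is only meaningful if the BinarySecurity element carries a `wsu:Id`; whether WSS4J's `BinarySecurity(CallbackHandler)` constructor assigns one is not visible here. If it does not, `addKerberosToken` should call `setID(...)` on the token before returning it, otherwise this WSEncryptionPart references an empty id and the token ends up outside the signature while the policy still reports it as a signed supporting token. Worth confirming against the WSS4J version in use, and failing loudly here on an empty id rather than emitting a dangling reference. The enclosing method starts before and continues after this hunk.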
@@ -846,6 +856,42 @@ public abstract class AbstractBindingBui
         return assertion;
     }
     
+    protected BinarySecurity addKerberosToken(KerberosToken token) throws WSSecurityException
{
+        AssertionInfo info = null;
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(token.getName());
+        for (AssertionInfo ai : ais) {
+            if (ai.getAssertion() == token) {
+                info = ai;
+                if (!isRequestor()) {
+                    info.setAsserted(true);
+                    return null;
+                }
+            }
+        }
+        
+        //
+        // Get the BST (Kerberos) CallbackHandler
+        //
+        Object o = message.getContextualProperty(SecurityConstants.BST_CALLBACK_HANDLER);
+    
+        CallbackHandler handler = null;
+        if (o instanceof CallbackHandler) {
+            handler = (CallbackHandler)o;
+        } else if (o instanceof String) {
+            try {
+                handler = (CallbackHandler)ClassLoaderUtils
+                    .loadClass((String)o, this.getClass()).newInstance();
+            } catch (Exception e) {
+                handler = null;
+            }
+        }
+        if (handler == null) {
+            policyNotAsserted(token, "No BST CallbackHandler available");
+            return null;
+        }
+        return new BinarySecurity(handler);
+    }
+    
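Review bot: In `addKerberosToken`, `catch (Exception e) { handler = null; }` discards the reason a handler given by class name could not be loaded, so a typo in the class name, a missing no-arg constructor or a class that is not a CallbackHandler all surface as the generic "No BST CallbackHandler available" policy failure, which is hard to diagnose in a Kerberos deployment. At minimum log the exception with the offending class name before falling through, or let the `WSSecurityException` the method already declares carry it as the cause. The local `info` is assigned but only used to trigger the early return, and the method's null-return contract should be stated since callers in this commit dereference the result; a Javadoc such as `/** Builds the Kerberos BinarySecurity for the requestor side. Returns null when this side is not the requestor (assertion marked asserted) or when no BST CallbackHandler is configured (policy marked not asserted). */` would do.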
     public String getPassword(String userName, Assertion info, int type) {
         //Then try to get the password from the given callback handler
         Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1149227&r1=1149226&r2=1149227&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Thu Jul 21 15:37:07 2011
@@ -38,6 +38,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
 import org.apache.cxf.ws.security.policy.model.Header;
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
 import org.apache.cxf.ws.security.policy.model.KeyValueToken;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
 import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
@@ -62,6 +63,7 @@ import org.apache.ws.security.message.WS
 import org.apache.ws.security.message.WSSecSignature;
 import org.apache.ws.security.message.WSSecTimestamp;
 import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 
@@ -102,6 +104,9 @@ public class TransportBindingHandler ext
                 if (assertionWrapper != null) {
                     addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
                 }
+            } else if (token instanceof KerberosToken) {
+                BinarySecurity binarySecurity = addKerberosToken((KerberosToken)token);
+                addSupportingElement(cloneElement(binarySecurity.getElement()));
             } else {
                 //REVISIT - not supported for signed.  Exception?
             }
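Review bot: `addKerberosToken` can return null (non-requestor side, or no `ws-security.bst-callback-handler` configured) and the new branch calls `binarySecurity.getElement()` on it directly, whereas the SAML branch immediately above wraps the equivalent call in `if (assertionWrapper != null)`. Mirror that guard: `if (binarySecurity != null) { addSupportingElement(cloneElement(binarySecurity.getElement())); }`. The enclosing method starts before this hunk.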

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java?rev=1149227&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
Thu Jul 21 15:37:07 2011
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of a Kerberos Token
+ * against the appropriate policy.
+ */
+public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
+    
+    private List<WSSecurityEngineResult> bstResults;
+    private Message message;
+
+    public KerberosTokenPolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results
+    ) {
+        this.message = message;
+        bstResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST, bstResults);
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> krbAis = aim.get(SP12Constants.KERBEROS_TOKEN);
+        if (krbAis != null && !krbAis.isEmpty()) {
+            for (AssertionInfo ai : krbAis) {
+                KerberosToken kerberosTokenPolicy = (KerberosToken)ai.getAssertion();
+                ai.setAsserted(true);
+                
+                if (!isTokenRequired(kerberosTokenPolicy, message)) {
+                    continue;
+                }
+                
+                if (bstResults.isEmpty()) {
+                    ai.setNotAsserted(
+                        "The received token does not match the token inclusion requirement"
+                    );
+                    return false;
+                }
+                
+                if (!checkToken(kerberosTokenPolicy)) {
+                    ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+    
+    private boolean checkToken(KerberosToken kerberosTokenPolicy) {
+        if (!bstResults.isEmpty()) {
+            boolean isV5ApReq = kerberosTokenPolicy.isV5ApReqToken11();
+            boolean isGssV5ApReq = kerberosTokenPolicy.isGssV5ApReqToken11();
+            
+            for (WSSecurityEngineResult result : bstResults) {
+                BinarySecurity binarySecurityToken = 
+                    (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                if (binarySecurityToken instanceof KerberosSecurity) {
+                    if (isV5ApReq && ((KerberosSecurity)binarySecurityToken).isV5ApReq())
{
+                        return true;
+                    } else if (isGssV5ApReq 
+                        && ((KerberosSecurity)binarySecurityToken).isGssV5ApReq())
{
+                        return true;
+                    } else if (!isV5ApReq && !isGssV5ApReq) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+}
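Review bot: `bstResults` collects every `WSConstants.BST` result, so the emptiness check in `validatePolicy` is satisfied by any BinarySecurityToken (an X.509 BST, for instance), and a message that carries no Kerberos token at all is then reported as "An incorrect Kerberos Token Type is detected" instead of as a missing token. Filtering to `KerberosSecurity` once in the constructor makes both diagnostics accurate and lets `checkToken` drop its redundant `!bstResults.isEmpty()` guard. Also note that a BST result here only shows WSS4J processed the token; whether the AP-REQ was actually verified is decided by whatever validator is configured for BSTs (see `SecurityConstants.BST_TOKEN_VALIDATOR`), which this class does not check — stating that in the class Javadoc would stop a passing policy check being read as proof of authentication.
```java
    public KerberosTokenPolicyValidator(
        Message message,
        List<WSSecurityEngineResult> results
    ) {
        this.message = message;
        bstResults = new ArrayList<WSSecurityEngineResult>();
        List<WSSecurityEngineResult> allBsts = new ArrayList<WSSecurityEngineResult>();
        WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST, allBsts);
        // Keep only Kerberos tokens so an unrelated BST cannot satisfy the presence check
        for (WSSecurityEngineResult result : allBsts) {
            Object bst = result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (bst instanceof KerberosSecurity) {
                bstResults.add(result);
            }
        }
    }
    // … unchanged: validatePolicy and checkToken …
```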


