From cohei...@apache.org
Subject svn commit: r1150738 - /cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
Date Mon, 25 Jul 2011 15:05:57 GMT
Author: coheigea
Date: Mon Jul 25 15:05:56 2011
New Revision: 1150738

URL: http://svn.apache.org/viewvc?rev=1150738&view=rev
Log:
Store TLS Peer Certificate principal on the message context in the WS-Security layer
 - Also fixing some failing system tests following an update to WSS4J.

Modified:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=1150738&r1=1150737&r2=1150738&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
Mon Jul 25 15:05:56 2011
@@ -20,6 +20,8 @@
 package org.apache.cxf.ws.security.policy.interceptors;
 
 import java.net.HttpURLConnection;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
@@ -33,6 +35,7 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.transport.http.MessageTrustDecider;
 import org.apache.cxf.transport.http.URLConnectionInfo;
@@ -164,6 +167,21 @@ public class HttpsTokenInterceptorProvid
                 }
                 if (!isRequestor(message)) {
                     assertHttps(ais, message);
+                    // Store the TLS principal on the message context
+                    SecurityContext sc = message.get(SecurityContext.class);
+                    if (sc == null || sc.getUserPrincipal() == null) {
+                        TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);     

+                        if (tlsInfo != null && tlsInfo.getPeerCertificates() != null

+                                && tlsInfo.getPeerCertificates().length > 0
+                                && (tlsInfo.getPeerCertificates()[0] instanceof X509Certificate)
+                        ) {
+                            X509Certificate cert = (X509Certificate)tlsInfo.getPeerCertificates()[0];
+                            message.put(
+                                SecurityContext.class, createSecurityContext(cert.getSubjectX500Principal())
+                            );
+                        } 
+                    }
+                    
                 } else {
                     //client side should be checked on the way out
                     for (AssertionInfo ai : ais) {
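Review bot: The principal stored by `message.put(SecurityContext.class, createSecurityContext(cert.getSubjectX500Principal()))` is whatever certificate sits first in `tlsInfo.getPeerCertificates()`, and nothing in the block records that its trustworthiness rests on the transport having already authenticated that chain during the handshake; the store is also not gated on the outcome of the preceding `assertHttps(ais, message)` call. The comment on the first added line should carry that assumption, e.g. `// Expose the TLS client certificate's subject as the user principal; relies on the transport having validated the peer chain`. Separately, `getPeerCertificates()` is evaluated four times across the condition and the cast; reading it once with `java.security.cert.Certificate[] certs = tlsInfo.getPeerCertificates();` and testing `certs != null && certs.length > 0 && certs[0] instanceof X509Certificate` is clearer and keeps the checked array and the cast array the same object. The enclosing method starts and ends outside the hunk.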
@@ -172,6 +190,7 @@ public class HttpsTokenInterceptorProvid
                 }
             }
         }
+        
         private void assertHttps(Collection<AssertionInfo> ais, Message message) {
             for (AssertionInfo ai : ais) {
                 boolean asserted = true;
@@ -207,5 +226,16 @@ public class HttpsTokenInterceptorProvid
                 ai.setAsserted(asserted);
             }
         }
+        
+        private SecurityContext createSecurityContext(final Principal p) {
+            return new SecurityContext() {
+                public Principal getUserPrincipal() {
+                    return p;
+                }
+                public boolean isUserInRole(String role) {
+                    return false;
+                }
+            };
+        }
     }
 }
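Review bot: `createSecurityContext` returns a context whose `isUserInRole` unconditionally answers false while `getUserPrincipal` succeeds, so any role-based authorization that consults this context will deny a caller who was nevertheless authenticated by client certificate; that asymmetry is not documented anywhere in the hunk. A Javadoc on the method should state it, e.g. `/** Wraps the TLS peer certificate's subject as the user principal. No role information is derivable from the certificate, so isUserInRole always returns false. */`. The anonymous class could also get a one-line comment saying it is intentionally minimal rather than a placeholder.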


