cxf-commits mailing list archives

From serg...@apache.org
Subject svn commit: r1362715 - in /cxf/branches/2.6.x-fixes: ./ api/src/main/java/org/apache/cxf/common/security/ rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/ rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/ systests/jaxrs...
Date Tue, 17 Jul 2012 23:00:55 GMT
Author: sergeyb
Date: Tue Jul 17 23:00:54 2012
New Revision: 1362715

URL: http://svn.apache.org/viewvc?rev=1362715&view=rev
Log:
Merged revisions 1362686,1362711 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1362686 | sergeyb | 2012-07-17 23:14:35 +0100 (Tue, 17 Jul 2012) | 1 line
  
  [CXF-4430] SpnegoAuthSupplier updates, also adding Kerberos interceptor and filter
........
  r1362711 | sergeyb | 2012-07-17 23:55:30 +0100 (Tue, 17 Jul 2012) | 1 line
  
  [CXF-4430] Updating the filter to check if the user name is null, optionally removing the
realm when setting up a security context
........

Added:
    cxf/branches/2.6.x-fixes/api/src/main/java/org/apache/cxf/common/security/SimpleSecurityContext.java
      - copied unchanged from r1362686, cxf/trunk/api/src/main/java/org/apache/cxf/common/security/SimpleSecurityContext.java
    cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthOutInterceptor.java
      - copied unchanged from r1362686, cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthOutInterceptor.java
    cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
      - copied, changed from r1362686, cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
    cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
      - copied unchanged from r1362686, cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
    cxf/branches/2.6.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
      - copied unchanged from r1362686, cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
    cxf/branches/2.6.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
      - copied unchanged from r1362686, cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
    cxf/branches/2.6.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
      - copied unchanged from r1362686, cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
    cxf/branches/2.6.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberosClient.xml
      - copied unchanged from r1362686, cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberosClient.xml
Modified:
    cxf/branches/2.6.x-fixes/   (props changed)
    cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java

Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
  Merged /cxf/trunk:r1362686,1362711

Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Copied: cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
(from r1362686, cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java)
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java?p2=cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java&p1=cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java&r1=1362686&r2=1362715&rev=1362715&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
Tue Jul 17 23:00:54 2012
@@ -58,6 +58,7 @@ public class KerberosAuthenticationFilte
     private String loginContextName;
     private String servicePrincipalName;
     private String realm;
+    private boolean keepUserPrincipalRealm = true;
     
     public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
         
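Review bot: the new `keepUserPrincipalRealm` field carries no comment explaining what it controls, even though setting it to false changes the name that ends up in the `SecurityContext`; a short javadoc stating that the default (`true`) keeps the `user@REALM` form and that `false` strips everything after the last '@' would help integrators choose deliberately.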
@@ -80,8 +81,21 @@ public class KerberosAuthenticationFilte
 
             Subject.doAs(serviceSubject, new ValidateServiceTicketAction(gssContext, serviceTicket));
             
-            final String clientName = gssContext.getSrcName().toString();            
-            m.put(SecurityContext.class, new SimpleSecurityContext(clientName));
+            GSSName srcName = gssContext.getSrcName();
+            if (srcName == null) {
+                throw new WebApplicationException(getFaultResponse());
+            }
+            
+            String userName = srcName.toString();
+            if (!keepUserPrincipalRealm) {
+                int index = userName.lastIndexOf('@');
+                if (index > 0) {
+                    userName = userName.substring(0, index);
+                    //TODO: still provide a complete user name via KerberosPrincipal
+                }
+            }
+            m.put(SecurityContext.class, new SimpleSecurityContext(userName));
+            
             
         } catch (LoginException e) {
             throw new WebApplicationException(getFaultResponse());
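Review bot: the realm-stripping branch collapses principals from different realms onto one username: with `keepUserPrincipalRealm` false, `alice@REALM-A` and `alice@REALM-B` both become `alice` in the `SimpleSecurityContext`, so any authorization keyed on the principal name can no longer tell them apart. The filter already has a `realm` field; consider stripping only when the suffix after the last '@' equals that configured realm, and resolve the TODO so the complete name remains available to callers that need it. Minor: the hunk adds two consecutive blank lines (one with trailing whitespace) before the `catch`, where one would do.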
@@ -167,6 +181,11 @@ public class KerberosAuthenticationFilte
         this.callbackHandler = callbackHandler;
     }
 
+    
+    public void setKeepUserPrincipalRealm(boolean keep) {
+        this.keepUserPrincipalRealm = keep;
+    }
+
     private final class ValidateServiceTicketAction implements PrivilegedExceptionAction<byte[]>
{
         private final GSSContext context;
         private final byte[] token;
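Review bot: `setKeepUserPrincipalRealm` is the only way to enable realm stripping and has no javadoc; document the consequence for principal-based authorization there, and drop the whitespace-only line added at the top of this hunk to match the surrounding style.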

Modified: cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java?rev=1362715&r1=1362714&r2=1362715&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java
Tue Jul 17 23:00:54 2012
@@ -19,42 +19,13 @@
 package org.apache.cxf.transport.http.auth;
 
 import java.net.URL;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import javax.security.auth.Subject;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
-import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
 
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.configuration.security.AuthorizationPolicy;
 import org.apache.cxf.message.Message;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
-
-public class SpnegoAuthSupplier implements HttpAuthSupplier {
-    /**
-     * Can be set on the jaxws:properties. If set to true then the kerberos oid is used
-     * instead of the default spnego OID
-     */
-    private static final String PROPERTY_USE_KERBEROS_OID = "auth.spnego.useKerberosOid";
-    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
-    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
 
-    private static final Logger LOG = LogUtils.getL7dLogger(SpnegoAuthSupplier.class);
+public class SpnegoAuthSupplier extends AbstractSpnegoAuthSupplier 
+    implements HttpAuthSupplier {
 
-    private LoginContext lc;
-    
     public boolean requiresRequestCaching() {
         return false;
     }
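Review bot: the removed constants `PROPERTY_USE_KERBEROS_OID` (`"auth.spnego.useKerberosOid"`), `KERBEROS_OID` and `SPNEGO_OID` are presumably now in `AbstractSpnegoAuthSupplier`, which this commit lists only as copied unchanged, so it cannot be checked here that the property name and the default of using the SPNEGO OID were preserved; please confirm, otherwise existing `jaxws:properties` configurations would silently fall back to the default OID. The javadoc that documented that property is also gone from this class and should now appear on the base class.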
@@ -63,117 +34,7 @@ public class SpnegoAuthSupplier implemen
                                     URL currentURL,
                                     Message message,
                                     String fullHeader) {
-        if (!HttpAuthHeader.AUTH_TYPE_NEGOTIATE.equals(authPolicy.getAuthorizationType()))
{
-            return null;
-        }
-        try {
-            String spn = "HTTP/" + currentURL.getHost();
-            LOG.fine("Adding authorization service ticket for service principal name: " +
spn);
-            
-            String userKerbOidSt = (String)message.getContextualProperty(PROPERTY_USE_KERBEROS_OID);
-            boolean useKerberosOid = "true".equals(userKerbOidSt);
-            Oid oid = new Oid(useKerberosOid ? KERBEROS_OID : SPNEGO_OID);
-
-            byte[] token = getToken(authPolicy, spn, oid);
-            return HttpAuthHeader.AUTH_TYPE_NEGOTIATE + " " + Base64Utility.encode(token);
-        } catch (LoginException e) {
-            throw new RuntimeException(e.getMessage(), e);
-        } catch (GSSException e) {
-            throw new RuntimeException(e.getMessage(), e);
-        }
-    }
-
-    /**
-     * Create and return service ticket token
-     * 
-     * @param authPolicy
-     * @param context
-     * @return
-     * @throws GSSException
-     * @throws LoginException
-     */
-    private byte[] getToken(AuthorizationPolicy authPolicy, final GSSContext context) throws
GSSException,
-            LoginException {
-        final byte[] token = new byte[0];
-
-        if (authPolicy.getUserName() == null || authPolicy.getUserName().trim().length()
== 0) {
-            return context.initSecContext(token, 0, token.length);
-        }
-
-        if (lc == null) {
-            lc = new LoginContext(authPolicy.getAuthorization(), getUsernamePasswordHandler(
-                authPolicy.getUserName(), authPolicy.getPassword()));
-            lc.login();
-        }
-
-        try {
-            return (byte[])Subject.doAs(lc.getSubject(), new CreateServiceTicketAction(context,
token));
-        } catch (PrivilegedActionException e) {
-            if (e.getCause() instanceof GSSException) {
-                throw (GSSException) e.getCause();
-            }
-            LOG.log(Level.SEVERE, "initSecContext", e);
-            return null;
-        }
-    }
-
-    /**
-     * Create and return a service ticket token for a given service principal
-     * name
-     * 
-     * @param authPolicy
-     * @param spn
-     * @return service ticket token
-     * @throws GSSException
-     * @throws LoginException
-     */
-    private byte[] getToken(AuthorizationPolicy authPolicy, String spn, Oid oid) throws GSSException,

-        LoginException {
-        GSSManager manager = GSSManager.getInstance();
-        GSSName serverName = manager.createName(spn, null);
-
-        GSSContext context = manager
-                .createContext(serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
-        // TODO Do we need mutual auth. Will the code we have really work with
-        // mutual auth?
-        context.requestMutualAuth(true);
-        // TODO Credential delegation could be a security hole if it was not
-        // intended. Both settings should be configurable
-        context.requestCredDeleg(true);
-
-        return getToken(authPolicy, context);
-    }
-
-    private final class CreateServiceTicketAction implements PrivilegedExceptionAction<byte[]>
{
-        private final GSSContext context;
-        private final byte[] token;
-
-        private CreateServiceTicketAction(GSSContext context, byte[] token) {
-            this.context = context;
-            this.token = token;
-        }
-
-        public byte[] run() throws GSSException {
-            return context.initSecContext(token, 0, token.length);
-        }
-    }
-    
-    public static CallbackHandler getUsernamePasswordHandler(final String username, final
String password) {
-        final CallbackHandler handler = new CallbackHandler() {
-
-            public void handle(final Callback[] callback) {
-                for (int i = 0; i < callback.length; i++) {
-                    if (callback[i] instanceof NameCallback) {
-                        final NameCallback nameCallback = (NameCallback) callback[i];
-                        nameCallback.setName(username);
-                    } else if (callback[i] instanceof PasswordCallback) {
-                        final PasswordCallback passCallback = (PasswordCallback) callback[i];
-                        passCallback.setPassword(password.toCharArray());
-                    }
-                }
-            }
-        };
-        return handler;
+        return super.getAuthorization(authPolicy, currentURL, message);
     }
 
 }
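Review bot: the removed implementation called `context.requestCredDeleg(true)` unconditionally, with a TODO noting that credential delegation can be a security hole and that both it and mutual auth should be configurable; the replacement `super.getAuthorization(authPolicy, currentURL, message)` hides whether that was addressed or merely relocated, so please confirm the base class makes delegation configurable rather than keeping it always on. Note also that `fullHeader` is no longer passed on, so the server's challenge is not consulted; that is acceptable for the initial Negotiate leg but deserves a comment since the method still receives the parameter.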


