From cohei...@apache.org
Subject svn commit: r1439438 - in /cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: AbstractTokenInterceptor.java KerberosTokenInterceptor.java SamlTokenInterceptor.java UsernameTokenInterceptor.java
Date Mon, 28 Jan 2013 15:01:04 GMT
Author: coheigea
Date: Mon Jan 28 15:01:03 2013
New Revision: 1439438

URL: http://svn.apache.org/viewvc?rev=1439438&view=rev
Log:
Merged revisions 1439427 via  git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes

........
  r1439427 | coheigea | 2013-01-28 14:39:15 +0000 (Mon, 28 Jan 2013) | 18 lines

  Merged revisions 1439416 via  git cherry-pick from
  https://svn.apache.org/repos/asf/cxf/branches/2.7.x-fixes

  ........
    r1439416 | coheigea | 2013-01-28 14:16:44 +0000 (Mon, 28 Jan 2013) | 10 lines

    Merged revisions 1439415 via  git cherry-pick from
    https://svn.apache.org/repos/asf/cxf/trunk

    ........
      r1439415 | coheigea | 2013-01-28 14:15:42 +0000 (Mon, 28 Jan 2013) | 2 lines

      Some updates to the token interceptors

    ........

  ........

........

Modified:
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java?rev=1439438&r1=1439437&r2=1439438&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
Mon Jan 28 15:01:03 2013
@@ -20,7 +20,7 @@
 package org.apache.cxf.ws.security.wss4j;
 
 import java.util.Collection;
-import java.util.HashSet;
+import java.util.Collections;
 import java.util.Set;
 import java.util.logging.Logger;
 
@@ -42,11 +42,13 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyException;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.ws.security.WSConstants;
@@ -58,11 +60,8 @@ import org.apache.ws.security.WSPassword
  */
 public abstract class AbstractTokenInterceptor extends AbstractSoapInterceptor {
     private static final Logger LOG = LogUtils.getL7dLogger(AbstractSoapInterceptor.class);
-    private static final Set<QName> HEADERS = new HashSet<QName>();
-    static {
-        HEADERS.add(new QName(WSConstants.WSSE_NS, "Security"));
-        HEADERS.add(new QName(WSConstants.WSSE11_NS, "Security"));
-    }
+    private static final Set<QName> HEADERS = 
+        Collections.singleton(new QName(WSConstants.WSSE_NS, "Security"));
 
     /**
      * @param p
@@ -109,6 +108,37 @@ public abstract class AbstractTokenInter
     
     protected abstract Token assertTokens(SoapMessage message);
     
+    protected Token assertTokens(SoapMessage message, QName assertion, boolean signed) {
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(assertion);
+        Token tok = null;
+        for (AssertionInfo ai : ais) {
+            tok = (Token)ai.getAssertion();
+            ai.setAsserted(true);                
+        }
+        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
+        for (AssertionInfo ai : ais) {
+            ai.setAsserted(true);
+        }
+        
+        if (signed || isTLSInUse(message)) {
+            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }
+        }
+        return tok;
+    }
+    
+    protected boolean isTLSInUse(SoapMessage message) {
+        // See whether TLS is in use or not
+        TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+        if (tlsInfo != null) {
+            return true;
+        }
+        return false;
+    }
+    
     protected CallbackHandler getCallback(SoapMessage message) {
         //Then try to get the password from the given callback handler
         Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
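Review bot: The `signed || isTLSInUse(message)` branch asserts SignedSupportingTokens whenever a TLSSessionInfo is present on the message, which only proves the transport was TLS, not that the policy in force is a TransportBinding; if this interceptor can run under a message-level binding, an unsigned token sent over TLS would mark SignedSupportingTokens as satisfied without any message signature covering it, so the check would be safer conditioned on the TransportBinding assertion as well — something to confirm against how these interceptors are wired. The same construct appears in the UsernameTokenInterceptor hunk around `if (signed || isTLSInUse(message))`. `aim` from `message.get(AssertionInfoMap.class)` is dereferenced without a null check, as the per-class code it replaces also did; an `if (aim == null) return null;` guard would avoid an NPE when no policy is attached, if callers can be reached without one. As a style point, `isTLSInUse` reduces to `return message.get(TLSSessionInfo.class) != null;`.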

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java?rev=1439438&r1=1439437&r2=1439438&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
Mon Jan 28 15:01:03 2013
@@ -21,7 +21,6 @@ package org.apache.cxf.ws.security.wss4j
 
 import java.security.Principal;
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.List;
 
 import javax.security.auth.callback.CallbackHandler;
@@ -37,14 +36,12 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
 import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDocInfo;
 import org.apache.ws.security.WSSConfig;
 import org.apache.ws.security.WSSecurityEngineResult;
@@ -75,7 +72,8 @@ public class KerberosTokenInterceptor ex
         Element el = (Element)h.getObject();
         Element child = DOMUtils.getFirstElement(el);
         while (child != null) {
-            if ("BinarySecurityToken".equals(child.getLocalName())) {
+            if (WSConstants.BINARY_TOKEN_LN.equals(child.getLocalName())
+                && WSConstants.WSSE_NS.equals(child.getNamespaceURI())) {
                 try {
                     List<WSSecurityEngineResult> bstResults = processToken(child, message);
                     if (bstResults != null) {
@@ -88,7 +86,7 @@ public class KerberosTokenInterceptor ex
                         WSHandlerResult rResult = new WSHandlerResult(null, bstResults);
                         results.add(0, rResult);
 
-                        assertTokens(message);
+                        assertTokens(message, SP12Constants.KERBEROS_TOKEN, false);
                         
                         Principal principal = 
                             (Principal)bstResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
@@ -145,25 +143,9 @@ public class KerberosTokenInterceptor ex
     }
     
     protected Token assertTokens(SoapMessage message) {
-        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.KERBEROS_TOKEN);
-        KerberosToken tok = null;
-        for (AssertionInfo ai : ais) {
-            tok = (KerberosToken)ai.getAssertion();
-            ai.setAsserted(true);                
-        }
-        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
-        for (AssertionInfo ai : ais) {
-            ai.setAsserted(true);
-        }
-        ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
-        for (AssertionInfo ai : ais) {
-            ai.setAsserted(true);
-        }
-        return tok;
+        return assertTokens(message, SP12Constants.KERBEROS_TOKEN, true);
     }
 
-
     protected void addToken(SoapMessage message) {
         SecurityToken securityToken = getSecurityToken(message);
         if (securityToken == null || securityToken.getToken() == null) {

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java?rev=1439438&r1=1439437&r2=1439438&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
Mon Jan 28 15:01:03 2013
@@ -51,6 +51,7 @@ import org.apache.cxf.ws.security.Securi
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
 import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDocInfo;
 import org.apache.ws.security.WSPasswordCallback;
 import org.apache.ws.security.WSSConfig;
@@ -86,7 +87,9 @@ public class SamlTokenInterceptor extend
         Element el = (Element)h.getObject();
         Element child = DOMUtils.getFirstElement(el);
         while (child != null) {
-            if ("Assertion".equals(child.getLocalName())) {
+            if ("Assertion".equals(child.getLocalName())
+                && (WSConstants.SAML_NS.equals(child.getNamespaceURI())
+                    || WSConstants.SAML2_NS.equals(child.getNamespaceURI()))) {
                 try {
                     List<WSSecurityEngineResult> samlResults = processToken(child,
message);
                     if (samlResults != null) {
@@ -99,7 +102,16 @@ public class SamlTokenInterceptor extend
                         WSHandlerResult rResult = new WSHandlerResult(null, samlResults);
                         results.add(0, rResult);
 
-                        assertTokens(message);
+                        boolean signed = false;
+                        for (WSSecurityEngineResult result : samlResults) {
+                            AssertionWrapper wrapper = 
+                                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                            if (wrapper.isSigned()) {
+                                signed = true;
+                                break;
+                            }
+                        }
+                        assertTokens(message, SP12Constants.SAML_TOKEN, signed);
                         
                         Principal principal = 
                             (Principal)samlResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
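Review bot: The `signed` flag passed to `assertTokens` is derived from `wrapper.isSigned()`, i.e. whether the SAML assertion carries its own issuer (enveloped) signature, which is a different property from the token being covered by the message signature that SignedSupportingTokens is about; without TLS, an issuer-signed assertion would therefore satisfy SignedSupportingTokens even though nothing binds it to this message, so either the flag should be computed from the message-level signature results or the distinction should be stated. A comment such as `// "signed" here means the assertion is issuer-signed, not covered by the message signature` would at least make that visible at the call site. `wrapper` is dereferenced without a null check; if every result `processToken` returns for an Assertion element is guaranteed to carry TAG_SAML_ASSERTION that is fine, otherwise `if (wrapper != null && wrapper.isSigned())` is the safer form. The enclosing method continues outside the hunk.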
@@ -163,25 +175,9 @@ public class SamlTokenInterceptor extend
     }
 
     protected Token assertTokens(SoapMessage message) {
-        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.SAML_TOKEN);
-        SamlToken tok = null;
-        for (AssertionInfo ai : ais) {
-            tok = (SamlToken)ai.getAssertion();
-            ai.setAsserted(true);                
-        }
-        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
-        for (AssertionInfo ai : ais) {
-            ai.setAsserted(true);
-        }
-        ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
-        for (AssertionInfo ai : ais) {
-            ai.setAsserted(true);
-        }
-        return tok;
+        return assertTokens(message, SP12Constants.SAML_TOKEN, true);
     }
 
-
     protected void addToken(SoapMessage message) {
         WSSConfig.init();
         SamlToken tok = (SamlToken)assertTokens(message);

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=1439438&r1=1439437&r2=1439438&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
Mon Jan 28 15:01:03 2013
@@ -78,7 +78,8 @@ public class UsernameTokenInterceptor ex
         Element el = (Element)h.getObject();
         Element child = DOMUtils.getFirstElement(el);
         while (child != null) {
-            if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName())) {
+            if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName())
+                && WSConstants.WSSE_NS.equals(child.getNamespaceURI())) {
                 try  {
                     final WSUsernameTokenPrincipal princ = getPrincipal(child, message);
                     if (princ != null) {
@@ -97,7 +98,7 @@ public class UsernameTokenInterceptor ex
                         WSHandlerResult rResult = new WSHandlerResult(null, v);
                         results.add(0, rResult);
 
-                        assertTokens(message, princ);
+                        assertTokens(message, princ, false);
                         message.put(WSS4JInInterceptor.PRINCIPAL_RESULT, princ);        
          
                         
                         SecurityContext sc = message.get(SecurityContext.class);
@@ -205,10 +206,14 @@ public class UsernameTokenInterceptor ex
     }
     
     protected UsernameToken assertTokens(SoapMessage message) {
-        return (UsernameToken)assertTokens(message, null);
+        return (UsernameToken)assertTokens(message, SP12Constants.USERNAME_TOKEN, true);
     }
     
-    private UsernameToken assertTokens(SoapMessage message, WSUsernameTokenPrincipal princ)
{
+    private UsernameToken assertTokens(
+        SoapMessage message, 
+        WSUsernameTokenPrincipal princ,
+        boolean signed
+    ) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.USERNAME_TOKEN);
         UsernameToken tok = null;
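Review bot: The private `assertTokens(SoapMessage, WSUsernameTokenPrincipal, boolean)` keeps a local copy of the assertion logic that the base class now provides in `assertTokens(message, assertion, signed)`, so the USERNAME_TOKEN path has two implementations to keep in sync; `princ` is not used in the visible part of the body, and if the remainder of the method (which continues past the hunk) does not use it either, the overload could be reduced to `return (UsernameToken)assertTokens(message, SP12Constants.USERNAME_TOKEN, signed);`. A line of Javadoc on the private overload stating why it exists separately from the base implementation would help the next reader.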
@@ -227,9 +232,11 @@ public class UsernameTokenInterceptor ex
         for (AssertionInfo ai : ais) {
             ai.setAsserted(true);
         }
-        ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
-        for (AssertionInfo ai : ais) {
-            ai.setAsserted(true);
+        if (signed || isTLSInUse(message)) {
+            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }
         }
         return tok;
     }
@@ -255,7 +262,7 @@ public class UsernameTokenInterceptor ex
     }
 
     protected void addToken(SoapMessage message) {
-        UsernameToken tok = assertTokens(message, null);
+        UsernameToken tok = assertTokens(message);
 
         Header h = findSecurityHeader(message, true);
         WSSecUsernameToken utBuilder = 


