From cohei...@apache.org
Subject svn commit: r1497374 - in /cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/KerberosTokenInterceptorProvider.java wss4j/policyhandlers/SymmetricBindingHandler.java
Date Thu, 27 Jun 2013 14:30:40 GMT
Author: coheigea
Date: Thu Jun 27 14:30:37 2013
New Revision: 1497374

URL: http://svn.apache.org/r1497374
Log:
[CXF-5098] - References to Kerberos Tokens are not created correctly in responses


Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java

Modified:
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java?rev=1497374&r1=1497373&r2=1497374&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
Thu Jun 27 14:30:37 2013
@@ -48,10 +48,13 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
 import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.utils.Base64;
 
 /**
  * 
@@ -127,6 +130,11 @@ public class KerberosTokenInterceptorPro
                         message.getExchange().put(SecurityConstants.TOKEN_ID, 
                                                   tok.getId());
                         getTokenStore(message).add(tok);
+                        
+                        // Create another cache entry with the SHA1 Identifier as the key
for easy retrieval
+                        if (tok.getSHA1() != null) {
+                            getTokenStore(message).add(tok.getSHA1(), tok);
+                        }
                     }
                 } else {
                     //server side should be checked on the way in
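Review bot: `getTokenStore(message)` is resolved twice in a row in this hunk, once for `add(tok)` and again for the new SHA1-keyed entry; hoisting it keeps both inserts against the same store instance and reads more clearly: `TokenStore store = getTokenStore(message); store.add(tok); if (tok.getSHA1() != null) { store.add(tok.getSHA1(), tok); }`. Since the token is now reachable under two keys, any code path that later removes or replaces the token by id presumably needs to drop the SHA1 entry as well — that is not visible here, so a short comment at the second `add` stating that the two entries must be kept in step would help the next maintainer. The enclosing method begins and ends outside the hunk.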
@@ -213,6 +221,12 @@ public class KerberosTokenInterceptorPro
         SecurityToken token = new SecurityToken(binarySecurityToken.getID());
         token.setToken(binarySecurityToken.getElement());
         token.setTokenType(binarySecurityToken.getValueType());
+        byte[] tokenBytes = binarySecurityToken.getToken();
+        try {
+            token.setSHA1(Base64.encode(WSSecurityUtil.generateDigest(tokenBytes)));
+        } catch (WSSecurityException e) {
+            // Just consume this for now as it isn't critical...
+        }
         return token;
     }
         
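Review bot: The empty `catch (WSSecurityException e)` at the end of the hunk hides a digest failure, which leaves `token.getSHA1()` null and silently disables both the SHA1-keyed cache entry and the Kerberos key-identifier references this commit adds in SymmetricBindingHandler; it should at least be logged, e.g. `LOG.log(Level.FINE, "Could not compute the SHA-1 identifier of the Kerberos token", e);` (assuming the class has the usual `LOG`, otherwise one should be added). `binarySecurityToken.getToken()` may presumably return null for a token without content, in which case `WSSecurityUtil.generateDigest(tokenBytes)` would fail with an unchecked exception rather than the caught one — a `tokenBytes != null` guard before the digest would make that explicit; TODO confirm against the BinarySecurity contract. The enclosing method starts outside the hunk.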

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1497374&r1=1497373&r2=1497374&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Thu Jun 27 14:30:37 2013
@@ -421,10 +421,17 @@ public class SymmetricBindingHandler ext
                 // attached use key identifier as defined in WSS1.1 section
                 // 7.7 Encrypted Key reference
                 SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart());
-                tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
                 String tokenType = encrTok.getTokenType();
-                if (tokenType == null) {
-                    tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
+                if (encrToken instanceof KerberosToken) {
+                    tokenRef.setKeyIdentifier(WSConstants.WSS_KRB_KI_VALUE_TYPE, encrTok.getSHA1(),
true);
+                    if (tokenType == null) {
+                        tokenType = WSConstants.WSS_GSS_KRB_V5_AP_REQ;
+                    }
+                } else {
+                    tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
+                    if (tokenType == null) {
+                        tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
+                    }
                 }
                 tokenRef.addTokenType(tokenType);
                 dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
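Review bot: The Kerberos-vs-EncryptedKey reference branch introduced here is duplicated in the hunk at `@@ -633,10 +643,17 @@` (same `setKeyIdentifier`/`setKeyIdentifierEncKeySHA1` split, same token-type defaults), and the two copies already diverge in one respect: the later one sits under a `tok.getSHA1() != null` guard while this one passes `encrTok.getSHA1()` to `setKeyIdentifier` unguarded, so a token whose digest was not computed would get a null KeyIdentifier here. A private helper taking the reference, the token and a `kerberos` flag keeps both sites in step and reduces each call site to one line; the null guard can then live in one place. `encrToken` is defined outside the hunk, and the enclosing method begins and ends outside it.
```java
// … unchanged: SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart()); …
addDigestKeyReference(tokenRef, encrTok, encrToken instanceof KerberosToken);
// … unchanged: dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement()); …

// … new private helper, placed alongside the other helpers of this class …
/**
 * Fills a WSS 1.1 section 7.7 style reference to a token that is identified by the
 * SHA-1 digest of its bytes: a Kerberos KeyIdentifier for Kerberos tokens, an
 * EncryptedKeySHA1 KeyIdentifier otherwise. The TokenType defaults to the value
 * type matching the reference kind when the cached token carries none.
 */
private void addDigestKeyReference(SecurityTokenReference tokenRef, SecurityToken tok, boolean kerberos) {
    String tokenType = tok.getTokenType();
    if (kerberos) {
        tokenRef.setKeyIdentifier(WSConstants.WSS_KRB_KI_VALUE_TYPE, tok.getSHA1(), true);
        if (tokenType == null) {
            tokenType = WSConstants.WSS_GSS_KRB_V5_AP_REQ;
        }
    } else {
        tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
        if (tokenType == null) {
            tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
        }
    }
    tokenRef.addTokenType(tokenType);
}
```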
@@ -569,6 +576,9 @@ public class SymmetricBindingHandler ext
                         }
                     } else if (encrToken instanceof UsernameToken) {
                         encr.setCustomReferenceValue(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
+                    } else if (encrToken instanceof KerberosToken && !isRequestor())
{
+                        encr.setCustomReferenceValue(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+                        encr.setEncKeyId(encrTok.getSHA1());
                     } else if (!isRequestor()) {
                         if (encrTok.getSHA1() != null) {
                             encr.setCustomReferenceValue(encrTok.getSHA1());
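Review bot: `encr.setEncKeyId(encrTok.getSHA1())` in the new Kerberos branch is applied without the `encrTok.getSHA1() != null` check that the sibling `!isRequestor()` branch immediately below performs, so a token whose digest could not be computed (the interceptor side of this commit swallows that failure) would be referenced with a null key identifier. Adding the check to the condition lets such tokens fall through to the existing handling: `} else if (encrToken instanceof KerberosToken && !isRequestor() && encrTok.getSHA1() != null) {`. The enclosing method begins and ends outside the hunk.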
@@ -633,10 +643,17 @@ public class SymmetricBindingHandler ext
             // 7.7 Encrypted Key reference
             SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
             if (tok.getSHA1() != null) {
-                tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
                 String tokenType = tok.getTokenType();
-                if (tokenType == null) {
-                    tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
+                if (policyToken instanceof KerberosToken) {
+                    tokenRef.setKeyIdentifier(WSConstants.WSS_KRB_KI_VALUE_TYPE, tok.getSHA1(),
true);
+                    if (tokenType == null) {
+                        tokenType = WSConstants.WSS_GSS_KRB_V5_AP_REQ;
+                    }
+                } else {
+                    tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
+                    if (tokenType == null) {
+                        tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
+                    }
                 }
                 tokenRef.addTokenType(tokenType);
             }
@@ -729,6 +746,7 @@ public class SymmetricBindingHandler ext
             // be used in the wsse:Reference in ds:KeyInfo
             int type = included ? WSConstants.CUSTOM_SYMM_SIGNING 
                 : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
+            String sigTokId = tok.getId();
             if (policyToken instanceof X509Token) {
                 if (isRequestor()) {
                     sig.setCustomTokenValueType(
@@ -743,6 +761,15 @@ public class SymmetricBindingHandler ext
             } else if (policyToken instanceof UsernameToken) {
                 sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
                 sig.setKeyIdentifierType(type);
+            } else if (policyToken instanceof KerberosToken) {
+                if (isRequestor()) {
+                    sig.setCustomTokenValueType(tok.getTokenType());
+                    sig.setKeyIdentifierType(type);
+                } else {
+                    sig.setCustomTokenValueType(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+                    sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                    sigTokId = tok.getSHA1();
+                }
             } else {
                 //Setting the AttachedReference or the UnattachedReference according to the
flag
                 Element ref;
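Review bot: On the non-requestor side the new Kerberos branch sets `sigTokId = tok.getSHA1()` together with `CUSTOM_KEY_IDENTIFIER`, but the `if (included)` block in the hunk at `@@ -774,7 +801,6 @@` then unconditionally overwrites `sigTokId` with `tok.getWsuId()`, so whenever `included` is true for a Kerberos response the KeyIdentifier value would be a wsu:Id rather than the SHA-1 digest. Presumably `included` is false on the server side here, but nothing in these hunks enforces it; either guard the override, `if (included && !(policyToken instanceof KerberosToken && !isRequestor())) {`, or state the assumption in a comment at the new branch, e.g. `// server side: reference the token by its SHA-1 KeyIdentifier; assumes the token itself is not included in the response`. In the requestor branch `sig.setCustomTokenValueType(tok.getTokenType())` passes the cached type through unchecked, which may be null if the token carried no ValueType — worth a default or a comment. The enclosing method begins and ends outside the hunk.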
@@ -774,7 +801,6 @@ public class SymmetricBindingHandler ext
                 }
             }
             
-            String sigTokId;
             if (included) {
                 sigTokId = tok.getWsuId();
                 if (sigTokId == null) {
@@ -787,8 +813,6 @@ public class SymmetricBindingHandler ext
                 if (sigTokId.startsWith("#")) {
                     sigTokId = sigTokId.substring(1);
                 }
-            } else {
-                sigTokId = tok.getId();
             }
                       
             if (included && sbinding.isTokenProtection()) {


