Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6B61CC7A5 for ; Thu, 27 Jun 2013 14:31:02 +0000 (UTC) Received: (qmail 98334 invoked by uid 500); 27 Jun 2013 14:31:02 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 98268 invoked by uid 500); 27 Jun 2013 14:31:01 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 98259 invoked by uid 99); 27 Jun 2013 14:31:01 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Jun 2013 14:31:01 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Jun 2013 14:30:59 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 75FFF2388993; Thu, 27 Jun 2013 14:30:40 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1497374 - in /cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/KerberosTokenInterceptorProvider.java wss4j/policyhandlers/SymmetricBindingHandler.java Date: Thu, 27 Jun 2013 14:30:40 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20130627143040.75FFF2388993@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: coheigea
Date: Thu Jun 27 14:30:37 2013
New Revision: 1497374
URL: http://svn.apache.org/r1497374
Log: [CXF-5098] - References to Kerberos Tokens are not created correctly in responses
Conflicts: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java?rev=1497374&r1=1497373&r2=1497374&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java Thu Jun 27 14:30:37 2013
@@ -48,10 +48,13 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
 import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.utils.Base64;
 /**
 *
@@ -127,6 +130,11 @@ public class KerberosTokenInterceptorPro
 message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getId());
 getTokenStore(message).add(tok);
+
+ // Create another cache entry with the SHA1 Identifier as the key for easy retrieval
+ if (tok.getSHA1() != null) {
+ getTokenStore(message).add(tok.getSHA1(), tok);
+ }
 }
 } else {
 //server side should be checked on the way in
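Review bot: The new comment on the second cache entry says it is "for easy retrieval" but not by whom or against what, so a reader cannot tell that the key must equal the value later placed in a WSS_KRB_KI_VALUE_TYPE KeyIdentifier by the SymmetricBindingHandler hunks of this same commit. Suggest making the contract explicit: `// Also key the token by its SHA1 identifier so a later KeyIdentifier reference carrying that value (see SymmetricBindingHandler) resolves to this token`. The two `getTokenStore(message)` calls in the same block could also be hoisted into one local, `TokenStore store = getTokenStore(message);`, if that type name is already in scope here. The enclosing method starts and ends outside the hunk.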
@@ -213,6 +221,12 @@ public class KerberosTokenInterceptorPro
 SecurityToken token = new SecurityToken(binarySecurityToken.getID());
 token.setToken(binarySecurityToken.getElement());
 token.setTokenType(binarySecurityToken.getValueType());
+ byte[] tokenBytes = binarySecurityToken.getToken();
+ try {
+ token.setSHA1(Base64.encode(WSSecurityUtil.generateDigest(tokenBytes)));
+ } catch (WSSecurityException e) {
+ // Just consume this for now as it isn't critical...
+ }
 return token;
 }
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1497374&r1=1497373&r2=1497374&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Thu Jun 27 14:30:37 2013
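Review bot: The new catch block swallows WSSecurityException with no trace and the token is then returned with a null SHA1, yet the SymmetricBindingHandler hunks in this same commit pass `getSHA1()` straight into `setKeyIdentifier`, `setEncKeyId` and `sigTokId`, so a digest failure here only surfaces later as a response reference with no identifier value. At minimum record the cause where it happens: replace the `// Just consume this for now...` comment with a log call through whatever logger this class already declares, e.g. `LOG.log(Level.FINE, "Could not compute SHA1 key identifier for Kerberos token", e);`. The SHA-1 is presumably the profile-defined token identifier rather than a security hash choice, so the algorithm itself is not the concern. The enclosing method starts outside the hunk.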
@@ -421,10 +421,17 @@ public class SymmetricBindingHandler ext
 // attached use key identifier as defined in WSS1.1 section
 // 7.7 Encrypted Key reference
 SecurityTokenReference tokenRef = new SecurityTokenReference(saaj.getSOAPPart());
- tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
 String tokenType = encrTok.getTokenType();
- if (tokenType == null) {
- tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
+ if (encrToken instanceof KerberosToken) {
+ tokenRef.setKeyIdentifier(WSConstants.WSS_KRB_KI_VALUE_TYPE, encrTok.getSHA1(), true);
+ if (tokenType == null) {
+ tokenType = WSConstants.WSS_GSS_KRB_V5_AP_REQ;
+ }
+ } else {
+ tokenRef.setKeyIdentifierEncKeySHA1(encrTok.getSHA1());
+ if (tokenType == null) {
+ tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
+ }
 }
 tokenRef.addTokenType(tokenType);
 dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
@@ -569,6 +576,9 @@ public class SymmetricBindingHandler ext
 }
 } else if (encrToken instanceof UsernameToken) {
 encr.setCustomReferenceValue(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
+ } else if (encrToken instanceof KerberosToken && !isRequestor()) {
+ encr.setCustomReferenceValue(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+ encr.setEncKeyId(encrTok.getSHA1());
 } else if (!isRequestor()) {
 if (encrTok.getSHA1() != null) {
 encr.setCustomReferenceValue(encrTok.getSHA1());
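Review bot: The new Kerberos branch in the -421 hunk calls `tokenRef.setKeyIdentifier(WSConstants.WSS_KRB_KI_VALUE_TYPE, encrTok.getSHA1(), true)` with no null check on the SHA1, whereas the parallel block at -633 in this same file only runs inside `if (tok.getSHA1() != null)`, and the KerberosTokenInterceptorProvider change in this commit deliberately leaves SHA1 null when the digest fails. I cannot see what setKeyIdentifier does with a null value, but a KeyIdentifier element with no value is not something the peer can resolve. Suggest checking `encrTok.getSHA1() != null` before this branch and failing with a clear exception when it is missing, rather than emitting a reference the recipient cannot match. The enclosing method starts and ends outside the hunk.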
@@ -633,10 +643,17 @@ public class SymmetricBindingHandler ext
 // 7.7 Encrypted Key reference
 SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
 if (tok.getSHA1() != null) {
- tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
 String tokenType = tok.getTokenType();
- if (tokenType == null) {
- tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
+ if (policyToken instanceof KerberosToken) {
+ tokenRef.setKeyIdentifier(WSConstants.WSS_KRB_KI_VALUE_TYPE, tok.getSHA1(), true);
+ if (tokenType == null) {
+ tokenType = WSConstants.WSS_GSS_KRB_V5_AP_REQ;
+ }
+ } else {
+ tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
+ if (tokenType == null) {
+ tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
+ }
 }
 tokenRef.addTokenType(tokenType);
 }
@@ -729,6 +746,7 @@ public class SymmetricBindingHandler ext
 // be used in the wsse:Reference in ds:KeyInfo
 int type = included ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
+ String sigTokId = tok.getId();
 if (policyToken instanceof X509Token) {
 if (isRequestor()) {
 sig.setCustomTokenValueType(
@@ -743,6 +761,15 @@ public class SymmetricBindingHandler ext
 } else if (policyToken instanceof UsernameToken) {
 sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
 sig.setKeyIdentifierType(type);
+ } else if (policyToken instanceof KerberosToken) {
+ if (isRequestor()) {
+ sig.setCustomTokenValueType(tok.getTokenType());
+ sig.setKeyIdentifierType(type);
+ } else {
+ sig.setCustomTokenValueType(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ sigTokId = tok.getSHA1();
+ }
 } else {
 //Setting the AttachedReference or the UnattachedReference according to the flag
 Element ref;
@@ -774,7 +801,6 @@ public class SymmetricBindingHandler ext
 }
 }
- String sigTokId;
 if (included) {
 sigTokId = tok.getWsuId();
 if (sigTokId == null) {
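Review bot: In the -743 hunk the server-side Kerberos branch sets `sigTokId = tok.getSHA1()` together with `CUSTOM_KEY_IDENTIFIER`, but the `if (included)` block visible in the -774 hunk just below then overwrites sigTokId with `tok.getWsuId()` unconditionally, so if `included` is ever true on this path the signature would carry a KeyIdentifier of type WSS_KRB_KI_VALUE_TYPE holding a wsu:Id instead of the SHA1. Whether a non-requestor Kerberos token can be `included` is not visible here; if it cannot, a one-line comment in the branch saying so (`// server side: token is never included, so sigTokId stays the SHA1 key identifier`) would protect the invariant, otherwise the `if (included)` assignment needs to skip this case. Separately, `tok.getSHA1()` may be null because the provider change in this commit swallows the digest failure, and nothing on the non-included path checks sigTokId before it reaches the signature builder. The enclosing method starts and ends outside the hunk.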
@@ -787,8 +813,6 @@ public class SymmetricBindingHandler ext
 if (sigTokId.startsWith("#")) {
 sigTokId = sigTokId.substring(1);
 }
- } else {
- sigTokId = tok.getId();
 }
 if (included && sbinding.isTokenProtection()) {