cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1537125 - in /cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts: operation/AbstractOperation.java operation/TokenIssueOperation.java token/canceller/SCTCanceller.java
Date Wed, 30 Oct 2013 15:12:02 GMT
Author: coheigea
Date: Wed Oct 30 15:12:01 2013
New Revision: 1537125

URL: http://svn.apache.org/r1537125
Log:
Added some functionality to the STS to get it working with streaming WS-Security

Modified:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java?rev=1537125&r1=1537124&r2=1537125&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
Wed Oct 30 15:12:01 2013
@@ -85,6 +85,12 @@ import org.apache.wss4j.dom.handler.WSHa
 import org.apache.wss4j.dom.message.WSSecEncrypt;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 
 /**
  * This abstract class contains some common functionality for different operations.
@@ -532,6 +538,7 @@ public abstract class AbstractOperation 
         @SuppressWarnings("unchecked")
         List<WSHandlerResult> results = 
             (List<WSHandlerResult>) context.get(WSHandlerConstants.RECV_RESULTS);
+        // DOM
         if (results != null) {
             for (WSHandlerResult rResult : results) {
                 List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
@@ -548,6 +555,31 @@ public abstract class AbstractOperation 
                 }
             }
         }
+        
+        // Streaming
+        @SuppressWarnings("unchecked")
+        final List<SecurityEvent> incomingEventList = 
+            (List<SecurityEvent>) context.get(SecurityEvent.class.getName() + ".in");
+        if (incomingEventList != null) {
+            for (SecurityEvent incomingEvent : incomingEventList) {
+                if (WSSecurityEventConstants.SignedPart == incomingEvent.getSecurityEventType()
+                    || WSSecurityEventConstants.SignedElement 
+                        == incomingEvent.getSecurityEventType()) {
+                    org.apache.xml.security.stax.securityToken.SecurityToken token = 
+                        ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken();
+                    try {
+                        if (token != null && token.getX509Certificates() != null
+                            && token.getX509Certificates().length > 0) {
+                            return token.getX509Certificates()[0];
+                        }
+                    } catch (XMLSecurityException ex) {
+                        LOG.log(Level.FINE, ex.getMessage(), ex);
+                        return null;
+                    }
+                }
+            }
+        }
+        
         return null;
     }
     
@@ -718,4 +750,24 @@ public abstract class AbstractOperation 
             eventPublisher.handleSTSEvent(event);
         }
     }
+    
+    protected static org.apache.xml.security.stax.securityToken.SecurityToken 
+    findInboundSecurityToken(
+        SecurityEventConstants.Event event,
+        MessageContext messageContext
+    ) throws XMLSecurityException {
+        @SuppressWarnings("unchecked")
+        final List<SecurityEvent> incomingEventList = 
+            (List<SecurityEvent>) messageContext.get(SecurityEvent.class.getName()
+ ".in");
+        if (incomingEventList != null) {
+            for (SecurityEvent incomingEvent : incomingEventList) {
+                if (event == incomingEvent.getSecurityEventType()) {
+                    org.apache.xml.security.stax.securityToken.SecurityToken token = 
+                        ((TokenSecurityEvent<?>)incomingEvent).getSecurityToken();
+                    return token;
+                }
+            }
+        }
+        return null;
+    }
 }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java?rev=1537125&r1=1537124&r2=1537125&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
Wed Oct 30 15:12:01 2013
@@ -387,23 +387,35 @@ public class TokenIssueOperation extends
         final List<WSHandlerResult> handlerResults = 
             CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
 
+        // Try DOM results first
         if (handlerResults != null && handlerResults.size() > 0) {
             WSHandlerResult handlerResult = handlerResults.get(0);
             List<WSSecurityEngineResult> engineResults = handlerResult.getResults();
 
             for (WSSecurityEngineResult engineResult : engineResults) {
-                /*
-                   Integer actInt = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
-                    String id = (String)engineResult.get(WSSecurityEngineResult.TAG_ID);
-                    Element tokenElement = 
-                        (Element)engineResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
-                 */
                 Object token = engineResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 if (token instanceof SamlAssertionWrapper) {
                     return (SamlAssertionWrapper)token;
                 }
             }
         }
+        
+        // Now try steaming results
+        /*
+         * TODO Uncomment this after we release a beta/RC
+        try {
+            org.apache.xml.security.stax.securityToken.SecurityToken securityToken = 
+                findInboundSecurityToken(WSSecurityEventConstants.SamlToken, messageContext);
+            if (securityToken instanceof SamlSecurityToken
+                && ((SamlSecurityToken)securityToken).getSamlAssertionWrapper() !=
null) {
+                return ((SamlSecurityToken)securityToken).getSamlAssertionWrapper();
+            }
+        } catch (XMLSecurityException e) {
+            LOG.log(Level.FINE, e.getMessage(), e);
+            return null;
+        }
+        */
+        
         return null;
     }
 

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java?rev=1537125&r1=1537124&r2=1537125&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
Wed Oct 30 15:12:01 2013
@@ -19,15 +19,16 @@
 
 package org.apache.cxf.sts.token.canceller;
 
+import java.security.Key;
 import java.util.Arrays;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.SecretKey;
 import javax.xml.ws.handler.MessageContext;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.sts.request.ReceivedToken;
@@ -41,6 +42,10 @@ import org.apache.wss4j.dom.WSSecurityEn
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.token.SecurityContextToken;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 
 /**
  * This class cancels a SecurityContextToken.
@@ -118,8 +123,34 @@ public class SCTCanceller implements Tok
     }
     
     private boolean matchKey(TokenCancellerParameters tokenParameters, byte[] secretKey)
{
-        boolean result = false;
         MessageContext messageContext = tokenParameters.getWebServiceContext().getMessageContext();
+
+        if (matchDOMSignatureSecret(messageContext, secretKey)) {
+            return true;
+        }
+        
+        try {
+            if (matchStreamingSignatureSecret(messageContext, secretKey)) {
+                return true;
+            }
+        } catch (XMLSecurityException ex) {
+            LOG.log(Level.FINE, ex.getMessage(), ex);
+            return false;
+        }
+
+        return false;
+    }
+
+    /**
+     * Set whether proof of possession is required or not to cancel a token
+     */
+    public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
+        this.verifyProofOfPossession = verifyProofOfPossession;
+    }
+    
+    private boolean matchDOMSignatureSecret(
+        MessageContext messageContext, byte[] secretToMatch
+    ) {
         final List<WSHandlerResult> handlerResults = 
             CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
 
@@ -131,7 +162,7 @@ public class SCTCanceller implements Tok
                 Integer action = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
                 if (action.equals(WSConstants.SIGN)) {
                     byte[] receivedKey = (byte[])engineResult.get(WSSecurityEngineResult.TAG_SECRET);
-                    if (Arrays.equals(secretKey, receivedKey)) {
+                    if (Arrays.equals(secretToMatch, receivedKey)) {
                         LOG.log(
                             Level.FINE, 
                             "Verification of the proof of possession of the key associated
with "
@@ -142,14 +173,41 @@ public class SCTCanceller implements Tok
                 }
             }
         }
-
-        return result;
+        
+        return false;
     }
-
-    /**
-     * Set whether proof of possession is required or not to cancel a token
-     */
-    public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
-        this.verifyProofOfPossession = verifyProofOfPossession;
+    
+    private boolean matchStreamingSignatureSecret(
+        MessageContext messageContext, byte[] secretToMatch
+    ) throws XMLSecurityException {
+        @SuppressWarnings("unchecked")
+        final List<SecurityEvent> incomingEventList = 
+            (List<SecurityEvent>) messageContext.get(SecurityEvent.class.getName()
+ ".in");
+        if (incomingEventList != null) {
+            for (SecurityEvent incomingEvent : incomingEventList) {
+                if (WSSecurityEventConstants.SignedPart == incomingEvent.getSecurityEventType()
+                    || WSSecurityEventConstants.SignedElement 
+                        == incomingEvent.getSecurityEventType()) {
+                    org.apache.xml.security.stax.securityToken.SecurityToken token = 
+                        ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken();
+                    if (token != null && token.getSecretKey() != null) {
+                        for (String key : token.getSecretKey().keySet()) {
+                            Key keyObject = token.getSecretKey().get(key);
+                            if (keyObject instanceof SecretKey
+                                && Arrays.equals(secretToMatch, ((SecretKey)keyObject).getEncoded()))
{
+                                LOG.log(
+                                    Level.FINE, 
+                                    "Verification of the proof of possession of the key associated
with "
+                                    + "the security context successful."
+                                );
+                                return true;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        
+        return false;
     }
 }



Mime
View raw message