From cohei...@apache.org
Subject git commit: Add certificate path validation for X.509 tokens in the STS
Date Mon, 26 May 2014 13:26:53 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 1944d3d83 -> cf0575568


Add certificate path validation for X.509 tokens in the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cf057556
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cf057556
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cf057556

Branch: refs/heads/master
Commit: cf05755689b3dcc2d47f00213fe8cc5efad350c0
Parents: 1944d3d
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon May 26 14:26:15 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon May 26 14:26:15 2014 +0100

----------------------------------------------------------------------
 .../cxf/sts/token/realm/CertConstraintsParser.java    |  4 ++++
 .../cxf/sts/token/validator/SAMLTokenValidator.java   |  1 +
 .../cxf/sts/token/validator/X509TokenValidator.java   | 14 +++++++++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/cf057556/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
index 1eeb075..2f93f3b 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
@@ -59,6 +59,10 @@ public class CertConstraintsParser {
         }
     }
     
+    public Collection<Pattern> getCompiledSubjectContraints() {
+        return subjectDNPatterns;
+    }
+    
     /**
      * @return      true if the certificate's SubjectDN matches the constraints defined in
the
      *              subject DNConstraints; false, otherwise. The certificate subject DN only
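Review bot: The new getter at L49–L51 hands out the parser's internal `subjectDNPatterns` collection by reference, so any caller (now SAMLTokenValidator and X509TokenValidator, which pass it into WSS4J's RequestData) could add to or clear the validator's subject-DN constraint set after configuration; returning a read-only view, `return Collections.unmodifiableCollection(subjectDNPatterns);` (with the matching `java.util.Collections` import, which is outside this hunk), keeps the constraints fixed once set. The field's declared type is not visible here, so if it is already an unmodifiable collection this is moot, but the hunk gives no sign of that. The method name also carries a typo, `getCompiledSubjectContraints` for `getCompiledSubjectConstraints`; since this commit introduces both the method and its two callers, correcting it now avoids freezing the misspelling in a public API. A short Javadoc such as `/** @return the compiled subject DN regular expressions; empty if no constraints were configured */` would also match the surrounding style. The enclosing class continues outside the hunk.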

http://git-wip-us.apache.org/repos/asf/cxf/blob/cf057556/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index 000f77c..823e379 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -165,6 +165,7 @@ public class SAMLTokenValidator implements TokenValidator {
             requestData.setWssConfig(wssConfig);
             requestData.setCallbackHandler(callbackHandler);
             requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+            requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
 
             WSDocInfo docInfo = new WSDocInfo(validateTargetElement.getOwnerDocument());
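Review bot: Line 69 hands the SAML validator's subject-DN patterns to WSS4J through RequestData, but nothing in the hunk says where they are enforced or how this relates to any direct `certConstraints.matches(...)` check this validator may already perform on the signing certificate elsewhere in the method; if both run, the same constraints are evaluated twice, which is harmless but worth stating. A one-line comment such as `// Subject DN constraints are also enforced by the WSS4J validator during signature trust verification` would make the intended enforcement point explicit for the next maintainer. The `certConstraints` field and the enclosing method both lie outside the hunk, so whether it can be null at this point cannot be judged from here.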
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/cf057556/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
index 17b8cf9..6b3847c 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.sts.token.validator;
 
 import java.security.cert.X509Certificate;
+import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -26,12 +27,12 @@ import javax.security.auth.callback.CallbackHandler;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Text;
-
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.sts.STSPropertiesMBean;
 import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.token.realm.CertConstraintsParser;
 import org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -57,8 +58,18 @@ public class X509TokenValidator implements TokenValidator {
     private static final Logger LOG = LogUtils.getL7dLogger(X509TokenValidator.class);
     
     private Validator validator = new SignatureTrustValidator();
+    
+    private CertConstraintsParser certConstraints = new CertConstraintsParser();
 
     /**
+     * Set a list of Strings corresponding to regular expression constraints on the subject
DN
+     * of a certificate
+     */
+    public void setSubjectConstraints(List<String> subjectConstraints) {
+        certConstraints.setSubjectConstraints(subjectConstraints);
+    }
+    
+    /**
      * Set the WSS4J Validator instance to use to validate the token.
      * @param validator the WSS4J Validator instance to use to validate the token
      */
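Review bot: The Javadoc on the new `setSubjectConstraints` (L110–L114) has no `@param` and does not say what the strings are matched against; something like `@param subjectConstraints regular expressions that the subject DN of the token's certificate must match` would bring it in line with the `setValidator` Javadoc just below it, which does document its parameter. The `certConstraints` field at L108 is only ever configured through that setter and never reassigned in this hunk, so it can be `private final CertConstraintsParser certConstraints = new CertConstraintsParser();`. Whether a null list is tolerated depends on `CertConstraintsParser.setSubjectConstraints`, which is not visible here; if it is not, an `Objects.requireNonNull(subjectConstraints, "subjectConstraints")` (with the import) would fail early instead of at validation time. The enclosing class continues outside the hunk.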
@@ -101,6 +112,7 @@ public class X509TokenValidator implements TokenValidator {
         requestData.setWssConfig(WSSConfig.getNewInstance());
         requestData.setCallbackHandler(callbackHandler);
         requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+        requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
 
         TokenValidatorResponse response = new TokenValidatorResponse();
         ReceivedToken validateTarget = tokenParameters.getToken();
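Review bot: Enforcement of the constraints passed at line 127 appears to rest entirely on the WSS4J `Validator` held in the `validator` field, which this class exposes through a setter (see the `setValidator` Javadoc in the earlier hunk); a custom Validator that does not consult `RequestData.getSubjectCertConstraints()` would silently leave the configured subject-DN restrictions unenforced. If that dependency is intended, the `setSubjectConstraints` Javadoc should state it, e.g. `Note: these constraints are enforced by the configured WSS4J Validator; a custom Validator must honour RequestData's subject cert constraints.` Otherwise applying `certConstraints.matches(...)` directly to the validated certificate in this class would make the check independent of the injected validator. The enclosing `validateToken` method starts and ends outside the hunk, so where the certificate becomes available for such a check is not visible here.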

