From cohei...@apache.org
Subject git commit: [CXF-5768] - Fallback to "Issue" if "Renew" fails in the STSClient
Date Tue, 27 May 2014 11:17:21 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 779cf32e4 -> 7851f41bb


[CXF-5768] - Fallback to "Issue" if "Renew" fails in the STSClient


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7851f41b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7851f41b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7851f41b

Branch: refs/heads/master
Commit: 7851f41bb4ce8f658d9f6a23582d711f08571043
Parents: 779cf32
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue May 27 12:17:02 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue May 27 12:17:02 2014 +0100

----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java      |  7 +++
 .../IssuedTokenInterceptorProvider.java         | 33 ++++++++--
 .../cxf/systest/sts/renew/SAMLRenewTest.java    |  9 +++
 .../apache/cxf/systest/sts/renew/DoubleIt.wsdl  |  3 +
 .../apache/cxf/systest/sts/renew/cxf-client.xml | 65 ++++++++++++++------
 .../cxf/systest/sts/renew/cxf-service.xml       |  6 ++
 .../cxf/systest/sts/renew/cxf-sts-pop.xml       | 11 +++-
 7 files changed, 111 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/7851f41b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 993c0c0..3eb12b8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -432,6 +432,13 @@ public final class SecurityConstants {
     public static final String STS_TOKEN_DO_CANCEL = "ws-security.sts.token.do.cancel";
     
     /**
+     * Whether to fall back to calling "issue" after failing to renew an expired token. Some
+     * STSs do not support the renew binding, and so we should just issue a new token after
expiry.
+     * The default is true.
+     */
+    public static final String STS_ISSUE_AFTER_FAILED_RENEW = "ws-security.issue.after.failed.renew";
+    
+    /**
      * Set this to "false" to not cache a SecurityToken per proxy object in the 
      * IssuedTokenInterceptorProvider. This should be done if a token is being retrieved
      * from an STS in an intermediary. The default value is "true".
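Review bot: The new key `ws-security.issue.after.failed.renew` drops the `sts.` segment that the neighbouring STS settings carry (`ws-security.sts.token.do.cancel` at L50), so it sorts away from the other STS properties and is easy to mistype; unless the name is already relied on elsewhere, `ws-security.sts.issue.after.failed.renew` would be consistent. The Javadoc only mentions STSs without a renew binding, but the property governs what happens on any renew failure; a sentence such as `Note that the fallback is attempted on any renew failure, not only when the STS lacks the renew binding, so set this to "false" if a rejected renew must surface to the caller.` would make the operational trade-off clear to whoever configures it.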

http://git-wip-us.apache.org/repos/asf/cxf/blob/7851f41b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index 42746ba..c08a078 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -26,10 +26,13 @@ import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
@@ -74,6 +77,8 @@ import org.apache.wss4j.policy.model.Trust13;
  */
 public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
     
+    private static final Logger LOG = LogUtils.getL7dLogger(IssuedTokenInterceptorProvider.class);
+    
     private static final long serialVersionUID = -6936475570762840527L;
     private static final String ASSOCIATED_TOKEN = 
         IssuedTokenInterceptorProvider.class.getName() + "-" + "Associated_Token";
@@ -437,10 +442,30 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
                     
                     client.setTemplate(itok.getRequestSecurityTokenTemplate());
                     return client.renewSecurityToken(tok);
-                } catch (RuntimeException e) {
-                    throw e;
-                } catch (Exception e) {
-                    throw new Fault(e);
+                } catch (RuntimeException ex) {
+                    LOG.log(Level.WARNING, "Error renewing a token", ex);
+                    boolean issueAfterFailedRenew = 
+                        MessageUtils.getContextualBoolean(
+                            message, SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, true
+                        );
+                    if (issueAfterFailedRenew) {
+                        // Perhaps the STS does not support renewing, so try to issue a new
token
+                        return issueToken(message, aim, itok);
+                    } else {
+                        throw ex;
+                    }
+                } catch (Exception ex) {
+                    LOG.log(Level.WARNING, "Error renewing a token", ex);
+                    boolean issueAfterFailedRenew = 
+                        MessageUtils.getContextualBoolean(
+                            message, SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, true
+                        );
+                    if (issueAfterFailedRenew) {
+                        // Perhaps the STS does not support renewing, so try to issue a new
token
+                        return issueToken(message, aim, itok);
+                    } else {
+                        throw new Fault(ex);
+                    }
                 } finally {
                     client.setTrust((Trust10)null);
                     client.setTrust((Trust13)null);
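Review bot: The two catch blocks at L103–L128 are identical except for the rethrow, so the logging, the contextual-property lookup and the fallback are duplicated and will drift apart on the next edit; a single `catch (Exception ex)` that rethrows `RuntimeException` unchanged and wraps everything else in `Fault` keeps the existing behaviour in one place. Note also that the fallback fires on any failure of `renewSecurityToken`, including an STS that deliberately rejected the token, and the only trace of that is the WARNING log line; when the `issueToken` call itself then fails, the renew exception is not attached to what propagates, so consider adding it via `addSuppressed` on the issue failure if that path matters for diagnosis. The enclosing method begins and ends outside this hunk.
```java
} catch (Exception ex) {
    LOG.log(Level.WARNING, "Error renewing a token", ex);
    boolean issueAfterFailedRenew =
        MessageUtils.getContextualBoolean(
            message, SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, true
        );
    if (issueAfterFailedRenew) {
        // Perhaps the STS does not support renewing, so try to issue a new token
        return issueToken(message, aim, itok);
    }
    // Preserve the original contract: runtime exceptions pass through, checked ones become a Fault
    if (ex instanceof RuntimeException) {
        throw (RuntimeException) ex;
    }
    throw new Fault(ex);
} finally {
    // … unchanged: trust reset …
```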

http://git-wip-us.apache.org/repos/asf/cxf/blob/7851f41b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
index 013ac0b..a2fd15d 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
@@ -100,10 +100,16 @@ public class SAMLRenewTest extends AbstractBusClientServerTestBase {
             service.getPort(saml2PortQName, DoubleItPortType.class);
         updateAddressPort(saml2Port, PORT);
         
+        QName saml2NoRenewPortQName = new QName(NAMESPACE, "DoubleItTransportSaml2NoRenewPort");
+        DoubleItPortType saml2NoRenewPort = 
+            service.getPort(saml2NoRenewPortQName, DoubleItPortType.class);
+        updateAddressPort(saml2NoRenewPort, PORT);
+        
         // Make initial successful invocation(s)
         doubleIt(saml1Port, 25);
         doubleIt(saml1BearerPort, 30);
         doubleIt(saml2Port, 35);
+        doubleIt(saml2NoRenewPort, 35);
         
         // Now sleep to expire the token(s)
         Thread.sleep(8 * 1000);
@@ -129,6 +135,9 @@ public class SAMLRenewTest extends AbstractBusClientServerTestBase {
         stsClient.setTtl(300);
         doubleIt(saml2Port, 35);
         
+        // Renew should fail here, but it should fall back to issue
+        doubleIt(saml2NoRenewPort, 35);
+        
         ((java.io.Closeable)saml1Port).close();
         ((java.io.Closeable)saml1BearerPort).close();
         ((java.io.Closeable)saml2Port).close();
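Review bot: `saml2NoRenewPort`, created at L144–L147 in the earlier hunk, is not closed alongside the other three ports at L164–L166, and the diffstat shows no further additions to this file, so the proxy leaks at the end of the test; add `((java.io.Closeable)saml2NoRenewPort).close();` after L166. The new invocation at L162 only covers the fallback-enabled path; nothing in either hunk asserts that a renew failure propagates when `ws-security.issue.after.failed.renew` is `false`, so the opt-out branch of the new code remains untested. The enclosing test method continues outside this hunk.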

http://git-wip-us.apache.org/repos/asf/cxf/blob/7851f41b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
index e260471..b586a48 100644
--- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
@@ -74,6 +74,9 @@
         <wsdl:port name="DoubleItTransportSaml2Port" binding="tns:DoubleItTransportSaml2Binding">
             <soap:address location="https://localhost:8081/doubleit/services/doubleittransportsaml2"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItTransportSaml2NoRenewPort" binding="tns:DoubleItTransportSaml2Binding">
+            <soap:address location="https://localhost:8081/doubleit/services/doubleittransportsaml2norenew"/>
+        </wsdl:port>
     </wsdl:service>
     <wsp:Policy wsu:Id="DoubleItBindingTransportSaml1Policy">
         <wsp:ExactlyOne>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7851f41b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
index 5e114ab..482e80e 100644
--- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
@@ -65,32 +65,61 @@
                     <property name="allowRenewingAfterExpiry" value="true"/>
                 </bean>
             </entry>
+            <entry key="ws-security.issue.after.failed.renew" value="false"/>
         </jaxws:properties>
     </jaxws:client>
+    
+    <bean id="saml2STSClient" class="org.apache.cxf.ws.security.trust.STSClient">
+        <constructor-arg ref="cxf"/>
+        <property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServerPOP}/SecurityTokenService/Transport?wsdl"/>
+        <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+        <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
+        <property name="ttl" value="8"/>
+        <property name="enableLifetime" value="true"/>
+        <property name="allowRenewingAfterExpiry" value="true"/>
+        <property name="properties">
+            <map>
+                <entry key="ws-security.sts.token.username" value="myclientkey"/>
+                <entry key="ws-security.sts.token.properties" value="clientKeystore.properties"/>
+                <entry key="ws-security.sts.token.usecert" value="true"/>
+            </map>
+        </property>
+    </bean>
+                
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSaml2Port"
createdFromAPI="true">
         <jaxws:properties>
             <entry key="ws-security.username" value="alice"/>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
             <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
             <entry key="ws-security.signature.username" value="myclientkey"/>
-            <entry key="ws-security.sts.client">
-                <bean class="org.apache.cxf.ws.security.trust.STSClient">
-                    <constructor-arg ref="cxf"/>
-                    <property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServerPOP}/SecurityTokenService/Transport?wsdl"/>
-                    <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
-                    <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
-                    <property name="ttl" value="8"/>
-                    <property name="enableLifetime" value="true"/>
-                    <property name="allowRenewingAfterExpiry" value="true"/>
-                    <property name="properties">
-                        <map>
-                            <entry key="ws-security.sts.token.username" value="myclientkey"/>
-                            <entry key="ws-security.sts.token.properties" value="clientKeystore.properties"/>
-                            <entry key="ws-security.sts.token.usecert" value="true"/>
-                        </map>
-                    </property>
-                </bean>
-            </entry>
+            <entry key="ws-security.sts.client" value-ref="saml2STSClient" />
+        </jaxws:properties>
+    </jaxws:client>
+    
+     <bean id="saml2STSNoRenewClient" class="org.apache.cxf.ws.security.trust.STSClient">
+        <constructor-arg ref="cxf"/>
+        <property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServerPOP}/SecurityTokenService/TransportSoap12?wsdl"/>
+        <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+        <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Soap12_Port"/>
+        <property name="ttl" value="8"/>
+        <property name="enableLifetime" value="true"/>
+        <property name="allowRenewingAfterExpiry" value="true"/>
+        <property name="properties">
+            <map>
+                <entry key="ws-security.sts.token.username" value="myclientkey"/>
+                <entry key="ws-security.sts.token.properties" value="clientKeystore.properties"/>
+                <entry key="ws-security.sts.token.usecert" value="true"/>
+            </map>
+        </property>
+    </bean>
+    
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSaml2NoRenewPort"
createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+            <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
+            <entry key="ws-security.signature.username" value="myclientkey"/>
+            <entry key="ws-security.sts.client" value-ref="saml2STSNoRenewClient" />
         </jaxws:properties>
     </jaxws:client>
     <http:conduit name="https://localhost:.*">
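Review bot: The `ws-security.issue.after.failed.renew=false` entry at L197 is attached to a client whose STS client (the bean closing at L195) appears to target the renew-capable STS, so that setting is never exercised by the test; to cover the opt-out path it would need to sit on a client that talks to the no-renew STS, presumably alongside `saml2STSNoRenewClient`. Minor: the `saml2STSNoRenewClient` bean at L247 is indented one space deeper than its sibling at L201, and the two STSClient beans differ only in `wsdlLocation` and `endpointName`, which a shared `parent` bean definition would make explicit.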

http://git-wip-us.apache.org/repos/asf/cxf/blob/7851f41b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml
index a285dc6..7005af8 100644
--- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml
@@ -42,6 +42,12 @@
             <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2norenew"
implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSaml2NoRenewPort"
serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportsaml2norenew"
wsdlLocation="org/apache/cxf/systest/sts/renew/DoubleIt.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+            <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
     <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
         <httpj:engine port="${testutil.ports.Server}">
             <httpj:tlsServerParameters>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7851f41b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml
index dd92654..d6781c3 100644
--- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml
@@ -107,7 +107,16 @@
         <property name="encryptionUsername" value="myservicekey"/>
     </bean>
     <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="localSTS"
implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.STSServerPOP}/SecurityTokenService/Transport"
wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl"
depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port">
-        </jaxws:endpoint>
+    </jaxws:endpoint>
+    
+    <bean id="transportSTSProviderNoRenewBean" class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
+        <property name="issueOperation" ref="transportIssueDelegate"/>
+        <property name="validateOperation" ref="transportValidateDelegate"/>
+    </bean>
+    
+    <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="noRenewSTS"
implementor="#transportSTSProviderNoRenewBean" address="https://localhost:${testutil.ports.STSServerPOP}/SecurityTokenService/TransportSoap12"
wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl"
depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Soap12_Port">
+    </jaxws:endpoint>
+    
     <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
         <httpj:engine port="${testutil.ports.STSServerPOP}">
             <httpj:tlsServerParameters>
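Review bot: `transportSTSProviderNoRenewBean` at L317–L320 leaves out `renewOperation` on purpose so that this STS refuses Renew and the client falls back to Issue, but nothing in the file says so, and the omission looks like a copy-paste slip next to the full provider bean above it; add a comment such as `<!-- No renewOperation on purpose: this STS must reject Renew so the client falls back to Issue (CXF-5768) -->` above the bean. The new `noRenewSTS` endpoint at L322–L326 reuses the same WSDL and `ClientAuthHttpsSettings` as `localSTS`, which looks right since it only differs in the SOAP 1.2 port, but confirm the WSDL declares `Transport_Soap12_Port`.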

