Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6231011D57 for ; Fri, 8 Aug 2014 10:22:24 +0000 (UTC) Received: (qmail 48208 invoked by uid 500); 8 Aug 2014 10:22:24 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 48017 invoked by uid 500); 8 Aug 2014 10:22:24 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 47992 invoked by uid 99); 8 Aug 2014 10:22:24 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Aug 2014 10:22:24 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id DD88594C614; Fri, 8 Aug 2014 10:22:23 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Date: Fri, 08 Aug 2014 10:22:24 -0000 Message-Id: <7a34a3af48ad43ef916dce238c749f90@git.apache.org> In-Reply-To: <9f6c13f25dc04f74bf0d66599a2e355c@git.apache.org> References: <9f6c13f25dc04f74bf0d66599a2e355c@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/3] git commit: Add a way to enable credential delegation via a property Add a way to enable credential delegation via a property Conflicts: rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5bc0ba9a Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5bc0ba9a Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5bc0ba9a Branch: refs/heads/2.7.x-fixes Commit: 5bc0ba9a44e0f308b617042757e8258b303535e4 Parents: 6c27ad0 Author: Colm O hEigeartaigh Authored: Fri Aug 8 11:16:35 2014 +0100 Committer: Colm O hEigeartaigh Committed: Fri Aug 8 11:19:34 2014 +0100 ---------------------------------------------------------------------- .../cxf/ws/security/SecurityConstants.java | 27 +++++++++++++++++++- .../cxf/ws/security/kerberos/KerberosUtils.java | 7 +++++ 2 files changed, 33 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/5bc0ba9a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index adc932d..b563c5d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -201,6 +201,31 @@ public final class SecurityConstants {
 public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = "ws-security.validate.saml.subject.conf";
+<<<<<<< HEAD
+=======
+ /**
+ * Whether to enable streaming WS-Security. If set to false (the default), the old DOM
+ * implementation is used. If set to true, the new streaming (StAX) implementation is used.
+ */
+ public static final String ENABLE_STREAMING_SECURITY =
+ "ws-security.enable.streaming";
+
+ /**
+ * Whether to return the security error message to the client, and not one of the default error
+ * QNames. The default is false.
+ */
+ public static final String RETURN_SECURITY_ERROR = "ws-security.return.security.error";
+
+ /**
+ * Whether to use credential delegation or not in the KerberosClient. If this is set to "true",
+ * then it tries to get a GSSCredential Object from the Message Context using the
+ * DELEGATED_CREDENTIAL configuration tag below, and then use this to obtain a service ticket.
+ * The default is "false".
+ */
+ public static final String KERBEROS_USE_CREDENTIAL_DELEGATION =
+ "ws-security.kerberos.use.credential.delegation";
+
+>>>>>>> e86ad8d... Add a way to enable credential delegation via a property
 //
 // Non-boolean WS-Security Configuration parameters
 //
@@ -565,7 +590,7 @@ public final class SecurityConstants {
 TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND, ASYMMETRIC_SIGNATURE_ALGORITHM, ENABLE_SAML_ONE_TIME_USE_CACHE, SAML_ONE_TIME_USE_CACHE_INSTANCE, CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
- DELEGATED_CREDENTIAL
+ DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION
 }));
 ALL_PROPERTIES = Collections.unmodifiableSet(s);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/5bc0ba9a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java ----------------------------------------------------------------------
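Review bot: Unresolved merge-conflict markers are committed as added lines at the top of the first SecurityConstants.java hunk: `<<<<<<< HEAD`, `=======` and `>>>>>>> e86ad8d...` sit inside the class body, so the file cannot compile as it stands, and the three marker lines should be deleted. The commit message lists this file under "Conflicts:", and the block between the markers also carries ENABLE_STREAMING_SECURITY and RETURN_SECURITY_ERROR, which the commit subject does not mention and which the second hunk does not add to the property set, so they look like they came along from the cherry-picked side by accident. If those two options are not implemented on 2.7.x-fixes, keep only `KERBEROS_USE_CREDENTIAL_DELEGATION` and its Javadoc; a documented security option that the branch ignores can leave users believing a setting is in effect when it is not.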
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
index 63a7287..42f4794 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
@@ -23,6 +23,7 @@ import javax.security.auth.callback.CallbackHandler;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
 /**
@@ -48,9 +49,15 @@ public final class KerberosUtils {
 getCallbackHandler( message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER) );
+ boolean useCredentialDelegation =
+ MessageUtils.getContextualBoolean(message,
+ SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION,
+ false);
+
 client.setContextName(jaasContext);
 client.setServiceName(kerberosSpn);
 client.setCallbackHandler(callbackHandler);
+ client.setUseDelegatedCredential(useCredentialDelegation);
 }
 return client;
 }
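Review bot: In the second KerberosUtils.java hunk the new flag is applied only inside the block that builds the KerberosClient, and nothing at this point checks that a credential is actually present under DELEGATED_CREDENTIAL when `ws-security.kerberos.use.credential.delegation` is true. That block opens above the hunk, so its condition is not visible, but a client supplied through configuration would presumably keep its own setting and ignore the property. How KerberosClient behaves when the flag is set and no GSSCredential is found is outside this diff; if it falls back to the JAAS login, the service ticket would be requested under the service's own identity rather than the delegated one, with no sign that delegation did not happen. I would add a comment above the read, `// Only applied to a client created here; a pre-configured KerberosClient keeps its own delegation setting`, and a debug log line or an explicit failure when delegation is requested but no credential is available.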