From cohei...@apache.org
Subject git commit: Fixing the STS JAAS LoginModule to work in a container
Date Fri, 31 Oct 2014 12:20:59 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes e29275a20 -> f46a9bcb9


Fixing the STS JAAS LoginModule to work in a container


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f46a9bcb
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f46a9bcb
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f46a9bcb

Branch: refs/heads/3.0.x-fixes
Commit: f46a9bcb9de8a3c02a9a78a1e27c8b84f205c10e
Parents: e29275a
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Oct 31 12:19:30 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Oct 31 12:20:46 2014 +0000

----------------------------------------------------------------------
 .../apache/cxf/rt/security/saml/SAMLUtils.java  |  5 +-
 .../security/tokenstore/TokenStoreFactory.java  |  2 +-
 .../cxf/ws/security/trust/STSLoginModule.java   | 85 ++++++++++++++++----
 .../ws/security/trust/STSTokenValidator.java    | 49 ++++++++---
 4 files changed, 112 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f46a9bcb/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
index ac0fcde..69c3a6d 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
@@ -25,8 +25,7 @@ import java.util.List;
 import java.util.Set;
 
 import org.w3c.dom.Element;
-
-import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.common.security.SimpleGroup;
 import org.apache.cxf.rt.security.claims.Claim;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.claims.SAMLClaim;
@@ -118,7 +117,7 @@ public final class SAMLUtils {
                     || claim instanceof SAMLClaim && nameFormat.equals(((SAMLClaim)claim).getNameFormat())))
{
                 for (Object claimValue : claim.getValues()) {
                     if (claimValue instanceof String) {
-                        roles.add(new SimplePrincipal((String)claimValue));
+                        roles.add(new SimpleGroup((String)claimValue));
                     }
                 }
                 if (claim.getValues().size() > 1) {
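Review bot: The switch from SimplePrincipal to SimpleGroup changes the runtime type of every element in the returned role set, which any caller that filters on `instanceof SimplePrincipal` would notice, and the line carries no explanation of why. A why-comment would pin the intent, e.g. `// roles are added as Group principals so a container can tell them apart from the user principal` — I infer the motivation from the commit title, so confirm it. The enclosing loop and method start before and end after the hunk.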

http://git-wip-us.apache.org/repos/asf/cxf/blob/f46a9bcb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java
index 0f44989..c34d21f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java
@@ -46,7 +46,7 @@ public abstract class TokenStoreFactory {
         }
     }
     
-    protected static synchronized boolean isEhCacheInstalled() {
+    public static synchronized boolean isEhCacheInstalled() {
         return ehCacheInstalled;
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/f46a9bcb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
index f4f83eb..5d634ab 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
@@ -20,6 +20,8 @@
 package org.apache.cxf.ws.security.trust;
 
 import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.security.Principal;
 import java.util.Collections;
 import java.util.HashMap;
@@ -39,14 +41,22 @@ import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 
 import org.w3c.dom.Document;
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusException;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.endpoint.EndpointException;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.SAMLUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.EHCacheTokenStore;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
 import org.apache.cxf.ws.security.trust.claims.RoleClaimsCallbackHandler;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
@@ -106,8 +116,10 @@ public class STSLoginModule implements LoginModule {
     public static final String WS_TRUST_NAMESPACE = "ws.trust.namespace";
     
     private static final Logger LOG = LogUtils.getL7dLogger(STSLoginModule.class);
+    private static final String TOKEN_STORE_KEY = "sts.login.module.tokenstore";
     
-    private Set<Principal> principals = new HashSet<Principal>();
+    private Set<Principal> roles = new HashSet<Principal>();
+    private Principal userPrincipal;
     private Subject subject;
     private CallbackHandler callbackHandler;
     private boolean requireRoles;
@@ -182,7 +194,8 @@ public class STSLoginModule implements LoginModule {
         }
         String password = new String(tmpPassword);
         
-        principals = new HashSet<Principal>();
+        roles = new HashSet<Principal>();
+        userPrincipal = null;
         
         STSTokenValidator validator = new STSTokenValidator(true);
         validator.setUseIssueBinding(requireRoles);
@@ -195,16 +208,24 @@ public class STSLoginModule implements LoginModule {
             
             RequestData data = new RequestData();
             Message message = PhaseInterceptorChain.getCurrentMessage();
-            configureSTSClient(message);
             
-            data.setMsgContext(message);
+            STSClient stsClient = configureSTSClient(message);
+            if (message != null) {
+                message.setContextualProperty(SecurityConstants.STS_CLIENT, stsClient);
+                data.setMsgContext(message);
+            } else {
+                TokenStore tokenStore = configureTokenStore(message);
+                validator.setStsClient(stsClient);
+                validator.setTokenStore(tokenStore);
+            }
+            
             credential = validator.validate(credential, data);
 
             // Add user principal
-            principals.add(new SimplePrincipal(user));
+            userPrincipal = new SimplePrincipal(user);
             
             // Add roles if a SAML Assertion was returned from the STS
-            principals.addAll(getRoles(message, credential));
+            roles.addAll(getRoles(message, credential));
         } catch (Exception e) {
             LOG.log(Level.INFO, "User " + user + " authentication failed", e);
             throw new LoginException("User " + user + " authentication failed: " + e.getMessage());
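Review bot: In the `message == null` branch a fresh STSClient and a fresh token store are built on every login() call (configureSTSClient at the top of the hunk, configureTokenStore in the else branch) and neither is retained on the module; if EHCacheTokenStore construction registers a cache each time, repeated container logins become costly and may leak cache resources, so that should be verified and, if so, the store created once and reused. `configureTokenStore(message)` is also invoked with `message` already known to be null, which makes its `msg != null` path dead from this call site; `configureTokenStore(null)` or a no-arg helper would make that explicit. The body of login() starts before and ends after the hunk.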
@@ -213,8 +234,15 @@ public class STSLoginModule implements LoginModule {
         return true;
     }
     
-    private void configureSTSClient(Message msg) {
-        STSClient c = STSUtils.getClient(msg, "sts");
+    private STSClient configureSTSClient(Message msg) throws BusException, EndpointException
{
+        STSClient c = null;
+        if (msg == null) {
+            Bus bus = BusFactory.getDefaultBus(true);
+            c = new STSClient(bus);
+        } else {
+            c = STSUtils.getClient(msg, "sts");
+        }
+        
         if (wsdlLocation != null) {
             c.setWsdlLocation(wsdlLocation);
         }
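Review bot: The container-case client is built on `BusFactory.getDefaultBus(true)` while configureTokenStore below builds the token store on `BusFactory.getDefaultBus()`; if the two calls can resolve to different buses the client and its cache end up on different buses, so one form should be used in both places. A short comment on the `msg == null` branch would also help a reader, e.g. `// No CXF message (container login): the client is built on the default bus, so all STS settings must come from the module options` — that is inferred from the missing message, so confirm. The method body continues past the hunk.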
@@ -243,7 +271,28 @@ public class STSLoginModule implements LoginModule {
             c.setClaimsCallbackHandler(new RoleClaimsCallbackHandler());
         }
         
-        msg.setContextualProperty(SecurityConstants.STS_CLIENT, c);
+        return c;
+    }
+    
+    private TokenStore configureTokenStore(Message msg) throws MalformedURLException {
+        if (msg != null) {
+            return STSTokenValidator.getTokenStore(msg);
+        }
+        
+        if (TokenStoreFactory.isEhCacheInstalled()) {
+            String cfg = "cxf-ehcache.xml";
+            URL url = null;
+            if (url == null) {
+                url = ClassLoaderUtils.getResource(cfg, STSLoginModule.class);
+            }
+            if (url == null) {
+                url = new URL(cfg);
+            }
+            if (url != null) {
+                return new EHCacheTokenStore(TOKEN_STORE_KEY, BusFactory.getDefaultBus(),
url);
+            }
+        }
+        return null;
     }
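Review bot: The fallback `url = new URL(cfg)` with the bare file name `cxf-ehcache.xml` cannot form a valid URL, so when the resource is not on the classpath this method throws MalformedURLException instead of returning null, and login() turns that into an authentication failure for every user even though the validator already tolerates a null store. The surrounding `URL url = null; if (url == null)` and the trailing `if (url != null)` are redundant as well. Treating a missing config as "caching disabled" keeps the login working and removes the dead checks; the rewrite below replaces the body after the message-scoped lookup.
```java
    private TokenStore configureTokenStore(Message msg) throws MalformedURLException {
        // … unchanged: return the message-scoped store when msg != null …
        if (!TokenStoreFactory.isEhCacheInstalled()) {
            return null;
        }
        // A bare file name is not a valid URL, so only the classpath lookup is attempted;
        // a missing configuration disables caching rather than failing the login.
        URL url = ClassLoaderUtils.getResource("cxf-ehcache.xml", STSLoginModule.class);
        if (url == null) {
            LOG.fine("cxf-ehcache.xml not found on the classpath; STS token caching is disabled");
            return null;
        }
        return new EHCacheTokenStore(TOKEN_STORE_KEY, BusFactory.getDefaultBus(), url);
    }
```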
 
     private UsernameToken convertToToken(String username, String password) 
@@ -263,8 +312,11 @@ public class STSLoginModule implements LoginModule {
             samlAssertion = credential.getSamlAssertion();
         }
         if (samlAssertion != null) {
-            String roleAttributeName = 
-                (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+            String roleAttributeName = null;
+            if (msg != null) {
+                roleAttributeName = 
+                    (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+            }
             if (roleAttributeName == null || roleAttributeName.length() == 0) {
                 roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
             }
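Review bot: In the container path (`msg == null`) the role attribute name can no longer be configured and always falls back to `WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT`, so an STS that issues roles under a different attribute name yields an empty role set, which silently weakens any authorisation that relies on those roles. Consider reading the name from the LoginModule options the way `wsdlLocation` is, and applying it when no message is present, e.g. `if (roleAttributeName == null) { roleAttributeName = roleAttributeNameOption; }` ahead of the default fallback (the option field would be set in initialize(), outside this hunk). The enclosing getRoles method starts before and ends after the hunk.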
@@ -280,10 +332,11 @@ public class STSLoginModule implements LoginModule {
     
     @Override
     public boolean commit() throws LoginException {
-        if (principals.isEmpty()) {
+        if (userPrincipal == null) {
             return false;
         }
-        subject.getPrincipals().addAll(principals);
+        subject.getPrincipals().add(userPrincipal);
+        subject.getPrincipals().addAll(roles);
         return true;
     }
 
@@ -294,8 +347,10 @@ public class STSLoginModule implements LoginModule {
 
     @Override
     public boolean logout() throws LoginException {
-        subject.getPrincipals().removeAll(principals);
-        principals.clear();
+        subject.getPrincipals().remove(userPrincipal);
+        subject.getPrincipals().removeAll(roles);
+        roles.clear();
+        userPrincipal = null;
         return true;
     }
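Review bot: `subject.getPrincipals().remove(userPrincipal)` can run with `userPrincipal == null` when logout() is called without a prior successful login (login() and logout() both reset it to null), and Subject's principal set is not guaranteed to accept a null argument; guard it with `if (userPrincipal != null) { subject.getPrincipals().remove(userPrincipal); }`. A one-line Javadoc stating that logout() is safe to call after a failed or skipped login would pin that contract.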
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/f46a9bcb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
index 4f001f7..f58e12e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
@@ -52,6 +52,8 @@ public class STSTokenValidator implements Validator {
     private STSSamlAssertionValidator samlValidator = new STSSamlAssertionValidator();
     private boolean alwaysValidateToSts;
     private boolean useIssueBinding;
+    private STSClient stsClient;
+    private TokenStore tokenStore;
     
     public STSTokenValidator() {
     }
@@ -98,9 +100,12 @@ public class STSTokenValidator implements Validator {
             }
             token.setToken(tokenElement);
             
-            TokenStore tokenStore = getTokenStore(message);
-            if (tokenStore != null && hash != 0) {
-                SecurityToken transformedToken = getTransformedToken(tokenStore, hash);
+            TokenStore ts = getTokenStore(message);
+            if (ts == null) {
+                ts = tokenStore;
+            }
+            if (ts != null && hash != 0) {
+                SecurityToken transformedToken = getTransformedToken(ts, hash);
                 if (transformedToken != null && !transformedToken.isExpired()) {
                     SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
                     credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
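Review bot: A cache hit on these lines authenticates the caller from the stored SAML assertion without contacting the STS, so with the injected `tokenStore` now used for container logins a credential that is later changed or revoked at the STS keeps working until the cached token expires; `hash` is computed above the hunk, so what it covers is not visible here. That trade-off should be stated next to the hit check, e.g. `// Cache hit: the STS is not re-consulted until the cached assertion expires, so revocation at the STS takes effect only after the token lifetime`, and callers who cannot accept it can leave the token store unset. Note also that the message-scoped store is preferred and the injected one is only a fallback, which is worth documenting on the setter.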
@@ -110,7 +115,11 @@ public class STSTokenValidator implements Validator {
             }
             token.setTokenHash(hash);
             
-            STSClient c = STSUtils.getClient(message, "sts");
+            STSClient c = stsClient;
+            if (c == null) {
+                c = STSUtils.getClient(message, "sts");
+            }
+            
             synchronized (c) {
                 System.setProperty("noprint", "true");
                 
@@ -130,10 +139,10 @@ public class STSTokenValidator implements Validator {
                     SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken());
                     credential.setTransformedToken(assertion);
                     credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
-                    if (hash != 0) {
-                        tokenStore.add(returnedToken);
+                    if (hash != 0 && ts != null) {
+                        ts.add(returnedToken);
                         token.setTransformedTokenIdentifier(returnedToken.getId());
-                        tokenStore.add(Integer.toString(hash), token);
+                        ts.add(Integer.toString(hash), token);
                     }
                 }
                 return credential;
@@ -146,6 +155,10 @@ public class STSTokenValidator implements Validator {
     }
     
     static final TokenStore getTokenStore(Message message) {
+        if (message == null) {
+            return null;
+        }
+        
         EndpointInfo info = message.getExchange().get(Endpoint.class).getEndpointInfo();
         synchronized (info) {
             TokenStore tokenStore = 
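Review bot: The new null guard covers a missing message but not a message without an endpoint; the next line dereferences `message.getExchange().get(Endpoint.class)` unconditionally, which throws NullPointerException if the exchange carries no Endpoint (I am inferring that this can occur from the out-of-container use added in this commit, so verify). Suggest `Endpoint ep = message.getExchange().get(Endpoint.class); if (ep == null) { return null; }` before taking the EndpointInfo, which keeps the existing null-store fallback working. The method body continues past the hunk.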
@@ -182,12 +195,12 @@ public class STSTokenValidator implements Validator {
         return false;
     }
 
-    private SecurityToken getTransformedToken(TokenStore tokenStore, int hash) {
-        SecurityToken recoveredToken = tokenStore.getToken(Integer.toString(hash));
+    private SecurityToken getTransformedToken(TokenStore ts, int hash) {
+        SecurityToken recoveredToken = ts.getToken(Integer.toString(hash));
         if (recoveredToken != null && recoveredToken.getTokenHash() == hash) {
             String transformedTokenId = recoveredToken.getTransformedTokenIdentifier();
             if (transformedTokenId != null) {
-                return tokenStore.getToken(transformedTokenId);
+                return ts.getToken(transformedTokenId);
             }
         }
         return null;
@@ -201,6 +214,22 @@ public class STSTokenValidator implements Validator {
         this.useIssueBinding = useIssueBinding;
     }
     
+    public STSClient getStsClient() {
+        return stsClient;
+    }
+
+    public void setStsClient(STSClient stsClient) {
+        this.stsClient = stsClient;
+    }
+
+    public TokenStore getTokenStore() {
+        return tokenStore;
+    }
+
+    public void setTokenStore(TokenStore tokenStore) {
+        this.tokenStore = tokenStore;
+    }
+
     private static class ElementCallbackHandler implements CallbackHandler {
         
         private final Element tokenElement;
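Review bot: The new public setters carry no Javadoc, and the precedence they establish is only visible inside validate(): the injected `stsClient` replaces the client resolved from the message, while the injected `tokenStore` is consulted only when no store can be resolved from the message. Document both, e.g. on setStsClient: `/** Sets the STSClient to use instead of the one resolved from the message; intended for callers that have no CXF message, such as a JAAS login in a container. */` and on setTokenStore: `/** Sets a TokenStore used only as a fallback when none is associated with the message's endpoint. */`.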

