From cohei...@apache.org
Subject git commit: [CXF-6048] - Support roles in the AuthPolicyValidatingInterceptor
Date Mon, 13 Oct 2014 15:28:25 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes d14382ca5 -> 588ab66d8


[CXF-6048] - Support roles in the AuthPolicyValidatingInterceptor


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/588ab66d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/588ab66d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/588ab66d

Branch: refs/heads/3.0.x-fixes
Commit: 588ab66d81542398b1ec54cf30884ce3a3742a29
Parents: d14382c
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Oct 13 16:23:57 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Oct 13 16:24:44 2014 +0100

----------------------------------------------------------------------
 .../trust/AuthPolicyValidatingInterceptor.java  | 45 ++++++++++++++++++--
 .../ws/security/wss4j/WSS4JInInterceptor.java   |  4 +-
 2 files changed, 43 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/588ab66d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
index ac1f6a6..4bdccc1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
@@ -20,9 +20,11 @@ package org.apache.cxf.ws.security.trust;
 
 import java.security.Principal;
 import java.util.ResourceBundle;
+import java.util.Set;
 import java.util.logging.Logger;
 
 import org.w3c.dom.Document;
+
 import org.apache.cxf.common.i18n.BundleUtils;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.configuration.security.AuthorizationPolicy;
@@ -31,8 +33,14 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.SAMLUtils;
 import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.message.token.UsernameToken;
@@ -82,14 +90,16 @@ public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Me
             credential = validator.validate(credential, data);
             
             // Create a Principal/SecurityContext
-            Principal p = null;
+            SecurityContext sc = null;
             if (credential != null && credential.getPrincipal() != null) {
-                p = credential.getPrincipal();
+                sc = createSecurityContext(message, credential);
             } else {
-                p = new WSUsernameTokenPrincipalImpl(policy.getUserName(), false);
+                Principal p = new WSUsernameTokenPrincipalImpl(policy.getUserName(), false);
                 ((WSUsernameTokenPrincipalImpl)p).setPassword(policy.getPassword());
+                sc = createSecurityContext(p);
             }
-            message.put(SecurityContext.class, createSecurityContext(p));
+            
+            message.put(SecurityContext.class, sc);
         } catch (Exception ex) {
             throw new Fault(ex);
         }
@@ -118,6 +128,33 @@ public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Me
             }
         };
     }
+    
+    protected SecurityContext createSecurityContext(Message msg, Credential credential) {
+        SamlAssertionWrapper samlAssertion = credential.getTransformedToken();
+        if (samlAssertion == null) {
+            samlAssertion = credential.getSamlAssertion();
+        }
+        if (samlAssertion != null) {
+            String roleAttributeName = 
+                (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+            if (roleAttributeName == null || roleAttributeName.length() == 0) {
+                roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
+            }
+
+            ClaimCollection claims = 
+                SAMLUtils.getClaims((SamlAssertionWrapper)samlAssertion);
+            Set<Principal> roles = 
+                SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
+
+            SAMLSecurityContext context = 
+                new SAMLSecurityContext(credential.getPrincipal(), roles, claims);
+            context.setIssuer(SAMLUtils.getIssuer(samlAssertion));
+            context.setAssertionElement(SAMLUtils.getAssertionElement(samlAssertion));
+            return context;
+        } else {
+            return createSecurityContext(credential.getPrincipal());
+        }
+    }
 
     public void setValidator(Validator validator) {
         this.validator = validator;
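Review bot: The new `createSecurityContext(Message, Credential)` has no Javadoc, and the thing a reader most needs to know is where the roles come from: they are parsed from attributes of whichever assertion the top of the method picks (the transformed token first, falling back to the original SAML assertion), so their trustworthiness rests entirely on the configured Validator having already checked that assertion. A Javadoc along the lines of `/** Builds the SecurityContext for a validated credential. If a SAML assertion is present (transformed token preferred), roles are read from the attribute named by SecurityConstants.SAML_ROLE_ATTRIBUTENAME, defaulting to WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT; the assertion is assumed to have been validated by the Validator. */` would record that assumption next to the code. The cast in `SAMLUtils.getClaims((SamlAssertionWrapper)samlAssertion)` is redundant because `samlAssertion` is already declared as `SamlAssertionWrapper`, and `roleAttributeName.length() == 0` reads better as `roleAttributeName.isEmpty()`. The third argument to `parseRolesFromClaims` is passed as `null` without explanation; if that parameter is a name-format filter, a short comment saying the attribute name format is deliberately not restricted would save the next reader a lookup.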

http://git-wip-us.apache.org/repos/asf/cxf/blob/588ab66d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 7b3a66b..014361f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -583,9 +583,9 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
             if (!utWithCallbacks) {
                 WSS4JTokenConverter.convertToken(msg, p);
             }
-            Object receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            Object receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
             if (receivedAssertion == null) {
-                receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
+                receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
             }
             if (wsResult.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL) != null) {
                 msg.put(SecurityConstants.DELEGATED_CREDENTIAL, 
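Review bot: The swapped lookup order — `TAG_TRANSFORMED_TOKEN` is now consulted before `TAG_SAML_ASSERTION` — changes which assertion downstream code derives the caller's identity and roles from, yet carries no comment saying why the transformed token should win. Presumably the intent is that a token produced by the validator (for example one issued by an STS) is more authoritative than the assertion as received, but that is inferred, so a comment such as `// Prefer the token produced by validation over the assertion as received; roles/issuer are derived from this` on the first of the two lines would make the precedence deliberate rather than accidental. The same preference order appears in the new `createSecurityContext(Message, Credential)` in AuthPolicyValidatingInterceptor, so mentioning that in the comment helps keep the two in sync. The enclosing method begins and ends outside this hunk.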

