cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/3] git commit: Adding a new JAX-RS property to control Kerberos request delegation
Date Wed, 15 Oct 2014 13:44:31 GMT
Adding a new JAX-RS property to control Kerberos request delegation

Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/332bf86d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/332bf86d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/332bf86d

Branch: refs/heads/2.7.x-fixes
Commit: 332bf86d45749054123f1373829b6b777e4a8e4f
Parents: 3521316
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Oct 15 14:24:27 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Oct 15 14:32:23 2014 +0100

----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java      | 40 +++++++++++++++++++-
 .../cxf/ws/security/kerberos/KerberosUtils.java |  6 +++
 2 files changed, 45 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/332bf86d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 5291158..8c0632c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -530,10 +530,47 @@ public final class SecurityConstants {
     public static final String STS_TOKEN_ON_BEHALF_OF = "ws-security.sts.token.on-behalf-of";
 
     /**
+<<<<<<< HEAD
      * Set this to "false" in order to remove the SOAP mustUnderstand header from security
headers generated based on
      * a WS-SecurityPolicy.
      *
      * The default value is "true" which included the SOAP mustUnderstand header.
+=======
+     * This is the value in seconds within which a token is considered to be expired by the
+     * client. When a cached token (from a STS) is retrieved by the client, it is considered
+     * to be expired if it will expire in a time less than the value specified by this tag.
+     * This prevents token expiry when the message is en route / being processed by the
+     * service. When the token is found to be expired then it will be renewed via the STS.
+     * 
+     * The default value is 10 (seconds). Specify 0 to avoid this check.
+     */
+    public static final String STS_TOKEN_IMMINENT_EXPIRY_VALUE =
+        "ws-security.sts.token.imminent-expiry-value";
+    
+    //
+    // Kerberos Configuration tags
+    //
+    
+    /**
+     * Whether to request credential delegation or not in the KerberosClient. If this is
set to "true",
+     * then it tries to get a kerberos service ticket that can be used for delegation. The
default
+     * is "false".
+     */
+    public static final String KERBEROS_REQUEST_CREDENTIAL_DELEGATION = 
+        "ws-security.kerberos.request.credential.delegation";
+    
+    /**
+     * Whether to use credential delegation or not in the KerberosClient. If this is set
to "true",
+     * then it tries to get a GSSCredential Object from the Message Context using the 
+     * DELEGATED_CREDENTIAL configuration tag below, and then use this to obtain a service
ticket.
+     * The default is "false".
+     */
+    public static final String KERBEROS_USE_CREDENTIAL_DELEGATION = 
+        "ws-security.kerberos.use.credential.delegation";
+    
+    /**
+     * Whether the Kerberos username is in servicename form or not. The default is "false".
+>>>>>>> 9edc70a... Adding a new JAX-RS property to control Kerberos
request delegation
      */
     public static final String MUST_UNDERSTAND = "ws-security.must-understand";
 
@@ -593,7 +630,8 @@ public final class SecurityConstants {
             ASYMMETRIC_SIGNATURE_ALGORITHM, ENABLE_SAML_ONE_TIME_USE_CACHE, SAML_ONE_TIME_USE_CACHE_INSTANCE,
             CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
             DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
-            KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE
+            KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
+            KERBEROS_REQUEST_CREDENTIAL_DELEGATION
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/332bf86d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
index b739edb..73118cb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
@@ -59,11 +59,17 @@ public final class KerberosUtils {
                                               SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM,

                                               false);
             
+            boolean requestCredentialDelegation = 
+                MessageUtils.getContextualBoolean(message, 
+                                              SecurityConstants.KERBEROS_REQUEST_CREDENTIAL_DELEGATION,

+                                              false);
+            
             client.setContextName(jaasContext);
             client.setServiceName(kerberosSpn);
             client.setCallbackHandler(callbackHandler);
             client.setUseDelegatedCredential(useCredentialDelegation);
             client.setUsernameServiceNameForm(isInServiceNameForm);
+            client.setRequestCredentialDelegation(requestCredentialDelegation);
         }
         return client;
     }


Mime
View raw message