From cohei...@apache.org
Subject cxf git commit: A slight refactor of role parsing in the STS
Date Tue, 16 Dec 2014 17:04:33 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 716531d62 -> b37a59a6a


A slight refactor of role parsing in the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b37a59a6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b37a59a6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b37a59a6

Branch: refs/heads/master
Commit: b37a59a6aff032c3a36ed64ef425cac81d90adad
Parents: 716531d
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Dec 16 17:04:14 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Dec 16 17:04:26 2014 +0000

----------------------------------------------------------------------
 .../token/validator/DefaultSAMLRoleParser.java  | 47 +----------
 .../validator/DefaultSubjectRoleParser.java     | 87 ++++++++++++++++++++
 .../cxf/sts/token/validator/SAMLRoleParser.java |  2 +-
 .../sts/token/validator/SubjectRoleParser.java  | 40 +++++++++
 .../token/validator/UsernameTokenValidator.java | 16 +++-
 5 files changed, 146 insertions(+), 46 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/b37a59a6/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
index 5a336d5..b76cce9 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
@@ -23,8 +23,6 @@ import java.util.Set;
 
 import javax.security.auth.Subject;
 
-import org.apache.cxf.interceptor.security.DefaultSecurityContext;
-import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
 import org.apache.cxf.rt.security.saml.SAMLUtils;
@@ -33,8 +31,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 /**
  * A default implementation to extract roles from a SAML Assertion
  */
-public class DefaultSAMLRoleParser implements SAMLRoleParser {
-    
+public class DefaultSAMLRoleParser extends DefaultSubjectRoleParser implements SAMLRoleParser
{
     /**
      * This configuration tag specifies the default attribute name where the roles are present
      * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
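Review bot: The class Javadoc still describes only role extraction from a SAML Assertion, while the class now inherits the Subject-based parsing and the roleClassifier/roleClassifierType configuration from DefaultSubjectRoleParser, so a reader of this file no longer sees where those setters went. Adding `Subject-based role parsing and the role classifier settings are inherited from {@link DefaultSubjectRoleParser}.` to the class comment would cover that. The class body continues outside the hunk.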
@@ -43,8 +40,6 @@ public class DefaultSAMLRoleParser implements SAMLRoleParser {
         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
     
     private boolean useJaasSubject = true;
-    private String roleClassifier;
-    private String roleClassifierType = "prefix";
     private String roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
 
     /**
@@ -58,13 +53,7 @@ public class DefaultSAMLRoleParser implements SAMLRoleParser {
         Principal principal, Subject subject, SamlAssertionWrapper assertion
     ) {
         if (subject != null && useJaasSubject) {
-            if (roleClassifier != null && !"".equals(roleClassifier)) {
-                RolePrefixSecurityContextImpl securityContext =
-                    new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType);
-                return securityContext.getUserRoles();
-            } else {
-                return new DefaultSecurityContext(principal, subject).getUserRoles();
-            }
+            return super.parseRolesFromSubject(principal, subject);
         }
         
         ClaimCollection claims = SAMLUtils.getClaims(assertion);
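Review bot: The `super.` qualifier on the new call in parseRolesFromAssertion is redundant, since this class does not override parseRolesFromSubject, and it reads as though an override were being bypassed; `return parseRolesFromSubject(principal, subject);` is clearer. The superclass method repeats the `subject != null` check, which is harmless, but the branch deserves a why-comment such as `// useJaasSubject: take roles from the JAAS Subject rather than the assertion attributes`. parseRolesFromAssertion starts and ends outside the hunk.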
@@ -90,36 +79,6 @@ public class DefaultSAMLRoleParser implements SAMLRoleParser {
         this.useJaasSubject = useJaasSubject;
     }
 
-    public String getRoleClassifier() {
-        return roleClassifier;
-    }
-
-    /**
-     * Set the Subject Role Classifier to use. If this value is not specified, then it tries
to
-     * get roles from the supplied JAAS Subject (if not null) using the DefaultSecurityContext

-     * in cxf-rt-core. Otherwise it uses this value in combination with the 
-     * SUBJECT_ROLE_CLASSIFIER_TYPE to get the roles from the Subject.
-     * @param roleClassifier the Subject Role Classifier to use
-     */
-    public void setRoleClassifier(String roleClassifier) {
-        this.roleClassifier = roleClassifier;
-    }
-
-    public String getRoleClassifierType() {
-        return roleClassifierType;
-    }
-
-    /**
-     * Set the Subject Role Classifier Type to use. Currently accepted values are "prefix"
or 
-     * "classname". Must be used in conjunction with the SUBJECT_ROLE_CLASSIFIER. The default

-     * value is "prefix".
-     * @param roleClassifierType the Subject Role Classifier Type to use
-     */
-    public void setRoleClassifierType(String roleClassifierType) {
-        this.roleClassifierType = roleClassifierType;
-    }
-    
-    
     public String getRoleAttributeName() {
         return roleAttributeName;
     }
@@ -132,5 +91,5 @@ public class DefaultSAMLRoleParser implements SAMLRoleParser {
     public void setRoleAttributeName(String roleAttributeName) {
         this.roleAttributeName = roleAttributeName;
     }
-
+    
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/b37a59a6/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSubjectRoleParser.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSubjectRoleParser.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSubjectRoleParser.java
new file mode 100644
index 0000000..c629d83
--- /dev/null
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSubjectRoleParser.java
@@ -0,0 +1,87 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.token.validator;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.apache.cxf.interceptor.security.DefaultSecurityContext;
+import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
+
+/**
+ * A default implementation to extract roles from a Subject
+ */
+public class DefaultSubjectRoleParser implements SubjectRoleParser {
+    
+    private String roleClassifier;
+    private String roleClassifierType = "prefix";
+
+    /**
+     * Return the set of User/Principal roles from the Subject.
+     * @param principal the optional Principal 
+     * @param subject the JAAS Subject
+     * @return the set of User/Principal roles from the Subject.
+     */
+    public Set<Principal> parseRolesFromSubject(Principal principal, Subject subject)
{
+        if (subject != null) {
+            if (roleClassifier != null && !"".equals(roleClassifier)) {
+                RolePrefixSecurityContextImpl securityContext =
+                    new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType);
+                return securityContext.getUserRoles();
+            } else {
+                return new DefaultSecurityContext(principal, subject).getUserRoles();
+            }
+        }
+        
+        return Collections.emptySet();
+    }
+    
+    public String getRoleClassifier() {
+        return roleClassifier;
+    }
+
+    /**
+     * Set the Subject Role Classifier to use. If this value is not specified, then it tries
to
+     * get roles from the supplied JAAS Subject (if not null) using the DefaultSecurityContext

+     * in cxf-rt-core. Otherwise it uses this value in combination with the 
+     * SUBJECT_ROLE_CLASSIFIER_TYPE to get the roles from the Subject.
+     * @param roleClassifier the Subject Role Classifier to use
+     */
+    public void setRoleClassifier(String roleClassifier) {
+        this.roleClassifier = roleClassifier;
+    }
+
+    public String getRoleClassifierType() {
+        return roleClassifierType;
+    }
+
+    /**
+     * Set the Subject Role Classifier Type to use. Currently accepted values are "prefix"
or 
+     * "classname". Must be used in conjunction with the SUBJECT_ROLE_CLASSIFIER. The default

+     * value is "prefix".
+     * @param roleClassifierType the Subject Role Classifier Type to use
+     */
+    public void setRoleClassifierType(String roleClassifierType) {
+        this.roleClassifierType = roleClassifierType;
+    }
+    
+}
\ No newline at end of file
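Review bot: The Javadoc on setRoleClassifier and setRoleClassifierType refers to SUBJECT_ROLE_CLASSIFIER and SUBJECT_ROLE_CLASSIFIER_TYPE, which are not constants of this class (the text appears carried over from the SAML parser), so a reader cannot follow the reference; `Must be used in conjunction with {@link #setRoleClassifier(String)}.` and `in combination with the value set via {@link #setRoleClassifierType(String)}` would point at the real API. setRoleClassifierType also accepts any string although only "prefix" and "classname" are documented; unless RolePrefixSecurityContextImpl is known to reject other values, an IllegalArgumentException in the setter would surface a misconfigured role source at configuration time rather than at token validation time. Whether getUserRoles() can return null is not visible here; if it can, parseRolesFromSubject should normalise to Collections.emptySet() so that callers such as response.setRoles receive a consistent value.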

http://git-wip-us.apache.org/repos/asf/cxf/blob/b37a59a6/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLRoleParser.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLRoleParser.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLRoleParser.java
index fd21120..93e84ff 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLRoleParser.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLRoleParser.java
@@ -29,7 +29,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 /**
  * This interface defines a way to extract roles from a SAML Assertion
  */
-public interface SAMLRoleParser {
+public interface SAMLRoleParser extends SubjectRoleParser {
     
     /**
      * Return the set of User/Principal roles from the Assertion.
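Review bot: Making SAMLRoleParser extend SubjectRoleParser adds an abstract method to a public interface, so any custom SAMLRoleParser implementation outside this module stops compiling until it provides parseRolesFromSubject, and the interface Javadoc does not mention this. A sentence such as `Implementations must also provide {@link SubjectRoleParser#parseRolesFromSubject}; {@link DefaultSAMLRoleParser} inherits it from {@link DefaultSubjectRoleParser}.` in the interface comment would make the new obligation visible. The interface body continues outside the hunk.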

http://git-wip-us.apache.org/repos/asf/cxf/blob/b37a59a6/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SubjectRoleParser.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SubjectRoleParser.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SubjectRoleParser.java
new file mode 100644
index 0000000..cc92189
--- /dev/null
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SubjectRoleParser.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.token.validator;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+
+/**
+ * This interface defines a way to extract roles from a JAAS Subject
+ */
+public interface SubjectRoleParser {
+    
+    /**
+     * Return the set of User/Principal roles from the Subject.
+     * @param principal the optional Principal 
+     * @param subject the JAAS Subject
+     * @return the set of User/Principal roles from the Subject.
+     */
+    Set<Principal> parseRolesFromSubject(Principal principal, Subject subject);
+    
+}
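Review bot: The Javadoc for parseRolesFromSubject does not say what implementations should return when the Subject is null or carries no roles, even though the default implementation returns an empty set and UsernameTokenValidator passes the result straight to response.setRoles. Stating the contract, for example `@return the set of roles, or an empty set if {@code subject} is {@code null} or no roles can be determined; implementations should not return {@code null}`, lets callers skip null handling — assuming that is the intended contract.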

http://git-wip-us.apache.org/repos/asf/cxf/blob/b37a59a6/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
index 317d698..b748f6a 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
@@ -33,7 +33,6 @@ import javax.xml.bind.Marshaller;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
-
 import org.apache.cxf.common.jaxb.JAXBContextCache;
 import org.apache.cxf.common.jaxb.JAXBContextCache.CachedContextAndSchemas;
 import org.apache.cxf.common.logging.LogUtils;
@@ -71,6 +70,7 @@ public class UsernameTokenValidator implements TokenValidator {
     private Validator validator = new org.apache.wss4j.dom.validate.UsernameTokenValidator();
     
     private UsernameTokenRealmCodec usernameTokenRealmCodec;
+    private SubjectRoleParser roleParser = new DefaultSubjectRoleParser();
     
     /**
      * Set the WSS4J Validator instance to use to validate the token.
@@ -194,6 +194,12 @@ public class UsernameTokenValidator implements TokenValidator {
                 credential.setUsernametoken(ut);
                 credential = validator.validate(credential, requestData);
                 principal = credential.getPrincipal();
+                if (credential.getSubject() != null && roleParser != null) {
+                    // Parse roles from the validated token
+                    Set<Principal> roles = 
+                        roleParser.parseRolesFromSubject(principal, credential.getSubject());
+                    response.setRoles(roles);
+                }
             }
            
             if (principal == null) {
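Review bot: The new role parsing runs before the `if (principal == null)` check that follows it, so `principal` may be null when handed to parseRolesFromSubject; the interface documents the Principal as optional, but whether DefaultSecurityContext tolerates a null principal is not visible here, so either confirm that or move the block after the null check. The added comment could also say where the roles come from, e.g. `// Derive roles from the JAAS Subject the validator attached to the credential`. The enclosing method starts and ends outside the hunk.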
@@ -263,5 +269,13 @@ public class UsernameTokenValidator implements TokenValidator {
         principal.setPasswordType(passwordType);
         return principal;
     }
+
+    public SubjectRoleParser getRoleParser() {
+        return roleParser;
+    }
+
+    public void setRoleParser(SubjectRoleParser roleParser) {
+        this.roleParser = roleParser;
+    }
     
 }
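Review bot: getRoleParser and setRoleParser have no Javadoc, and the null guard in the validation path means that setting a null parser silently disables role population on the response, which a caller would not guess from the setter. A comment such as `/** Set the SubjectRoleParser used to derive roles from the validated JAAS Subject; {@code null} disables role population on the response. */` would document that.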

