From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: <0d5442fcd00a46998ee27a12ae780ea3@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Also send KeyType, KeySize + Renewal Semantics in a WS-Trust Validate request when the TokenType is not "Status" Date: Thu, 22 Jan 2015 15:15:45 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master e074211ab -> 762b011a8 Also send KeyType, KeySize + Renewal Semantics in a WS-Trust Validate request when the TokenType is not "Status" Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/762b011a Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/762b011a Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/762b011a Branch: refs/heads/master Commit: 762b011a8e45eb0905f5dd30f5891e2d54609bca Parents: e074211 Author: Colm O hEigeartaigh Authored: Thu Jan 22 15:14:39 2015 +0000 Committer: Colm O hEigeartaigh Committed: Thu Jan 22 15:14:39 2015 +0000 ---------------------------------------------------------------------- .../ws/security/trust/AbstractSTSClient.java | 103 +++++++++++++------ .../apache/cxf/ws/security/trust/STSClient.java | 23 +++-- 2 files changed, 89 insertions(+), 37 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/762b011a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index 9dd2262..21298b2 100755
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -841,16 +841,7 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
 }
 // Write out renewal semantics
- if (sendRenewing) {
- writer.writeStartElement("wst", "Renewing", namespace);
- if (!allowRenewing) {
- writer.writeAttribute(null, "Allow", "false");
- }
- if (allowRenewing && allowRenewingAfterExpiry) {
- writer.writeAttribute(null, "OK", "true");
- }
- writer.writeEndElement();
- }
+ writeRenewalSemantics(writer);
 writer.writeEndElement();
@@ -1053,16 +1044,7 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
 writer.writeEndElement();
 // Write out renewal semantics
- if (sendRenewing) {
- writer.writeStartElement("wst", "Renewing", namespace);
- if (!allowRenewing) {
- writer.writeAttribute(null, "Allow", "false");
- }
- if (allowRenewing && allowRenewingAfterExpiry) {
- writer.writeAttribute(null, "OK", "true");
- }
- writer.writeEndElement();
- }
+ writeRenewalSemantics(writer);
 writer.writeEndElement();
@@ -1126,19 +1108,82 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
 writer.writeCharacters(tokentype);
 writer.writeEndElement();
- addClaims(writer);
+ if (tokentype.endsWith("/RSTR/Status")) {
+ addClaims(writer);
- writer.writeStartElement("wst", "ValidateTarget", namespace);
+ writer.writeStartElement("wst", "ValidateTarget", namespace);
- Element el = tok.getToken();
- StaxUtils.copy(el, writer);
+ Element el = tok.getToken();
+ StaxUtils.copy(el, writer);
- writer.writeEndElement();
- writer.writeEndElement();
+ writer.writeEndElement();
+ writer.writeEndElement();
- Object o[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
-
- return new STSResponse((DOMSource)o[0], null);
+ Object o[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
+
+ return new STSResponse((DOMSource)o[0], null);
+ } else {
+ if (enableLifetime) {
+ addLifetime(writer);
+ }
+
+ // Default to Bearer KeyType
+ String keyTypeTemplate = keyType;
+ if (keyTypeTemplate == null) {
+ keyTypeTemplate = namespace + "/Bearer";
+ }
+ keyTypeTemplate = writeKeyType(writer, keyTypeTemplate);
+
+ byte[] requestorEntropy = null;
+ X509Certificate cert = null;
+ Crypto crypto = null;
+
+ if (keySize <= 0) {
+ keySize = 256;
+ }
+ if (keyTypeTemplate != null && keyTypeTemplate.endsWith("SymmetricKey")) {
+ requestorEntropy = writeElementsForRSTSymmetricKey(writer, false);
+ } else if (keyTypeTemplate != null && keyTypeTemplate.endsWith("PublicKey")) {
+ // Use the given cert, or else get it from a Crypto instance
+ if (useKeyCertificate != null) {
+ cert = useKeyCertificate;
+ } else {
+ crypto = createCrypto(false);
+ cert = getCert(crypto);
+ }
+ writeElementsForRSTPublicKey(writer, cert);
+ }
+
+ writeRenewalSemantics(writer);
+
+ addClaims(writer);
+
+ writer.writeStartElement("wst", "ValidateTarget", namespace);
+
+ Element el = tok.getToken();
+ StaxUtils.copy(el, writer);
+
+ writer.writeEndElement();
+ writer.writeEndElement();
+
+ Object o[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
+
+ return new STSResponse((DOMSource)o[0], requestorEntropy, cert, crypto);
+ }
+ }
+
+ private void writeRenewalSemantics(XMLStreamWriter writer) throws XMLStreamException {
+ // Write out renewal semantics
+ if (sendRenewing) {
+ writer.writeStartElement("wst", "Renewing", namespace);
+ if (!allowRenewing) {
+ writer.writeAttribute(null, "Allow", "false");
+ }
+ if (allowRenewing && allowRenewingAfterExpiry) {
+ writer.writeAttribute(null, "OK", "true");
+ }
+ writer.writeEndElement();
+ }
 }
 /**
http://git-wip-us.apache.org/repos/asf/cxf/blob/762b011a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
index 41b926d..afdaaea 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
@@ -28,7 +28,6 @@ import org.w3c.dom.Element;
 import org.apache.cxf.Bus;
 import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
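Review bot: The tail of both branches in the `/RSTR/Status` split (addClaims, the ValidateTarget element, the invoke and the STSResponse construction) is written twice and only the STSResponse arguments differ; hoisting that tail after the branch removes the duplication and keeps the two Validate request shapes from drifting apart. The new else branch also assigns `keySize = 256;` to what appears to be the instance field (it is not declared in the hunk), so one validate call silently rewrites the client's configured key size; if writeElementsForRSTSymmetricKey reads that field, working on a local copy or restoring the field afterwards would avoid the side effect. The rewrite below assumes `new STSResponse(src, null, null, null)` is equivalent to the two-argument `new STSResponse(src, null)` used on the Status path — STSResponse is not in the hunk, so confirm that before applying it. The enclosing validate method starts outside the hunk.
```java
        // … unchanged: TokenType element written above …
        byte[] requestorEntropy = null;
        X509Certificate cert = null;
        Crypto crypto = null;
        if (!tokentype.endsWith("/RSTR/Status")) {
            if (enableLifetime) {
                addLifetime(writer);
            }
            // … unchanged: key type default, entropy / certificate handling (assigns the three locals above) …
            writeRenewalSemantics(writer);
        }
        addClaims(writer);

        writer.writeStartElement("wst", "ValidateTarget", namespace);
        StaxUtils.copy(tok.getToken(), writer);
        writer.writeEndElement();
        writer.writeEndElement();

        Object o[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
        return new STSResponse((DOMSource)o[0], requestorEntropy, cert, crypto);
```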
@@ -127,14 +126,22 @@ public class STSClient extends AbstractSTSClient {
 reason = DOMUtils.getContent(e2);
 }
 } else if ("RequestedSecurityToken".equals(el.getLocalName())) {
- Element requestedSecurityTokenElement = DOMUtils.getFirstElement(el);
- String id = findID(null, null, requestedSecurityTokenElement);
- if (StringUtils.isEmpty(id)) {
- throw new TrustException("NO_ID", LOG);
+ SecurityToken token =
+ createSecurityToken(getDocumentElement(response.getResponse()), response.getEntropy());
+
+ if (response.getCert() != null) {
+ token.setX509Certificate(response.getCert(), response.getCrypto());
+ }
+ if (token.getTokenType() == null) {
+ String tokenTypeFromTemplate = getTokenTypeFromTemplate();
+ if (tokenTypeFromTemplate != null) {
+ token.setTokenType(tokenTypeFromTemplate);
+ } else if (tokenType != null) {
+ token.setTokenType(tokenType);
+ }
 }
- SecurityToken requestedSecurityToken = new SecurityToken(id);
- requestedSecurityToken.setToken(requestedSecurityTokenElement);
- tokens.add(requestedSecurityToken);
+
+ tokens.add(token);
 }
 el = DOMUtils.getNextElement(el);
 }
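Review bot: The rewritten RequestedSecurityToken branch no longer reads the element it is iterating over: `createSecurityToken(getDocumentElement(response.getResponse()), response.getEntropy())` is built from the response root, so `el` only decides when a token is created, and a response carrying more than one RequestedSecurityToken would yield the same token once per element. The explicit `NO_ID` check is also gone from this path; whether createSecurityToken still rejects a token without an id cannot be seen from the hunk, so confirm that, or pass the element through if the helper accepts it. At minimum a comment above the call, `// token is parsed from the whole response, not from el`, would make the intent visible to the next reader. The enclosing method starts and ends outside the hunk.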