cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/2] cxf git commit: [CXF-6272] - SCT Renew in Secure Conversation. Thanks to Freddy Exposito for the patch. - Also added a unit test. - Also explicitly removed the token to be renewed from the cache first
Date Fri, 27 Feb 2015 15:04:58 GMT
[CXF-6272] - SCT Renew in Secure Conversation. Thanks to Freddy Exposito for the patch.
 - Also added a unit test.
 - Also explicitly removed the token to be renewed from the cache first


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/53c9848b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/53c9848b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/53c9848b

Branch: refs/heads/3.0.x-fixes
Commit: 53c9848bfcd464f2e2db5449d8f1d1d1ce5a7991
Parents: e57a012
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Feb 27 14:25:03 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Feb 27 15:04:50 2015 +0000

----------------------------------------------------------------------
 .../policy/interceptors/STSInvoker.java         | 28 ++++---
 .../SecureConversationInInterceptor.java        | 77 ++++++++++++++------
 .../SpnegoContextTokenInInterceptor.java        | 14 +++-
 .../apache/cxf/ws/security/trust/STSUtils.java  | 43 ++++++++++-
 .../cxf/systest/ws/wssc/WSSCUnitTest.java       | 35 +++++++++
 5 files changed, 162 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/53c9848b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
index e2ea19a..a4ecd86 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
@@ -84,7 +84,7 @@ abstract class STSInvoker implements Invoker {
         }
         String namespace = requestEl.getNamespaceURI();
         String prefix = requestEl.getPrefix();
-        SecurityToken cancelToken = null;
+        SecurityToken cancelOrRenewToken = null;
         if ("RequestSecurityToken".equals(requestEl.getLocalName())) {
             try {
                 String requestType = null;
@@ -96,8 +96,8 @@ abstract class STSInvoker implements Invoker {
                     if (namespace.equals(el.getNamespaceURI())) {
                         if ("RequestType".equals(localName)) {
                             requestType = el.getTextContent();
-                        } else if ("CancelTarget".equals(localName)) {
-                            cancelToken = findCancelToken(exchange, el);
+                        } else if ("CancelTarget".equals(localName) || "RenewTarget".equals(localName))
{
+                            cancelOrRenewToken = findCancelOrRenewToken(exchange, el);
                         } else if ("BinaryExchange".equals(localName)) {
                             binaryExchange = el;
                         } else if ("TokenType".equals(localName)) {
@@ -121,10 +121,10 @@ abstract class STSInvoker implements Invoker {
                 if (requestType.endsWith("/Issue")) { 
                     doIssue(requestEl, exchange, binaryExchange, writer, prefix, namespace);
                 } else if (requestType.endsWith("/Cancel")) {
-                    doCancel(exchange, cancelToken, writer, prefix, namespace);
-                } //else if (requestType.endsWith("/Renew")) {
-                //REVISIT - implement
-                //}
+                    doCancel(exchange, cancelOrRenewToken, writer, prefix, namespace);
+                } else if (requestType.endsWith("/Renew")) {
+                    doRenew(requestEl, exchange, cancelOrRenewToken, binaryExchange, writer,
prefix, namespace);
+                }
 
                 return new MessageContentsList(new DOMSource(writer.getDocument()));
             } catch (RuntimeException ex) {
@@ -146,9 +146,19 @@ abstract class STSInvoker implements Invoker {
         String namespace
     ) throws Exception;
 
+    abstract void doRenew(
+            Element requestEl,
+            Exchange exchange,
+            SecurityToken renewToken,
+            Element binaryExchange,
+            W3CDOMStreamWriter writer,
+            String prefix,
+            String namespace
+    ) throws Exception;
+
     private void doCancel(
         Exchange exchange, 
-        SecurityToken cancelToken, 
+        SecurityToken cancelToken,
         W3CDOMStreamWriter writer,
         String prefix, 
         String namespace
@@ -171,7 +181,7 @@ abstract class STSInvoker implements Invoker {
         }
     }
 
-    private SecurityToken findCancelToken(Exchange exchange, Element el) throws WSSecurityException
{
+    private SecurityToken findCancelOrRenewToken(Exchange exchange, Element el) throws WSSecurityException
{
         Element childElement = DOMUtils.getFirstElement(el);
         String uri = "";
         if ("SecurityContextToken".equals(childElement.getLocalName())) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/53c9848b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index 6cb52d1..ef97425 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -62,6 +62,7 @@ import org.apache.neethi.All;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.ExactlyOne;
 import org.apache.neethi.Policy;
+import org.apache.wss4j.dom.WSSConfig;
 import org.apache.wss4j.dom.message.token.SecurityContextToken;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
@@ -172,8 +173,8 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             SecureConversationToken tok = (SecureConversationToken)ais.iterator()
                 .next().getAssertion();
             Policy pol = tok.getBootstrapPolicy().getPolicy();
-            if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
-                //Cancel and Renew just sign with the token
+            if (s.endsWith("Cancel")) {
+                //Cancel just sign with the token
                 Policy p = new Policy();
                 ExactlyOne ea = new ExactlyOne();
                 p.addPolicyComponent(ea);
@@ -314,11 +315,34 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             String prefix, 
             String namespace
         ) throws Exception {
+            doIssueOrRenew(requestEl, exchange, binaryExchange, writer, prefix, namespace,
null);
+        }
+
+        void doRenew(Element requestEl,
+                     Exchange exchange,
+                     SecurityToken renewToken,
+                     Element binaryExchange,
+                     W3CDOMStreamWriter writer,
+                     String prefix,
+                     String namespace) throws Exception {
+            doIssueOrRenew(requestEl, exchange, binaryExchange, writer, prefix, namespace,
+                    renewToken.getId());
+        }
+
+
+        private void doIssueOrRenew(Element requestEl,
+                               Exchange exchange,
+                               Element binaryExchange,
+                               W3CDOMStreamWriter writer,
+                               String prefix,
+                               String namespace,
+                               String tokenIdToRenew
+        ) throws Exception {
             if (STSUtils.WST_NS_05_12.equals(namespace)) {
                 writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection",
namespace);
             }
             writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);
-            
+
             byte clientEntropy[] = null;
             int keySize = 256;
             long ttl = 300000L;
@@ -338,53 +362,64 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
                         tokenType = el.getTextContent();
                     }
                 }
-                
+
                 el = DOMUtils.getNextElement(el);
             }
-            
+
             // Check received KeySize
             if (keySize < 128 || keySize > 512) {
                 keySize = 256;
             }
-            
+
             writer.writeStartElement(prefix, "RequestedSecurityToken", namespace);
-            SecurityContextToken sct =
-                new SecurityContextToken(NegotiationUtils.getWSCVersion(tokenType), writer.getDocument());
-            
+            SecurityContextToken sct;
+            if (tokenIdToRenew != null) {
+                ((TokenStore)exchange.get(Endpoint.class).getEndpointInfo()
+                    .getProperty(TokenStore.class.getName())).remove(tokenIdToRenew);
+                sct = new SecurityContextToken(
+                        NegotiationUtils.getWSCVersion(tokenType), writer.getDocument(),
+                        tokenIdToRenew);
+                sct.setID(WSSConfig.getNewInstance().getIdAllocator()
+                        .createSecureId("sctId-", sct.getElement()));
+            } else {
+                sct = new SecurityContextToken(
+                        NegotiationUtils.getWSCVersion(tokenType), writer.getDocument());
+            }
+
             Date created = new Date();
             Date expires = new Date();
             expires.setTime(created.getTime() + ttl);
-            
+
             SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
             token.setToken(sct.getElement());
             token.setTokenType(sct.getTokenType());
-            
+
             writer.getCurrentNode().appendChild(sct.getElement());
-            writer.writeEndElement();        
-            
+            writer.writeEndElement();
+
             writer.writeStartElement(prefix, "RequestedAttachedReference", namespace);
             token.setAttachedReference(
                 writeSecurityTokenReference(writer, "#" + sct.getID(), tokenType)
             );
             writer.writeEndElement();
-            
+
             writer.writeStartElement(prefix, "RequestedUnattachedReference", namespace);
             token.setUnattachedReference(
                 writeSecurityTokenReference(writer, sct.getIdentifier(), tokenType)
             );
             writer.writeEndElement();
-            
+
             writeLifetime(writer, created, expires, prefix, namespace);
 
             byte[] secret = writeProofToken(prefix, namespace, writer, clientEntropy, keySize);
-            
+
             token.setSecret(secret);
-            
+
             SecurityContext sc = exchange.getInMessage().get(SecurityContext.class);
             if (sc != null) {
                 token.setSecurityContext(sc);
             }
-            
+
             // Get Bootstrap Token
             SecurityToken bootstrapToken = getBootstrapToken(exchange.getInMessage());
             if (bootstrapToken != null) {
@@ -392,11 +427,11 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
                 properties.put(SecurityToken.BOOTSTRAP_TOKEN_ID, bootstrapToken.getId());
                 token.setProperties(properties);
             }
-            
+
             ((TokenStore)exchange.get(Endpoint.class).getEndpointInfo()
                     .getProperty(TokenStore.class.getName())).add(token);
-            
-            
+
+
             writer.writeEndElement();
             if (STSUtils.WST_NS_05_12.equals(namespace)) {
                 writer.writeEndElement();

http://git-wip-us.apache.org/repos/asf/cxf/blob/53c9848b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index 6b76879..c2e9d83 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -251,7 +251,19 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             ((TokenStore)exchange.get(Endpoint.class).getEndpointInfo()
                     .getProperty(TokenStore.class.getName())).add(token);
         }
-        
+
+        void doRenew(
+                Element requestEl,
+                Exchange exchange,
+                SecurityToken securityToken,
+                Element binaryExchange,
+                W3CDOMStreamWriter writer,
+                String prefix,
+                String namespace
+        ) {
+            //Not implemented
+        }
+
         private SpnegoTokenContext handleBinaryExchange(
             Element binaryExchange,
             Message message,

http://git-wip-us.apache.org/repos/asf/cxf/blob/53c9848b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
index 20a4434..bc4d830 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
@@ -244,14 +244,15 @@ public final class STSUtils {
         
         OperationInfo ioi = addIssueOperation(ii, namespace, ns);
         OperationInfo coi = addCancelOperation(ii, namespace, ns);
-        
+        OperationInfo roi = addRenewOperation(ii, namespace, ns);
+
         si.setInterface(ii);
         service = new ServiceImpl(si);
         
         BindingFactoryManager bfm = bus.getExtension(BindingFactoryManager.class);
         BindingFactory bindingFactory = bfm.getBindingFactory(soapVersion);
-        BindingInfo bi = bindingFactory.createBindingInfo(service, 
-                                                          soapVersion, null);
+        BindingInfo bi = bindingFactory.createBindingInfo(service,
+                soapVersion, null);
         si.addBinding(bi);
         if (transportId == null) {
             ConduitInitiatorManager cim = bus.getExtension(ConduitInitiatorManager.class);
@@ -274,7 +275,7 @@ public final class STSUtils {
             boi.addExtensor(soi);
         }
         soi.setAction(namespace + (sc ? "/RST/SCT" : "/RST/Issue"));
-        
+
         boi = bi.getOperation(coi);
         soi = boi.getExtensor(SoapOperationInfo.class);
         if (soi == null) {
@@ -282,6 +283,15 @@ public final class STSUtils {
             boi.addExtensor(soi);
         }
         soi.setAction(namespace + (sc ? "/RST/SCT/Cancel" : "/RST/Cancel"));
+
+        boi = bi.getOperation(roi);
+        soi = boi.getExtensor(SoapOperationInfo.class);
+        if (soi == null) {
+            soi = new SoapOperationInfo();
+            boi.addExtensor(soi);
+        }
+        soi.setAction(namespace + (sc ? "/RST/SCT/Renew" : "/RST/Renew"));
+
         service.setDataBinding(new SourceDataBinding());
         return new EndpointImpl(bus, service, ei);
     }
@@ -332,4 +342,29 @@ public final class STSUtils {
         }
         return oi;
     }
+
+    private static OperationInfo addRenewOperation(InterfaceInfo ii,
+                                                   String namespace,
+                                                   String servNamespace) {
+        OperationInfo oi = ii.addOperation(new QName(servNamespace, "RenewSecurityToken"));
+        MessageInfo mii = oi.createMessage(new QName(servNamespace, "RenewSecurityTokenMsg"),
+                MessageInfo.Type.INPUT);
+        oi.setInput("RenewSecurityTokenMsg", mii);
+        MessagePartInfo mpi = mii.addMessagePart("request");
+        mpi.setElementQName(new QName(namespace, "RequestSecurityToken"));
+
+        MessageInfo mio = oi.createMessage(new QName(servNamespace,
+                        "RenewSecurityTokenResponseMsg"),
+                MessageInfo.Type.OUTPUT);
+        oi.setOutput("RenewSecurityTokenResponseMsg", mio);
+        mpi = mio.addMessagePart("response");
+
+        if (WST_NS_05_02.equals(namespace)) {
+            mpi.setElementQName(new QName(namespace, "RequestSecurityTokenResponse"));
+        } else {
+            mpi.setElementQName(new QName(namespace, "RequestSecurityTokenResponseCollection"));
+        }
+        return oi;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/53c9848b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
index 9bb608e..675d2c0 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
@@ -220,6 +220,41 @@ public class WSSCUnitTest extends AbstractBusClientServerTestBase {
         
         assertTrue(stsClient.cancelSecurityToken(securityToken));
     }
+    
+    @Test
+    public void testIssueAndRenewUnitTest() throws Exception {
+        if (test.isStreaming()) {
+            return;
+        }
+        
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = WSSCUnitTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setSecureConv(true);
+        stsClient.setLocation("http://localhost:" + PORT2 + "/" + "DoubleItSymmetric");
+        
+        stsClient.setPolicy(createSymmetricBindingPolicy());
+        
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put("ws-security.encryption.username", "bob");
+        TokenCallbackHandler callbackHandler = new TokenCallbackHandler();
+        properties.put("ws-security.callback-handler", callbackHandler);
+        properties.put("ws-security.signature.properties", "alice.properties");
+        properties.put("ws-security.encryption.properties", "bob.properties");
+        stsClient.setProperties(properties);
+        
+        SecurityToken securityToken = 
+            stsClient.requestSecurityToken("http://localhost:" + PORT2 + "/" + "DoubleItSymmetric");
+        assertNotNull(securityToken);
+        callbackHandler.setSecurityToken(securityToken);
+        
+        assertNotNull(stsClient.renewSecurityToken(securityToken));
+    }
 
     // mock up a SymmetricBinding policy to talk to the STS
     private Policy createSymmetricBindingPolicy() {


Mime
View raw message