From: coheigea@apache.org To: commits@cxf.apache.org Date: Fri, 27 Feb 2015 15:04:58 -0000 Message-Id: <1f1a52cbe25d43b18010fbf77461cdda@git.apache.org> In-Reply-To: <9d1ac5dd37ea4bbbae6c979b117e0433@git.apache.org> References: <9d1ac5dd37ea4bbbae6c979b117e0433@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/2] cxf git commit: [CXF-6272] - SCT Renew in Secure Conversation. Thanks to Freddy Exposito for the patch. - Also added a unit test. - Also explicitly removed the token to be renewed from the cache first [CXF-6272] - SCT Renew in Secure Conversation. Thanks to Freddy Exposito for the patch. - Also added a unit test. - Also explicitly removed the token to be renewed from the cache first Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/53c9848b Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/53c9848b Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/53c9848b Branch: refs/heads/3.0.x-fixes Commit: 53c9848bfcd464f2e2db5449d8f1d1d1ce5a7991 Parents: e57a012 Author: Colm O hEigeartaigh Authored: Fri Feb 27 14:25:03 2015 +0000 Committer: Colm O hEigeartaigh Committed: Fri Feb 27 15:04:50 2015 +0000 ---------------------------------------------------------------------- .../policy/interceptors/STSInvoker.java | 28 ++++--- .../SecureConversationInInterceptor.java | 77 ++++++++++++++------ .../SpnegoContextTokenInInterceptor.java | 14 +++- .../apache/cxf/ws/security/trust/STSUtils.java | 43 ++++++++++- .../cxf/systest/ws/wssc/WSSCUnitTest.java | 35 +++++++++ 5 files changed, 162 insertions(+), 35 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/53c9848b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
index e2ea19a..a4ecd86 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
@@ -84,7 +84,7 @@ abstract class STSInvoker implements Invoker {
 }
 String namespace = requestEl.getNamespaceURI();
 String prefix = requestEl.getPrefix();
- SecurityToken cancelToken = null;
+ SecurityToken cancelOrRenewToken = null;
 if ("RequestSecurityToken".equals(requestEl.getLocalName())) {
 try {
 String requestType = null;
@@ -96,8 +96,8 @@ abstract class STSInvoker implements Invoker {
 if (namespace.equals(el.getNamespaceURI())) {
 if ("RequestType".equals(localName)) {
 requestType = el.getTextContent();
- } else if ("CancelTarget".equals(localName)) {
- cancelToken = findCancelToken(exchange, el);
+ } else if ("CancelTarget".equals(localName) || "RenewTarget".equals(localName)) {
+ cancelOrRenewToken = findCancelOrRenewToken(exchange, el);
 } else if ("BinaryExchange".equals(localName)) {
 binaryExchange = el;
 } else if ("TokenType".equals(localName)) {
@@ -121,10 +121,10 @@ abstract class STSInvoker implements Invoker {
 if (requestType.endsWith("/Issue")) {
 doIssue(requestEl, exchange, binaryExchange, writer, prefix, namespace);
 } else if (requestType.endsWith("/Cancel")) {
- doCancel(exchange, cancelToken, writer, prefix, namespace);
- } //else if (requestType.endsWith("/Renew")) {
- //REVISIT - implement
- //}
+ doCancel(exchange, cancelOrRenewToken, writer, prefix, namespace);
+ } else if (requestType.endsWith("/Renew")) {
+ doRenew(requestEl, exchange, cancelOrRenewToken, binaryExchange, writer, prefix, namespace);
+ }
 return new MessageContentsList(new DOMSource(writer.getDocument()));
 } catch (RuntimeException ex) {
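Review bot: In the new `/Renew` branch of the third hunk, `doRenew(requestEl, exchange, cancelOrRenewToken, ...)` is called with `cancelOrRenewToken` still `null` whenever the RST carries no `RenewTarget` element, or `findCancelOrRenewToken` returned nothing for it; nothing in the dispatcher rejects that case, so every `doRenew` implementation has to guard against it itself. I would fail the request here instead, e.g. `if (cancelOrRenewToken == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); }` placed before the `doRenew` call (the method already reaches `findCancelOrRenewToken`, which declares that exception). Separately, naming a token identifier in `RenewTarget` is not proof of holding that token; unless the endpoint's binding already forces the Renew RST to be secured with the SCT being renewed, the renew path should verify that before re-issuing, since a renewal replaces the original's secret and would let anyone who learns an identifier take over or invalidate the conversation. The enclosing invoke method starts before the first hunk and continues past the last one.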
@@ -146,9 +146,19 @@ abstract class STSInvoker implements Invoker { String namespace ) throws Exception; + abstract void doRenew( + Element requestEl, + Exchange exchange, + SecurityToken renewToken, + Element binaryExchange, + W3CDOMStreamWriter writer, + String prefix, + String namespace + ) throws Exception; + private void doCancel( Exchange exchange, - SecurityToken cancelToken, + SecurityToken cancelToken, W3CDOMStreamWriter writer, String prefix, String namespace @@ -171,7 +181,7 @@ abstract class STSInvoker implements Invoker { } } - private SecurityToken findCancelToken(Exchange exchange, Element el) throws WSSecurityException { + private SecurityToken findCancelOrRenewToken(Exchange exchange, Element el) throws WSSecurityException { Element childElement = DOMUtils.getFirstElement(el); String uri = ""; if ("SecurityContextToken".equals(childElement.getLocalName())) { http://git-wip-us.apache.org/repos/asf/cxf/blob/53c9848b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java index 6cb52d1..ef97425 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java @@ -62,6 +62,7 @@ import org.apache.neethi.All; import org.apache.neethi.Assertion; import org.apache.neethi.ExactlyOne; import org.apache.neethi.Policy; +import org.apache.wss4j.dom.WSSConfig; import org.apache.wss4j.dom.message.token.SecurityContextToken; import org.apache.wss4j.policy.SP12Constants; import org.apache.wss4j.policy.SPConstants; 
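Review bot: In the `findCancelOrRenewToken` hunk, `Element childElement = DOMUtils.getFirstElement(el);` is followed by `childElement.getLocalName()` with no null check, so an empty `<wst:RenewTarget/>` (newly routed here) or `<wst:CancelTarget/>` in a client-supplied RST raises a NullPointerException instead of a security fault; what the dispatcher's `catch (RuntimeException ex)` turns that into is outside this hunk. Since the method already declares `throws WSSecurityException`, I would reject the malformed target explicitly: `if (childElement == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); }` right after the `getFirstElement` call. The rest of `findCancelOrRenewToken` continues past the end of the hunk.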
@@ -172,8 +173,8 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor 512) { keySize = 256; } - + writer.writeStartElement(prefix, "RequestedSecurityToken", namespace); - SecurityContextToken sct = - new SecurityContextToken(NegotiationUtils.getWSCVersion(tokenType), writer.getDocument()); - + SecurityContextToken sct; + if (tokenIdToRenew != null) { + ((TokenStore)exchange.get(Endpoint.class).getEndpointInfo() + .getProperty(TokenStore.class.getName())).remove(tokenIdToRenew); + sct = new SecurityContextToken( + NegotiationUtils.getWSCVersion(tokenType), writer.getDocument(), + tokenIdToRenew); + sct.setID(WSSConfig.getNewInstance().getIdAllocator() + .createSecureId("sctId-", sct.getElement())); + } else { + sct = new SecurityContextToken( + NegotiationUtils.getWSCVersion(tokenType), writer.getDocument()); + } + Date created = new Date(); Date expires = new Date(); expires.setTime(created.getTime() + ttl); - + SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires); token.setToken(sct.getElement()); token.setTokenType(sct.getTokenType()); - + writer.getCurrentNode().appendChild(sct.getElement()); - writer.writeEndElement(); - + writer.writeEndElement(); + writer.writeStartElement(prefix, "RequestedAttachedReference", namespace); token.setAttachedReference( writeSecurityTokenReference(writer, "#" + sct.getID(), tokenType) ); writer.writeEndElement(); - + writer.writeStartElement(prefix, "RequestedUnattachedReference", namespace); token.setUnattachedReference( writeSecurityTokenReference(writer, sct.getIdentifier(), tokenType) ); writer.writeEndElement(); - + writeLifetime(writer, created, expires, prefix, namespace); byte[] secret = writeProofToken(prefix, namespace, writer, clientEntropy, keySize); - + token.setSecret(secret); - + SecurityContext sc = exchange.getInMessage().get(SecurityContext.class); if (sc != null) { token.setSecurityContext(sc); } - + // Get Bootstrap Token SecurityToken bootstrapToken = 
getBootstrapToken(exchange.getInMessage()); if (bootstrapToken != null) { @@ -392,11 +427,11 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor properties = new HashMap(); + properties.put("ws-security.encryption.username", "bob"); + TokenCallbackHandler callbackHandler = new TokenCallbackHandler(); + properties.put("ws-security.callback-handler", callbackHandler); + properties.put("ws-security.signature.properties", "alice.properties"); + properties.put("ws-security.encryption.properties", "bob.properties"); + stsClient.setProperties(properties); + + SecurityToken securityToken = + stsClient.requestSecurityToken("http://localhost:" + PORT2 + "/" + "DoubleItSymmetric"); + assertNotNull(securityToken); + callbackHandler.setSecurityToken(securityToken); + + assertNotNull(stsClient.renewSecurityToken(securityToken)); + } // mock up a SymmetricBinding policy to talk to the STS private Policy createSymmetricBindingPolicy() {