cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: Some refactoring
Date Thu, 12 Mar 2015 17:08:00 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master beaa1ac70 -> ecd25ab9d


Some refactoring


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ecd25ab9
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ecd25ab9
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ecd25ab9

Branch: refs/heads/master
Commit: ecd25ab9d745c328d462a1e35552b7a1aeaffe7b
Parents: beaa1ac
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 12 17:07:53 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 12 17:07:53 2015 +0000

----------------------------------------------------------------------
 .../service/idp/STSAuthenticationProvider.java  | 303 +++++++++++--------
 .../src/test/resources/idp/security-config.xml  |  11 +-
 2 files changed, 178 insertions(+), 136 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ecd25ab9/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
index 3b4be6a..0a75b63 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
@@ -47,6 +47,7 @@ import org.apache.cxf.helpers.DOMUtils;
 //import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.kerberos.KerberosServiceContext;
 import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
@@ -115,11 +116,7 @@ public class STSAuthenticationProvider implements AuthenticationProvider
{
     
     private boolean requireDelegation;
     
-    private String technicalUser;
-    private String technicalPassword;
     
-    
-    //CHECKSTYLE:OFF
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException
{
         
@@ -136,144 +133,197 @@ public class STSAuthenticationProvider implements AuthenticationProvider
{
         sts.setServiceQName(new QName(namespace, wsdlService));
         sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
         
-        Principal kerberosPrincipal = null;
+        sts.getProperties().putAll(properties);
+        if (use200502Namespace) {
+            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+        }
+        
+        if (lifetime != null) {
+            sts.setEnableLifetime(true);
+            sts.setTtl(lifetime.intValue());
+        }
+        
         if (authentication instanceof KerberosServiceRequestToken) {
-            // 
-            // If delegation is required then validate the received token + store the
-            // Delegated Credential so that we can retrieve a new kerberos token for the
-            // STS with it. If delegation is not required, then we just get the received
-            // token + pass it to the STS
-            //
-            if (requireDelegation) {
-                kerberosPrincipal = 
-                    validateKerberosToken((KerberosServiceRequestToken)authentication, sts);
-                if (kerberosPrincipal == null) {
-                    return null;
-                }
-            } else {
-                PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient();
-                kerberosClient.setToken(((KerberosServiceRequestToken)authentication).getToken());
-                sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient);
-            }
+            return handleKerberos((KerberosServiceRequestToken)authentication, sts);
         } else if (authentication instanceof PreAuthenticatedAuthenticationToken) {
-            sts.getProperties().put(SecurityConstants.USERNAME, technicalUser);
-            sts.getProperties().put(SecurityConstants.PASSWORD, technicalPassword);
-            
-            X509Certificate cert = 
-                (X509Certificate)((PreAuthenticatedAuthenticationToken)authentication).getCredentials();
-            if (cert == null) {
+            return handlePreAuthenticated((PreAuthenticatedAuthenticationToken)authentication,
sts);
+        } else if (authentication instanceof UsernamePasswordAuthenticationToken) {
+            return handleUsernamePassword((UsernamePasswordAuthenticationToken)authentication,
sts);
+        } else {
+            LOG.debug("An unknown authentication token was supplied");
+            return null;
+        }
+        
+    }
+    
+    private Authentication handleKerberos(
+        KerberosServiceRequestToken kerberosRequestToken,
+        IdpSTSClient sts
+    ) {
+        Principal kerberosPrincipal = null;
+        // 
+        // If delegation is required then validate the received token + store the
+        // Delegated Credential so that we can retrieve a new kerberos token for the
+        // STS with it. If delegation is not required, then we just get the received
+        // token + pass it to the STS
+        //
+        if (requireDelegation) {
+            kerberosPrincipal = validateKerberosToken(kerberosRequestToken, sts);
+            if (kerberosPrincipal == null) {
                 return null;
             }
+        } else {
+            PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient();
+            kerberosClient.setToken(kerberosRequestToken.getToken());
+            sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient);
+        }
+        
+        try {
+            // Line below may be uncommented for debugging    
+            // setTimeout(sts.getClient(), 3600000L);
+
+            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
             
-            // Convert the received certificate to a DOM Element to write it out "OnBehalfOf"
-            Document doc = DOMUtils.newDocument();
-            X509Data certElem = new X509Data(doc);
-            try {
-                certElem.addCertificate(cert);
-                sts.setOnBehalfOf(certElem.getElement());
-            } catch (XMLSecurityException e) {
-                LOG.debug("Error parsing a client certificate", e);
-                return null;
+            if (kerberosPrincipal == null && token.getToken() != null
+                && "Assertion".equals(token.getToken().getLocalName())) {
+                // For the pass-through Kerberos case, we don't know the Principal name...
+                kerberosPrincipal = 
+                    new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
             }
-        } else {
-            sts.getProperties().put(SecurityConstants.USERNAME, authentication.getName());
-            sts.getProperties().put(SecurityConstants.PASSWORD, (String)authentication.getCredentials());
+            
+            List<GrantedAuthority> authorities = createAuthorities(token);
+            
+            KerberosServiceRequestToken ksrt = 
+                new KerberosServiceRequestToken(kerberosPrincipal, authorities, kerberosRequestToken.getToken());
+            
+            STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(),
+                                                        "",
+                                                        authorities,
+                                                        token);
+            ksrt.setDetails(details);
+            
+            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName());
+            return ksrt;
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'",
ex);
+            return null;
+        }
+    }
+    
+    private Authentication handlePreAuthenticated(
+        PreAuthenticatedAuthenticationToken preauthenticatedToken,
+        IdpSTSClient sts
+    ) {
+        X509Certificate cert = (X509Certificate)preauthenticatedToken.getCredentials();
+        if (cert == null) {
+            return null;
         }
         
-        sts.getProperties().putAll(properties);
-        if (use200502Namespace) {
-            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+        // Convert the received certificate to a DOM Element to write it out "OnBehalfOf"
+        Document doc = DOMUtils.newDocument();
+        X509Data certElem = new X509Data(doc);
+        try {
+            certElem.addCertificate(cert);
+            sts.setOnBehalfOf(certElem.getElement());
+        } catch (XMLSecurityException e) {
+            LOG.debug("Error parsing a client certificate", e);
+            return null;
         }
         
-        if (lifetime != null) {
-            sts.setEnableLifetime(true);
-            sts.setTtl(lifetime.intValue());
+        try {
+            // Line below may be uncommented for debugging    
+            // setTimeout(sts.getClient(), 3600000L);
+
+            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+            
+            List<GrantedAuthority> authorities = createAuthorities(token);
+            
+            STSUserDetails details = new STSUserDetails(preauthenticatedToken.getName(),
+                                                        "",
+                                                        authorities,
+                                                        token);
+            
+            preauthenticatedToken.setDetails(details);
+            
+            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), preauthenticatedToken.getName());
+            return preauthenticatedToken;
+            
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + preauthenticatedToken.getName() +
"'", ex);
+            return null;
         }
+    }
+    
+    private Authentication handleUsernamePassword(
+        UsernamePasswordAuthenticationToken usernamePasswordToken,
+        IdpSTSClient sts
+    ) {
+        sts.getProperties().put(SecurityConstants.USERNAME, usernamePasswordToken.getName());
+        sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials());
+        
         try {
 
-//Line below may be uncommented for debugging    
-//            setTimeout(sts.getClient(), 3600000L);
+            // Line below may be uncommented for debugging    
+            // setTimeout(sts.getClient(), 3600000L);
 
             SecurityToken token = sts.requestSecurityToken(this.appliesTo);
             
-            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
-            //authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
-            //Not needed because AuthenticatedVoter has been added for SecurityFlowExecutionListener
-            if (roleURI != null) {
-                SamlAssertionWrapper assertion = new SamlAssertionWrapper(token.getToken());
-                
-                List<Claim> claims = parseClaimsInAssertion(assertion.getSaml2());
-                for (Claim c : claims) {
-                    if (roleURI.equals(c.getClaimType())) {
-                        Object oValue = c.getValue();
-                        if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty())
{
-                            List<String> values = (List<String>)oValue;
-                            for (String role: values) {
-                                authorities.add(new SimpleGrantedAuthority(role));
+            List<GrantedAuthority> authorities = createAuthorities(token);
+            
+            UsernamePasswordAuthenticationToken upat = 
+                new UsernamePasswordAuthenticationToken(usernamePasswordToken.getName(),

+                                                        usernamePasswordToken.getCredentials(),

+                                                        authorities);
+
+            STSUserDetails details = new STSUserDetails(usernamePasswordToken.getName(),
+                                                        (String)usernamePasswordToken.getCredentials(),
+                                                        authorities,
+                                                        token);
+            upat.setDetails(details);
+
+            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName());
+            return upat;
+                                                                                        
  
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() +
"'", ex);
+            return null;
+        }
+        
+    }
+    
+    private List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException
{
+        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
+        //authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
+        //Not needed because AuthenticatedVoter has been added for SecurityFlowExecutionListener
+        if (roleURI != null) {
+            SamlAssertionWrapper assertion = new SamlAssertionWrapper(token.getToken());
+            
+            List<Claim> claims = parseClaimsInAssertion(assertion.getSaml2());
+            for (Claim c : claims) {
+                if (roleURI.equals(c.getClaimType())) {
+                    Object oValue = c.getValue();
+                    if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty())
{
+                        List<?> values = (List<?>)oValue;
+                        for (Object role: values) {
+                            if (role instanceof String) {
+                                authorities.add(new SimpleGrantedAuthority((String)role));
                             }
-                        } else {
-                            LOG.error("Unsupported value type of Claim value");
-                            throw new IllegalStateException("Unsupported value type of Claim
value");
                         }
-                        claims.remove(c);
-                        break;
+                    } else {
+                        LOG.error("Unsupported value type of Claim value");
+                        throw new IllegalStateException("Unsupported value type of Claim
value");
                     }
+                    claims.remove(c);
+                    break;
                 }
             }
-            
-            //Add IDP_LOGIN role to be able to access resource Idp, TrustedIdp, etc.
-            authorities.add(new SimpleGrantedAuthority("ROLE_IDP_LOGIN"));
-            
-            if (authentication instanceof KerberosServiceRequestToken) {
-                if (kerberosPrincipal == null && token.getToken() != null
-                    && "Assertion".equals(token.getToken().getLocalName())) {
-                    // For the pass-through Kerberos case, we don't know the Principal name...
-                    kerberosPrincipal = 
-                        new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
-                }
-                KerberosServiceRequestToken ksrt = 
-                    new KerberosServiceRequestToken(kerberosPrincipal, authorities, 
-                                                    ((KerberosServiceRequestToken)authentication).getToken());
-                
-                STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(),
-                                                            "",
-                                                            authorities,
-                                                            token);
-                ksrt.setDetails(details);
-                
-                LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName());
-                return ksrt;
-            } else if (authentication instanceof PreAuthenticatedAuthenticationToken) {
-                STSUserDetails details = new STSUserDetails(authentication.getName(),
-                                                            "",
-                                                            authorities,
-                                                            token);
-                
-                ((PreAuthenticatedAuthenticationToken)authentication).setDetails(details);
-                
-                LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), authentication.getName());
-                return authentication;
-            } else {
-                UsernamePasswordAuthenticationToken upat = new UsernamePasswordAuthenticationToken(
-                    authentication.getName(), authentication.getCredentials(), authorities);
-                
-                STSUserDetails details = new STSUserDetails(authentication.getName(),
-                                                            (String)authentication.getCredentials(),
-                                                            authorities,
-                                                            token);
-                upat.setDetails(details);
-                
-                LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), authentication.getName());
-                return upat;
-            }
-            
-        } catch (Exception ex) {
-            LOG.info("Failed to authenticate user '" + authentication.getName() + "'", ex);
-            return null;
         }
         
+        //Add IDP_LOGIN role to be able to access resource Idp, TrustedIdp, etc.
+        authorities.add(new SimpleGrantedAuthority("ROLE_IDP_LOGIN"));
+        
+        return authorities;
     }
-    //CHECKSTYLE:ON
     
     private Principal validateKerberosToken(
         KerberosServiceRequestToken token,
@@ -470,6 +520,7 @@ public class STSAuthenticationProvider implements AuthenticationProvider
{
                 t.setValue(values);
             } else if (oValue instanceof List<?>) {
                 //more than one child element AttributeValue
+                @SuppressWarnings("unchecked")
                 List<String> values = (List<String>)oValue;
                 values.addAll(valueList);
                 t.setValue(values);
@@ -544,22 +595,6 @@ public class STSAuthenticationProvider implements AuthenticationProvider
{
         this.requireDelegation = requireDelegation;
     }
 
-    public String getTechnicalPassword() {
-        return technicalPassword;
-    }
-
-    public void setTechnicalPassword(String technicalPassword) {
-        this.technicalPassword = technicalPassword;
-    }
-
-    public String getTechnicalUser() {
-        return technicalUser;
-    }
-
-    public void setTechnicalUser(String technicalUser) {
-        this.technicalUser = technicalUser;
-    }
-
 //May be uncommented for debugging    
 //    private void setTimeout(Client client, Long timeout) {
 //        HTTPConduit conduit = (HTTPConduit) client.getConduit();

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ecd25ab9/systests/clientcert/src/test/resources/idp/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/idp/security-config.xml b/systests/clientcert/src/test/resources/idp/security-config.xml
index b9b4a0f..9d2472d 100644
--- a/systests/clientcert/src/test/resources/idp/security-config.xml
+++ b/systests/clientcert/src/test/resources/idp/security-config.xml
@@ -21,6 +21,7 @@
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:security="http://www.springframework.org/schema/security"
     xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
@@ -28,6 +29,8 @@
         http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-2.0.xsd
         ">
 
     <context:property-placeholder location="classpath:realm.properties"/>
@@ -83,14 +86,18 @@
     
     <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
 	
+	<util:map id="securityProperties">
+        <entry key="ws-security.username" value="idp-user" />
+        <entry key="ws-security.password" value="idp-pass" />
+    </util:map>
+    
     <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
         <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
         <property name="wsdlEndpoint" value="TransportUT_Port"/>
         <property name="wsdlService" value="SecurityTokenService"/>
         <property name="appliesTo" value="urn:fediz:idp"/>
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-        <property name="technicalUser" value="idp-user"/>
-        <property name="technicalPassword" value="idp-pass"/>
+        <property name="properties" ref="securityProperties"/>
     </bean>
 
 </beans>


Mime
View raw message