cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: Downgrading to CXF 3.0.4 for the release
Date Fri, 17 Apr 2015 11:13:25 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 541c991fa -> 9d8f98acd


Downgrading to CXF 3.0.4 for the release


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9d8f98ac
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9d8f98ac
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9d8f98ac

Branch: refs/heads/master
Commit: 9d8f98acd71b2b2d2c2eb257b38419926e4ffd64
Parents: 541c991
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Apr 17 12:13:09 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Apr 17 12:13:09 2015 +0100

----------------------------------------------------------------------
 pom.xml                                         |   2 +-
 .../service/sts/DefaultSubjectProvider.java     | 298 +++++++++++++++++++
 .../fediz/service/sts/X509TokenValidator.java   | 199 +++++++++++++
 .../src/main/webapp/WEB-INF/cxf-transport.xml   |   5 +-
 4 files changed, 502 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d8f98ac/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index f4c9429..3348d25 100644
--- a/pom.xml
+++ b/pom.xml
@@ -39,7 +39,7 @@
         <apacheds.version>2.0.0-M19</apacheds.version>
         <commons.lang.version>3.3.2</commons.lang.version>
         <commons.logging.version>1.1.3</commons.logging.version>
-        <cxf.version>3.0.5-SNAPSHOT</cxf.version>
+        <cxf.version>3.0.4</cxf.version>
         <cxf.build-utils.version>3.0.0</cxf.build-utils.version>
         <easymock.version>3.3</easymock.version>
         <ehcache.version>2.8.5</ehcache.version>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d8f98ac/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/DefaultSubjectProvider.java
b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/DefaultSubjectProvider.java
new file mode 100644
index 0000000..cf0f7d4
--- /dev/null
+++ b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/DefaultSubjectProvider.java
@@ -0,0 +1,298 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.sts;
+
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Pattern;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.STSPropertiesMBean;
+import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.ReceivedKey;
+import org.apache.cxf.sts.request.ReceivedToken;
+import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.SubjectProvider;
+import org.apache.cxf.sts.token.provider.TokenProviderParameters;
+import org.apache.cxf.ws.security.sts.provider.STSException;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.bean.KeyInfoBean;
+import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
+import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.WSSecEncryptedKey;
+
+/**
+ * A default implementation of SubjectProvider to create a SAML Assertion. The Subject name
is the name
+ * of the current principal, the subject name qualifier is a default URL that can be configured,
and the
+ * subject confirmation method is created according to the token type and key type. If the
Subject
+ * Confirmation Method is SymmetricKey or PublicKey, the appropriate KeyInfoBean object is
created and
+ * attached to the Subject.
+ */
+public class DefaultSubjectProvider implements SubjectProvider {
+    
+    private static final Logger LOG = LogUtils.getL7dLogger(DefaultSubjectProvider.class);
+    private String subjectNameQualifier = "http://cxf.apache.org/sts";
+    private String subjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_UNSPECIFIED;
+    
+    /**
+     * Set the SubjectNameQualifier.
+     */
+    public void setSubjectNameQualifier(String subjectNameQualifier) {
+        this.subjectNameQualifier = subjectNameQualifier;
+        LOG.fine("Setting Subject Name Qualifier: " + subjectNameQualifier);
+    }
+    
+    /**
+     * Set the SubjectNameIDFormat.
+     */
+    public void setSubjectNameIDFormat(String subjectNameIDFormat) {
+        this.subjectNameIDFormat = subjectNameIDFormat;
+        LOG.fine("Setting Subject Name format: " + subjectNameIDFormat);
+    }
+
+    /**
+     * Get a SubjectBean object.
+     */
+    public SubjectBean getSubject(
+        TokenProviderParameters providerParameters, Document doc, byte[] secret
+    ) {
+        TokenRequirements tokenRequirements = providerParameters.getTokenRequirements();
+        KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
+        STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
+
+        String tokenType = tokenRequirements.getTokenType();
+        String keyType = keyRequirements.getKeyType();
+        String confirmationMethod = getSubjectConfirmationMethod(tokenType, keyType);
+        
+        Principal principal = null;
+        ReceivedToken receivedToken = null;
+        //TokenValidator in IssueOperation has validated the ReceivedToken
+        //if validation was successful, the principal was set in ReceivedToken 
+        if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
+            receivedToken = providerParameters.getTokenRequirements().getOnBehalfOf();  
 
+            if (receivedToken.getState().equals(STATE.VALID)) {
+                principal = receivedToken.getPrincipal();
+            }
+        } else if (providerParameters.getTokenRequirements().getActAs() != null) {
+            receivedToken = providerParameters.getTokenRequirements().getActAs();
+            if (receivedToken.getState().equals(STATE.VALID)) {
+                principal = receivedToken.getPrincipal();
+            }
+        } else if (providerParameters.getTokenRequirements().getValidateTarget() != null)
{
+            receivedToken = providerParameters.getTokenRequirements().getValidateTarget();
+            if (receivedToken.getState().equals(STATE.VALID)) {
+                principal = receivedToken.getPrincipal();
+            }
+        } else {
+            principal = providerParameters.getPrincipal();
+        }
+        
+        if (principal == null) {
+            LOG.fine("Error in getting principal");
+            throw new STSException("Error in getting principal", STSException.REQUEST_FAILED);
+        }
+        
+        String subjectName = principal.getName();
+        if (SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(subjectNameIDFormat)
+            && principal instanceof X500Principal) {
+            // Just use the "cn" instead of the entire DN
+            try {
+                String principalName = principal.getName();
+                int index = principalName.indexOf('=');
+                principalName = principalName.substring(index + 1, principalName.indexOf(',',
index));
+                subjectName = principalName;
+            } catch (Throwable ex) {
+                subjectName = principal.getName();
+                //Ignore, not X500 compliant thus use the whole string as the value
+            }
+        }
+        
+        SubjectBean subjectBean = 
+            new SubjectBean(subjectName, subjectNameQualifier, confirmationMethod);
+        LOG.fine("Creating new subject with principal name: " + principal.getName());
+        if (subjectNameIDFormat != null && subjectNameIDFormat.length() > 0) {
+            subjectBean.setSubjectNameIDFormat(subjectNameIDFormat);
+        }
+        
+        if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
+            Crypto crypto = stsProperties.getEncryptionCrypto();
+
+            EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
+            String encryptionName = encryptionProperties.getEncryptionName();
+            if (encryptionName == null) {
+                // Fall back on the STS encryption name
+                encryptionName = stsProperties.getEncryptionUsername();
+            }
+            if (encryptionName == null) {
+                LOG.fine("No encryption Name is configured for Symmetric KeyType");
+                throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
+            }
+            
+            CryptoType cryptoType = null;
+
+            // Check for using of service endpoint (AppliesTo) as certificate identifier
+            if (STSConstants.USE_ENDPOINT_AS_CERT_ALIAS.equals(encryptionName)) {
+                if (providerParameters.getAppliesToAddress() == null) {
+                    throw new STSException("AppliesTo is not initilaized for encryption name
"
+                                           + STSConstants.USE_ENDPOINT_AS_CERT_ALIAS);
+                }
+                cryptoType = new CryptoType(CryptoType.TYPE.ENDPOINT);
+                cryptoType.setEndpoint(providerParameters.getAppliesToAddress());
+            } else {
+                cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+                cryptoType.setAlias(encryptionName);
+            }
+
+            try {
+                X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
+                if ((certs == null) || (certs.length == 0)) {
+                    throw new STSException("Encryption certificate is not found for alias:
" + encryptionName);
+                }
+                KeyInfoBean keyInfo = 
+                    createKeyInfo(certs[0], secret, doc, encryptionProperties, crypto);
+                subjectBean.setKeyInfo(keyInfo);
+            } catch (WSSecurityException ex) {
+                LOG.log(Level.WARNING, "", ex);
+                throw new STSException(ex.getMessage(), ex);
+            }
+        } else if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+            ReceivedKey receivedKey = keyRequirements.getReceivedKey();
+            
+            // Validate UseKey trust
+            if (stsProperties.isValidateUseKey() && stsProperties.getSignatureCrypto()
!= null) {
+                if (receivedKey.getX509Cert() != null) {
+                    try {
+                        Collection<Pattern> constraints = Collections.emptyList();
+                        stsProperties.getSignatureCrypto().verifyTrust(
+                            new X509Certificate[]{receivedKey.getX509Cert()}, false, constraints);
+                    } catch (WSSecurityException e) {
+                        LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
+                        throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
+                    }
+                }
+                if (receivedKey.getPublicKey() != null) {
+                    try {
+                        stsProperties.getSignatureCrypto().verifyTrust(receivedKey.getPublicKey());
+                    } catch (WSSecurityException e) {
+                        LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
+                        throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
+                    }
+                }
+            }
+            
+            KeyInfoBean keyInfo = createKeyInfo(receivedKey.getX509Cert(), receivedKey.getPublicKey());
+            subjectBean.setKeyInfo(keyInfo);
+        }
+        
+        return subjectBean;
+    }
+        
+    /**
+     * Get the SubjectConfirmation method given a tokenType and keyType
+     */
+    protected String getSubjectConfirmationMethod(String tokenType, String keyType) {
+        if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+            || WSConstants.SAML2_NS.equals(tokenType)) {
+            if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType) 
+                || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+                return SAML2Constants.CONF_HOLDER_KEY;
+            } else {
+                return SAML2Constants.CONF_BEARER;
+            }
+        } else {
+            if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType) 
+                || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+                return SAML1Constants.CONF_HOLDER_KEY;
+            } else {
+                return SAML1Constants.CONF_BEARER;
+            }
+        }
+    }
+
+    /**
+     * Create a KeyInfoBean that contains an X.509 certificate or Public Key
+     */
+    protected static KeyInfoBean createKeyInfo(X509Certificate certificate, PublicKey publicKey)
{
+        KeyInfoBean keyInfo = new KeyInfoBean();
+
+        if (certificate != null) {
+            keyInfo.setCertificate(certificate);
+            keyInfo.setCertIdentifer(CERT_IDENTIFIER.X509_CERT);
+        } else if (publicKey != null) {
+            keyInfo.setPublicKey(publicKey);
+            keyInfo.setCertIdentifer(CERT_IDENTIFIER.KEY_VALUE);
+        }
+
+        return keyInfo;
+    }
+
+    /**
+     * Create an EncryptedKey KeyInfo.
+     */
+    protected static KeyInfoBean createKeyInfo(
+        X509Certificate certificate, 
+        byte[] secret,
+        Document doc,
+        EncryptionProperties encryptionProperties,
+        Crypto encryptionCrypto
+    ) throws WSSecurityException {
+        KeyInfoBean keyInfo = new KeyInfoBean();
+
+        // Create an EncryptedKey
+        WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+        encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
+        encrKey.setEphemeralKey(secret);
+        encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm());
+        encrKey.setUseThisCert(certificate);
+        encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());
+        encrKey.prepare(doc, encryptionCrypto);
+        Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
+
+        // Append the EncryptedKey to a KeyInfo element
+        Element keyInfoElement = 
+            doc.createElementNS(
+                WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.KEYINFO_LN
+            );
+        keyInfoElement.setAttributeNS(
+            WSConstants.XMLNS_NS, "xmlns:" + WSConstants.SIG_PREFIX, WSConstants.SIG_NS
+        );
+        keyInfoElement.appendChild(encryptedKeyElement);
+
+        keyInfo.setElement(keyInfoElement);
+
+        return keyInfo;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d8f98ac/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java
b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java
new file mode 100644
index 0000000..c2bf638
--- /dev/null
+++ b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java
@@ -0,0 +1,199 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.sts;
+
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Text;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.sts.STSPropertiesMBean;
+import org.apache.cxf.sts.request.ReceivedToken;
+import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.token.realm.CertConstraintsParser;
+import org.apache.cxf.sts.token.validator.TokenValidator;
+import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
+import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
+import org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.SignatureTrustValidator;
+import org.apache.wss4j.dom.validate.Validator;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.keys.content.X509Data;
+
+/**
+ * This class validates an X.509 V.3 certificate (received as a BinarySecurityToken or an
X509Data
+ * DOM Element). The cert must be known (or trusted) by the STS crypto object.
+ */
+public class X509TokenValidator implements TokenValidator {
+    
+    public static final String X509_V3_TYPE = WSConstants.X509TOKEN_NS + "#X509v3";
+    
+    public static final String BASE64_ENCODING = WSConstants.SOAPMESSAGE_NS + "#Base64Binary";
+    
+    private static final Logger LOG = LogUtils.getL7dLogger(X509TokenValidator.class);
+    
+    private Validator validator = new SignatureTrustValidator();
+    
+    private CertConstraintsParser certConstraints = new CertConstraintsParser();
+
+    /**
+     * Set a list of Strings corresponding to regular expression constraints on the subject
DN
+     * of a certificate
+     */
+    public void setSubjectConstraints(List<String> subjectConstraints) {
+        certConstraints.setSubjectConstraints(subjectConstraints);
+    }
+    
+    /**
+     * Set the WSS4J Validator instance to use to validate the token.
+     * @param validator the WSS4J Validator instance to use to validate the token
+     */
+    public void setValidator(Validator validator) {
+        this.validator = validator;
+    }
+    
+    /**
+     * Return true if this TokenValidator implementation is capable of validating the
+     * ReceivedToken argument.
+     */
+    public boolean canHandleToken(ReceivedToken validateTarget) {
+        return canHandleToken(validateTarget, null);
+    }
+    
+    /**
+     * Return true if this TokenValidator implementation is capable of validating the
+     * ReceivedToken argument. The realm is ignored in this token Validator.
+     */
+    public boolean canHandleToken(ReceivedToken validateTarget, String realm) {
+        Object token = validateTarget.getToken();
+        if ((token instanceof BinarySecurityTokenType)
+            && X509_V3_TYPE.equals(((BinarySecurityTokenType)token).getValueType()))
{
+            return true;
+        } else if (token instanceof Element
+            && WSConstants.SIG_NS.equals(((Element)token).getNamespaceURI())
+            && WSConstants.X509_DATA_LN.equals(((Element)token).getLocalName()))
{
+            return true;
+        }
+        return false;
+    }
+    
+    /**
+     * Validate a Token using the given TokenValidatorParameters.
+     */
+    public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters)
{
+        LOG.fine("Validating X.509 Token");
+        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
+        Crypto sigCrypto = stsProperties.getSignatureCrypto();
+        CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
+
+        RequestData requestData = new RequestData();
+        requestData.setSigVerCrypto(sigCrypto);
+        requestData.setWssConfig(WSSConfig.getNewInstance());
+        requestData.setCallbackHandler(callbackHandler);
+        requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+        requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
+
+        TokenValidatorResponse response = new TokenValidatorResponse();
+        ReceivedToken validateTarget = tokenParameters.getToken();
+        validateTarget.setState(STATE.INVALID);
+        response.setToken(validateTarget);
+        
+        BinarySecurity binarySecurity = null;
+        if (validateTarget.isBinarySecurityToken()) {
+            BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType)validateTarget.getToken();
+    
+            // Test the encoding type
+            String encodingType = binarySecurityType.getEncodingType();
+            if (!BASE64_ENCODING.equals(encodingType)) {
+                LOG.fine("Bad encoding type attribute specified: " + encodingType);
+                return response;
+            }
+            
+            //
+            // Turn the received JAXB object into a DOM element
+            //
+            Document doc = DOMUtils.createDocument();
+            binarySecurity = new X509Security(doc);
+            binarySecurity.setEncodingType(encodingType);
+            binarySecurity.setValueType(binarySecurityType.getValueType());
+            String data = binarySecurityType.getValue();
+            ((Text)binarySecurity.getElement().getFirstChild()).setData(data);
+        } else if (validateTarget.isDOMElement()) {
+            try {
+                Document doc = DOMUtils.createDocument();
+                binarySecurity = new X509Security(doc);
+                binarySecurity.setEncodingType(BASE64_ENCODING);
+                X509Data x509Data = new X509Data((Element)validateTarget.getToken(), "");
+                if (x509Data.containsCertificate()) {
+                    X509Certificate cert = x509Data.itemCertificate(0).getX509Certificate();
+                    ((X509Security)binarySecurity).setX509Certificate(cert);
+                }
+            } catch (WSSecurityException ex) {
+                LOG.log(Level.WARNING, "", ex);
+                return response;
+            } catch (XMLSecurityException ex) {
+                LOG.log(Level.WARNING, "", ex);
+                return response;
+            }
+        } else {
+            return response;
+        }
+
+        //
+        // Validate the token
+        //
+        try {
+            Credential credential = new Credential();
+            credential.setBinarySecurityToken(binarySecurity);
+            if (sigCrypto != null) {
+                X509Certificate cert = ((X509Security)binarySecurity).getX509Certificate(sigCrypto);
+                credential.setCertificates(new X509Certificate[]{cert});
+            }
+
+            Credential returnedCredential = validator.validate(credential, requestData);
+            Principal principal = returnedCredential.getPrincipal();
+            if (principal == null) {
+                principal = returnedCredential.getCertificates()[0].getSubjectX500Principal();
+            }
+            response.setPrincipal(principal);
+            validateTarget.setState(STATE.VALID);
+            LOG.fine("X.509 Token successfully validated");
+        } catch (WSSecurityException ex) {
+            LOG.log(Level.WARNING, "", ex);
+        }
+        return response;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d8f98ac/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml b/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml
index d5dd55e..48df6bd 100644
--- a/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml
+++ b/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml
@@ -108,7 +108,7 @@
 
     <util:list id="transportTokenValidators">
         <ref bean="transportSamlTokenValidator" />
-        <bean class="org.apache.cxf.sts.token.validator.X509TokenValidator" />
+        <bean class="org.apache.cxf.fediz.service.sts.X509TokenValidator" />
     </util:list>
 
     <bean id="realmA" class="org.apache.cxf.sts.token.realm.SAMLRealm">
@@ -129,11 +129,14 @@
         <entry key="REALMA" value-ref="realmA" />
         <entry key="REALMB" value-ref="realmB" />
     </util:map>
+    
+    <bean id="subjectProvider" class="org.apache.cxf.fediz.service.sts.DefaultSubjectProvider"/>
 
     <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
         <property name="attributeStatementProviders" ref="attributeStatementProvidersList"
/>
         <property name="realmMap" ref="realms" />
         <property name="conditionsProvider" ref="conditionsProvider" />
+        <property name="subjectProvider" ref="subjectProvider" />
     </bean>
 
     <bean id="conditionsProvider"


Mime
View raw message