From cohei...@apache.org
Subject [2/5] cxf git commit: Fix subjectNameIDFormat to not always assume unspecified and sets it based on the principal's token
Date Wed, 07 Oct 2015 10:47:05 GMT
Fix subjectNameIDFormat to not always assume unspecified and set it based on the principal's
token

Conflicts:
	services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a76ef70f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a76ef70f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a76ef70f

Branch: refs/heads/3.0.x-fixes
Commit: a76ef70fbb59020b987181f52e28a0a909210bc9
Parents: 3d58196
Author: Armand Roelens <armand.roelens@connexta.com>
Authored: Tue Oct 6 12:34:36 2015 -0700
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Oct 7 11:39:36 2015 +0100

----------------------------------------------------------------------
 .../token/provider/DefaultSubjectProvider.java  | 111 +++++++++++++++----
 1 file changed, 89 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a76ef70f/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index f6f1846..f41edaa 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -27,8 +27,10 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
 
+import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.x500.X500Principal;
 
+import org.apache.wss4j.common.principal.UsernameTokenPrincipal;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.apache.cxf.common.logging.LogUtils;
@@ -60,11 +62,11 @@ import org.apache.wss4j.dom.message.WSSecEncryptedKey;
  * attached to the Subject.
  */
 public class DefaultSubjectProvider implements SubjectProvider {
-    
+
     private static final Logger LOG = LogUtils.getL7dLogger(DefaultSubjectProvider.class);
     private String subjectNameQualifier = "http://cxf.apache.org/sts";
-    private String subjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_UNSPECIFIED;
-    
+    private String subjectNameIDFormat;
+
     /**
      * Set the SubjectNameQualifier.
      */
@@ -72,7 +74,7 @@ public class DefaultSubjectProvider implements SubjectProvider {
         this.subjectNameQualifier = subjectNameQualifier;
         LOG.fine("Setting Subject Name Qualifier: " + subjectNameQualifier);
     }
-    
+
     /**
      * Set the SubjectNameIDFormat.
      */
@@ -84,26 +86,36 @@ public class DefaultSubjectProvider implements SubjectProvider {
     /**
      * Get a SubjectBean object.
      */
+<<<<<<< HEAD
     public SubjectBean getSubject(
         TokenProviderParameters providerParameters, Document doc, byte[] secret
     ) {
+=======
+    public SubjectBean getSubject(SubjectProviderParameters subjectProviderParameters) {
+
+>>>>>>> 1c0dad1... Fix subjectNameIDFormat to not always assume unspecified
and sets it based on the principal's token
         // 1. Get the principal
         Principal principal = getPrincipal(providerParameters);
         if (principal == null) {
             LOG.fine("Error in getting principal");
             throw new STSException("Error in getting principal", STSException.REQUEST_FAILED);
         }
-        
+
         // 2. Create the SubjectBean using the principal
+<<<<<<< HEAD
         SubjectBean subjectBean = createSubjectBean(principal, providerParameters);
         
+=======
+        SubjectBean subjectBean = createSubjectBean(principal, subjectProviderParameters);
+
+>>>>>>> 1c0dad1... Fix subjectNameIDFormat to not always assume unspecified
and sets it based on the principal's token
         // 3. Create the KeyInfoBean and set it on the SubjectBean
         KeyInfoBean keyInfo = createKeyInfo(providerParameters, doc, secret);
         subjectBean.setKeyInfo(keyInfo);
-        
+
         return subjectBean;
     }
-    
+
     /**
      * Get the Principal (which is used as the Subject). By default, we check the following
(in order):
      *  - A valid OnBehalfOf principal
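Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 1c0dad1...`) around the getSubject signature and again around the createSubjectBean call, so the file cannot compile as landed on 3.0.x-fixes. The two sides disagree on the signature — `getSubject(TokenProviderParameters providerParameters, Document doc, byte[] secret)` versus `getSubject(SubjectProviderParameters subjectProviderParameters)` — while the body that follows uses providerParameters, doc and secret, which only exist on the HEAD side, so the HEAD form looks like the one to keep here and the other side plus the markers should go. The same markers appear in the getPrincipal hunk, the hunk that adds getSubjectConfirmationMethod above createKeyInfo, and the createKeyInfo hunk, where the non-HEAD side reads `subjectProviderParameters.getDoc()`, a variable the HEAD-side createKeyInfo signature does not have. The Javadoc for getPrincipal that closes this hunk continues in the next one.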
@@ -112,12 +124,18 @@ public class DefaultSubjectProvider implements SubjectProvider {
      *  - The principal associated with the request. We don't need to check to see if it
is "valid" here, as it
      *    is not parsed by the STS (but rather the WS-Security layer).
      */
+<<<<<<< HEAD
     protected Principal getPrincipal(TokenProviderParameters providerParameters) {
+=======
+    protected Principal getPrincipal(SubjectProviderParameters subjectProviderParameters)
{
+        TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
+
+>>>>>>> 1c0dad1... Fix subjectNameIDFormat to not always assume unspecified
and sets it based on the principal's token
         Principal principal = null;
         //TokenValidator in IssueOperation has validated the ReceivedToken
         //if validation was successful, the principal was set in ReceivedToken 
         if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
-            ReceivedToken receivedToken = providerParameters.getTokenRequirements().getOnBehalfOf();
   
+            ReceivedToken receivedToken = providerParameters.getTokenRequirements().getOnBehalfOf();
             if (receivedToken.getState().equals(STATE.VALID)) {
                 principal = receivedToken.getPrincipal();
             }
@@ -134,10 +152,10 @@ public class DefaultSubjectProvider implements SubjectProvider {
         } else {
             principal = providerParameters.getPrincipal();
         }
-        
+
         return principal;
     }
-    
+
     /**
      * Create the SubjectBean using the specified principal.
      */
@@ -148,7 +166,7 @@ public class DefaultSubjectProvider implements SubjectProvider {
         String tokenType = tokenRequirements.getTokenType();
         String keyType = keyRequirements.getKeyType();
         String confirmationMethod = getSubjectConfirmationMethod(tokenType, keyType);
-        
+
         String subjectName = principal.getName();
         if (SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(subjectNameIDFormat)
             && principal instanceof X500Principal) {
@@ -163,18 +181,61 @@ public class DefaultSubjectProvider implements SubjectProvider {
                 //Ignore, not X500 compliant thus use the whole string as the value
             }
         }
-        
-        SubjectBean subjectBean = 
+        else {
+            if (!SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(subjectNameIDFormat)) {
+                /* Set subjectNameIDFormat correctly based on type of principal
+                unless already set to some value other than unspecified */
+                if (principal instanceof UsernameTokenPrincipal) {
+                    subjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_PERSISTENT;
+                }
+                else if (principal instanceof X500Principal) {
+                    subjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_X509_SUBJECT_NAME;
+                }
+                else if (principal instanceof KerberosPrincipal) {
+                    subjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_KERBEROS;
+                }
+                else {
+                    subjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_UNSPECIFIED;
+                }
+            }
+        }
+
+        SubjectBean subjectBean =
             new SubjectBean(subjectName, subjectNameQualifier, confirmationMethod);
         LOG.fine("Creating new subject with principal name: " + principal.getName());
         if (subjectNameIDFormat != null && subjectNameIDFormat.length() > 0) {
             subjectBean.setSubjectNameIDFormat(subjectNameIDFormat);
         }
-        
+
         return subjectBean;
     }
-        
+
+    /**
+<<<<<<< HEAD
+=======
+     * Get the SubjectConfirmation method given a tokenType and keyType
+     */
+    protected String getSubjectConfirmationMethod(String tokenType, String keyType) {
+        if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+            || WSConstants.SAML_NS.equals(tokenType)) {
+            if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)
+                || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+                return SAML1Constants.CONF_HOLDER_KEY;
+            } else {
+                return SAML1Constants.CONF_BEARER;
+            }
+        } else {
+            if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)
+                || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+                return SAML2Constants.CONF_HOLDER_KEY;
+            } else {
+                return SAML2Constants.CONF_BEARER;
+            }
+        }
+    }
+
     /**
+>>>>>>> 1c0dad1... Fix subjectNameIDFormat to not always assume unspecified
and sets it based on the principal's token
      * Create and return the KeyInfoBean to be inserted into the SubjectBean
      */
     protected KeyInfoBean createKeyInfo(
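Review bot: createSubjectBean now writes the principal-derived NameID format back into the instance field `subjectNameIDFormat` in the new else branch, so the format chosen for one request is visible to every later request, and if this provider is shared across requests (as STS token providers presumably are) two concurrent requests can race and an assertion can be issued carrying another request's NameID format for its subject. The guard `if (!SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(subjectNameIDFormat))` also does the opposite of the comment above it: it is true for any explicitly configured value, which is then overwritten with the principal-derived one, whereas only the new `null` default should trigger derivation. Deriving into a local and passing that local to `setSubjectNameIDFormat` fixes both; the start of createSubjectBean and the X500 CN-extraction branch lie in the preceding hunk and the lines between the hunks, so the rewrite below reaches outside this hunk.
```java
        String subjectName = principal.getName();
        // Resolve the format per request into a local: the field is only the configured
        // default, and mutating it would leak one request's principal type into the next.
        String nameIDFormat = subjectNameIDFormat;
        if (nameIDFormat == null) {
            if (principal instanceof UsernameTokenPrincipal) {
                nameIDFormat = SAML2Constants.NAMEID_FORMAT_PERSISTENT;
            } else if (principal instanceof X500Principal) {
                nameIDFormat = SAML2Constants.NAMEID_FORMAT_X509_SUBJECT_NAME;
            } else if (principal instanceof KerberosPrincipal) {
                nameIDFormat = SAML2Constants.NAMEID_FORMAT_KERBEROS;
            } else {
                nameIDFormat = SAML2Constants.NAMEID_FORMAT_UNSPECIFIED;
            }
        }
        if (SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(nameIDFormat)
            && principal instanceof X500Principal) {
            // … unchanged: CN extraction from the X500 DN into subjectName …
        }

        SubjectBean subjectBean =
            new SubjectBean(subjectName, subjectNameQualifier, confirmationMethod);
        LOG.fine("Creating new subject with principal name: " + principal.getName());
        if (nameIDFormat != null && nameIDFormat.length() > 0) {
            subjectBean.setSubjectNameIDFormat(nameIDFormat);
        }
```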
@@ -184,7 +245,7 @@ public class DefaultSubjectProvider implements SubjectProvider {
         STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
 
         String keyType = keyRequirements.getKeyType();
-        
+
         if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
             Crypto crypto = stsProperties.getEncryptionCrypto();
 
@@ -198,7 +259,7 @@ public class DefaultSubjectProvider implements SubjectProvider {
                 LOG.fine("No encryption Name is configured for Symmetric KeyType");
                 throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
             }
-            
+
             CryptoType cryptoType = null;
 
             // Check for using of service endpoint (AppliesTo) as certificate identifier
@@ -219,7 +280,13 @@ public class DefaultSubjectProvider implements SubjectProvider {
                 if ((certs == null) || (certs.length == 0)) {
                     throw new STSException("Encryption certificate is not found for alias:
" + encryptionName);
                 }
+<<<<<<< HEAD
                 KeyInfoBean keyInfo = 
+=======
+                Document doc = subjectProviderParameters.getDoc();
+                byte[] secret = subjectProviderParameters.getSecret();
+                KeyInfoBean keyInfo =
+>>>>>>> 1c0dad1... Fix subjectNameIDFormat to not always assume unspecified
and sets it based on the principal's token
                     createEncryptedKeyKeyInfo(certs[0], secret, doc, encryptionProperties,
crypto);
                 return keyInfo;
             } catch (WSSecurityException ex) {
@@ -228,7 +295,7 @@ public class DefaultSubjectProvider implements SubjectProvider {
             }
         } else if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
             ReceivedKey receivedKey = keyRequirements.getReceivedKey();
-            
+
             // Validate UseKey trust
             if (stsProperties.isValidateUseKey() && stsProperties.getSignatureCrypto()
!= null) {
                 if (receivedKey.getX509Cert() != null) {
@@ -250,10 +317,10 @@ public class DefaultSubjectProvider implements SubjectProvider {
                     }
                 }
             }
-            
+
             return createPublicKeyKeyInfo(receivedKey.getX509Cert(), receivedKey.getPublicKey());
         }
-        
+
         return null;
     }
         
@@ -300,7 +367,7 @@ public class DefaultSubjectProvider implements SubjectProvider {
      * Create an EncryptedKey KeyInfo.
      */
     protected static KeyInfoBean createEncryptedKeyKeyInfo(
-        X509Certificate certificate, 
+        X509Certificate certificate,
         byte[] secret,
         Document doc,
         EncryptionProperties encryptionProperties,
@@ -319,7 +386,7 @@ public class DefaultSubjectProvider implements SubjectProvider {
         Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
         // Append the EncryptedKey to a KeyInfo element
-        Element keyInfoElement = 
+        Element keyInfoElement =
             doc.createElementNS(
                 WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.KEYINFO_LN
             );

