cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [3/3] cxf git commit: Adding a custom WSS4JSecurityContextCreator for an STS system test
Date Tue, 16 Feb 2016 13:55:01 GMT
Adding a custom WSS4JSecurityContextCreator for an STS system test


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/609fcade
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/609fcade
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/609fcade

Branch: refs/heads/3.1.x-fixes
Commit: 609fcadef1b418c05f3cf9d29dac87f458281156
Parents: 47839c6
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Feb 16 13:48:18 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Feb 16 13:54:53 2016 +0000

----------------------------------------------------------------------
 ...tUsernameTokenAuthenticatingInterceptor.java |  15 +++
 .../DefaultWSS4JSecurityContextCreator.java     |  13 --
 .../ws/security/wss4j/WSS4JInInterceptor.java   |  11 ++
 .../x509/CustomWSS4JSecurityContextCreator.java | 118 +++++++++++++++++++
 .../systest/sts/x509/cxf-asymmetric-service.xml |   4 +
 5 files changed, 148 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
index 3b3fa01..0d8d415 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
@@ -20,6 +20,8 @@ package org.apache.cxf.ws.security.wss4j;
 
 import java.security.Principal;
 import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Map;
 import java.util.logging.Logger;
 
@@ -34,6 +36,7 @@ import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SecurityToken;
 import org.apache.cxf.common.security.UsernameToken;
+import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.message.Message;
@@ -43,6 +46,7 @@ import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSecurityEngine;
 import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.validate.UsernameTokenValidator;
 import org.apache.wss4j.dom.validate.Validator;
@@ -115,6 +119,17 @@ public abstract class AbstractUsernameTokenAuthenticatingInterceptor
extends WSS
                              WSHandlerResult wsResult, 
                              boolean utWithCallbacks
     ) throws SOAPException, XMLStreamException, WSSecurityException {
+        /*
+         * All ok up to this point. Now construct and setup the security result
+         * structure. The service may fetch this and check it.
+         */
+        List<WSHandlerResult> results = CastUtils.cast((List<?>)msg.get(WSHandlerConstants.RECV_RESULTS));
+        if (results == null) {
+            results = new LinkedList<>();
+            msg.put(WSHandlerConstants.RECV_RESULTS, results);
+        }
+        results.add(0, wsResult);
+        
         new UsernameTokenSecurityContextCreator().createSecurityContext(msg, wsResult);
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
index 8069a95..5a832ef 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
@@ -22,7 +22,6 @@ import java.security.Principal;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -31,7 +30,6 @@ import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.cxf.binding.soap.SoapMessage;
-import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
 import org.apache.cxf.message.MessageUtils;
@@ -44,7 +42,6 @@ import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
-import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 
@@ -69,16 +66,6 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC
      * Create a SecurityContext and store it on the SoapMessage parameter
      */
     public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) {
-        /*
-         * All ok up to this point. Now construct and setup the security result
-         * structure. The service may fetch this and check it.
-         */
-        List<WSHandlerResult> results = CastUtils.cast((List<?>)msg.get(WSHandlerConstants.RECV_RESULTS));
-        if (results == null) {
-            results = new LinkedList<>();
-            msg.put(WSHandlerConstants.RECV_RESULTS, results);
-        }
-        results.add(0, handlerResult);
         
         String allowUnsigned = 
             (String)SecurityUtils.getSecurityPropertyValue(

http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index d996711..1a0a758 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -22,6 +22,7 @@ import java.security.Provider;
 import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
@@ -472,6 +473,16 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         WSHandlerResult wsResult,
         boolean utWithCallbacks
     ) throws SOAPException, XMLStreamException, WSSecurityException {
+        /*
+         * All ok up to this point. Now construct and setup the security result
+         * structure. The service may fetch this and check it.
+         */
+        List<WSHandlerResult> results = CastUtils.cast((List<?>)msg.get(WSHandlerConstants.RECV_RESULTS));
+        if (results == null) {
+            results = new LinkedList<>();
+            msg.put(WSHandlerConstants.RECV_RESULTS, results);
+        }
+        results.add(0, wsResult);
         
         WSS4JSecurityContextCreator contextCreator = 
             (WSS4JSecurityContextCreator)SecurityUtils.getSecurityPropertyValue(

http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509/CustomWSS4JSecurityContextCreator.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509/CustomWSS4JSecurityContextCreator.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509/CustomWSS4JSecurityContextCreator.java
new file mode 100644
index 0000000..31ec71b
--- /dev/null
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509/CustomWSS4JSecurityContextCreator.java
@@ -0,0 +1,118 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.x509;
+
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.wss4j.DefaultWSS4JSecurityContextCreator;
+import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+
+/**
+ * A custom WSS4JSecurityContextCreator implementation. It creates a SecurityContext using
the principal from an
+ * asymmetric signature, but populates the roles from a SAML Token.
+ */
+public class CustomWSS4JSecurityContextCreator extends DefaultWSS4JSecurityContextCreator
{
+    
+    /**
+     * Create a SecurityContext and store it on the SoapMessage parameter
+     */
+    public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) {
+        Map<Integer, List<WSSecurityEngineResult>> actionResults = handlerResult.getActionResults();
+        
+        Principal asymmetricPrincipal = null;
+        
+        // Get Asymmetric Signature action
+        List<WSSecurityEngineResult> foundResults = actionResults.get(WSConstants.SIGN);
+        if (foundResults != null && !foundResults.isEmpty()) {
+            for (WSSecurityEngineResult result : foundResults) {
+                PublicKey publickey = 
+                    (PublicKey)result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+                X509Certificate cert = 
+                    (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+                
+                if (publickey == null && cert == null) {
+                    continue;
+                }
+                SecurityContext context = createSecurityContext(msg, true, result);
+                if (context != null && context.getUserPrincipal() != null) {
+                    asymmetricPrincipal = context.getUserPrincipal();
+                    break;
+                }
+            }
+        }
+        
+        // We must have an asymmetric principal
+        if (asymmetricPrincipal == null) {
+            return;
+        }
+        
+        // Get signed SAML action
+        SAMLSecurityContext context = null;
+        foundResults = actionResults.get(WSConstants.ST_SIGNED);
+        if (foundResults != null && !foundResults.isEmpty()) {
+            for (WSSecurityEngineResult result : foundResults) {
+                Object receivedAssertion = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
+                if (receivedAssertion == null) {
+                    receivedAssertion = result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                }
+
+                if (receivedAssertion instanceof SamlAssertionWrapper) {
+                    String roleAttributeName = 
+                        (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME,

+                                                                       msg);
+                    if (roleAttributeName == null || roleAttributeName.length() == 0) {
+                        roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
+                    }
+
+                    ClaimCollection claims = 
+                        SAMLUtils.getClaims((SamlAssertionWrapper)receivedAssertion);
+                    Set<Principal> roles = 
+                        SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
+
+                    context = new SAMLSecurityContext(asymmetricPrincipal, roles, claims);
+                    context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
+                    context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));
+                    break;
+                }
+            }
+        }
+        
+        if (context != null) {
+            msg.put(SecurityContext.class, context);
+        }
+        
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml
index 02d3158..4402a09 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml
@@ -35,12 +35,16 @@
        </property>
     </bean>
     
+    <bean id="customSecurityContextCreator" 
+          class="org.apache.cxf.systest.sts.x509.CustomWSS4JSecurityContextCreator" />
+    
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitasymmetricsaml2"
implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItAsymmetricSAML2Port"
serviceName="s:DoubleItService" address="http://localhost:${testutil.ports.AsymmetricServer}/doubleit/services/doubleitasymmetricsaml2"
wsdlLocation="org/apache/cxf/systest/sts/x509/DoubleItAsymmetric.wsdl">
         <jaxws:properties>
             <entry key="security.signature.username" value="myservicekey"/>
             <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
             <entry key="security.signature.properties" value="serviceKeystore2.properties"/>
             <entry key="security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.security.context.creator" value-ref="customSecurityContextCreator"/>
         </jaxws:properties>
         <jaxws:inInterceptors>
              <ref bean="authorizationInterceptor"/>


Mime
View raw message