cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [3/3] cxf git commit: Fixed TLS client auth issue
Date Fri, 05 Feb 2016 20:39:15 GMT
Fixed TLS client auth issue


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7ea12c2d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7ea12c2d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7ea12c2d

Branch: refs/heads/master
Commit: 7ea12c2dab4440f2dcd3b070a662957534fd6011
Parents: af11d1b
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Feb 5 16:14:08 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Feb 5 17:54:04 2016 +0000

----------------------------------------------------------------------
 .../sts/rest/RESTSecurityTokenServiceImpl.java  | 16 +++++-
 .../cxf/systest/sts/rest/RESTUnitTest.java      |  2 +-
 .../systest/sts/rest/WSS4JBasicAuthFilter.java  | 54 --------------------
 .../basic/src/test/resources/logging.properties |  4 +-
 .../apache/cxf/systest/sts/rest/cxf-client.xml  |  3 ++
 .../cxf/systest/sts/rest/cxf-rest-sts.xml       |  8 +--
 6 files changed, 22 insertions(+), 65 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
index 6955931..393b806 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
@@ -20,6 +20,7 @@
 package org.apache.cxf.sts.rest;
 
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -34,6 +35,8 @@ import org.w3c.dom.Element;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.phase.PhaseInterceptorChain;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.sts.QNameConstants;
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
@@ -87,7 +90,6 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl
imple
 
     @Override
     public Response getToken(String tokenType, String keyType, List<String> requestedClaims)
{
-
         if (tokenTypeMap != null && tokenTypeMap.containsKey(tokenType)) {
             tokenType = tokenTypeMap.get(tokenType);
         }
@@ -213,6 +215,18 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl
imple
     
     @Override
     protected Principal getPrincipal() {
+        SecurityContext sc = (SecurityContext)messageContext.get(SecurityContext.class);
+        if (sc == null || sc.getUserPrincipal() == null) {
+            // Get the TLS client principal if no security context is set up
+            TLSSessionInfo tlsInfo = 
+                (TLSSessionInfo)PhaseInterceptorChain.getCurrentMessage().get(TLSSessionInfo.class);
+            if (tlsInfo != null && tlsInfo.getPeerCertificates() != null 
+                    && tlsInfo.getPeerCertificates().length > 0
+                    && (tlsInfo.getPeerCertificates()[0] instanceof X509Certificate)
+            ) {
+                return ((X509Certificate)tlsInfo.getPeerCertificates()[0]).getSubjectX500Principal();
+            } 
+        }
         return messageContext.getSecurityContext().getUserPrincipal();
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
index 0668e39..7caf0f2 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
@@ -77,7 +77,7 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase {
         SpringBusFactory.setThreadDefaultBus(bus);
         
         String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
-        WebClient client = WebClient.create(address, "alice", "clarinet", busFile.toString());
+        WebClient client = WebClient.create(address, busFile.toString());
 
         client.type("application/xml").accept("application/xml");
         client.path("saml2.0");

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
deleted file mode 100644
index 08873cf..0000000
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.systest.sts.rest;
-
-import java.io.IOException;
-
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.core.Response;
-
-import org.apache.cxf.configuration.security.AuthorizationPolicy;
-import org.apache.cxf.jaxrs.utils.ExceptionUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.interceptor.WSS4JBasicAuthValidator;
-
-/**
- * Extends the WSS4J validator as a JAX-RS request filter
- */
-public class WSS4JBasicAuthFilter extends WSS4JBasicAuthValidator implements ContainerRequestFilter
{
-
-    public void filter(ContainerRequestContext requestContext) throws IOException {
-        Message message = JAXRSUtils.getCurrentMessage();
-        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
-        
-        if (policy == null || policy.getUserName() == null || policy.getPassword() == null)
{
-            requestContext.abortWith(
-                Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
-        }
-
-        try {
-            super.validate(message);
-        } catch (Exception ex) {
-            throw ExceptionUtils.toInternalServerErrorException(ex, null);
-        }
-    }
-
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/logging.properties
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/logging.properties b/services/sts/systests/basic/src/test/resources/logging.properties
index 016ae26..f70123b 100644
--- a/services/sts/systests/basic/src/test/resources/logging.properties
+++ b/services/sts/systests/basic/src/test/resources/logging.properties
@@ -43,7 +43,7 @@
 # can be overridden by a facility specific level
 # Note that the ConsoleHandler also has a separate level
 # setting to limit messages printed to the console.
-.level= FINE
+.level= INFO
 
 ############################################################
 # Handler specific properties.
@@ -57,7 +57,7 @@ java.util.logging.FileHandler.count = 1
 java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
 
 # Limit the message that are printed on the console to WARNING and above.
-java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.level = INFO
 java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
 
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
index 892e5a5..f45b741 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
@@ -25,6 +25,9 @@
     </cxf:bus>
     <http:conduit name="https://localhost:.*">
         <http:tlsClientParameters disableCNCheck="true">
+            <sec:keyManagers keyPassword="ckpass">
+                <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+            </sec:keyManagers>
             <sec:trustManagers>
                 <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
             </sec:trustManagers>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
index 309f3f2..106bca4 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
@@ -105,11 +105,6 @@
 
     <bean id="jsonProvider" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"
/>
     
-    <bean id="callbackHandler" class="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
-    <bean id="basicAuthFilter" class="org.apache.cxf.systest.sts.rest.WSS4JBasicAuthFilter">
-        <property name="callbackHandler" ref="callbackHandler"/>
-    </bean>
-   
     <jaxrs:server id="stsRESTService"
        depends-on="ClientAuthHttpsSettings" 
        address="https://localhost:${testutil.ports.STSRESTServer}/SecurityTokenService">
@@ -118,7 +113,6 @@
         </jaxrs:serviceBeans>
         <jaxrs:providers>
             <ref bean="jsonProvider" />
-            <ref bean="basicAuthFilter"/>
         </jaxrs:providers>
         <jaxrs:extensionMappings>
             <entry key="json" value="application/json;charset=UTF-8" />
@@ -135,7 +129,7 @@
                 <sec:trustManagers>
                     <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/>
                 </sec:trustManagers>
-                <sec:clientAuthentication want="false" required="false"/>
+                <sec:clientAuthentication want="true" required="true"/>
             </httpj:tlsServerParameters>
         </httpj:engine>
     </httpj:engine-factory>


Mime
View raw message