Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5E908189D3 for ; Tue, 16 Feb 2016 13:54:59 +0000 (UTC) Received: (qmail 87622 invoked by uid 500); 16 Feb 2016 13:54:59 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 87370 invoked by uid 500); 16 Feb 2016 13:54:59 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 87290 invoked by uid 99); 16 Feb 2016 13:54:59 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 Feb 2016 13:54:59 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 12828E08CD; Tue, 16 Feb 2016 13:54:59 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: coheigea@apache.org To: commits@cxf.apache.org Date: Tue, 16 Feb 2016 13:55:01 -0000 Message-Id: <483c0af5b1c6480090251a5aa7e90194@git.apache.org> In-Reply-To: <13e91fdaf4a84aa39e59a2515ffad374@git.apache.org> References: <13e91fdaf4a84aa39e59a2515ffad374@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [3/3] cxf git commit: Adding a custom WSS4JSecurityContextCreator for an STS system test Adding a custom WSS4JSecurityContextCreator for an STS system test Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/609fcade Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/609fcade Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/609fcade Branch: refs/heads/3.1.x-fixes Commit: 609fcadef1b418c05f3cf9d29dac87f458281156 Parents: 47839c6 Author: Colm O hEigeartaigh Authored: Tue Feb 16 13:48:18 2016 +0000 Committer: Colm O hEigeartaigh Committed: Tue Feb 16 13:54:53 2016 +0000 ---------------------------------------------------------------------- ...tUsernameTokenAuthenticatingInterceptor.java | 15 +++ .../DefaultWSS4JSecurityContextCreator.java | 13 -- .../ws/security/wss4j/WSS4JInInterceptor.java | 11 ++ .../x509/CustomWSS4JSecurityContextCreator.java | 118 +++++++++++++++++++ .../systest/sts/x509/cxf-asymmetric-service.xml | 4 + 5 files changed, 148 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java index 3b3fa01..0d8d415 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java @@ -20,6 +20,8 @@ package org.apache.cxf.ws.security.wss4j; import java.security.Principal; import java.util.HashMap; +import java.util.LinkedList; +import java.util.List; import java.util.Map; import java.util.logging.Logger; @@ -34,6 +36,7 @@ import org.apache.cxf.binding.soap.SoapMessage; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.security.SecurityToken; import org.apache.cxf.common.security.UsernameToken; +import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.interceptor.security.DefaultSecurityContext; import org.apache.cxf.message.Message; @@ -43,6 +46,7 @@ import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.engine.WSSecurityEngine; import org.apache.wss4j.dom.handler.RequestData; +import org.apache.wss4j.dom.handler.WSHandlerConstants; import org.apache.wss4j.dom.handler.WSHandlerResult; import org.apache.wss4j.dom.validate.UsernameTokenValidator; import org.apache.wss4j.dom.validate.Validator; @@ -115,6 +119,17 @@ public abstract class AbstractUsernameTokenAuthenticatingInterceptor extends WSS WSHandlerResult wsResult, boolean utWithCallbacks ) throws SOAPException, XMLStreamException, WSSecurityException { + /* + * All ok up to this point. Now construct and setup the security result + * structure. The service may fetch this and check it. + */ + List results = CastUtils.cast((List)msg.get(WSHandlerConstants.RECV_RESULTS)); + if (results == null) { + results = new LinkedList<>(); + msg.put(WSHandlerConstants.RECV_RESULTS, results); + } + results.add(0, wsResult); + new UsernameTokenSecurityContextCreator().createSecurityContext(msg, wsResult); } http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java index 8069a95..5a832ef 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java @@ -22,7 +22,6 @@ import java.security.Principal; import java.security.PublicKey; import java.security.cert.X509Certificate; import java.util.ArrayList; -import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Set; @@ -31,7 +30,6 @@ import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; import org.apache.cxf.binding.soap.SoapMessage; -import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.interceptor.security.DefaultSecurityContext; import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl; import org.apache.cxf.message.MessageUtils; @@ -44,7 +42,6 @@ import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.engine.WSSecurityEngineResult; -import org.apache.wss4j.dom.handler.WSHandlerConstants; import org.apache.wss4j.dom.handler.WSHandlerResult; import org.apache.wss4j.dom.message.token.KerberosSecurity; @@ -69,16 +66,6 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC * Create a SecurityContext and store it on the SoapMessage parameter */ public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) { - /* - * All ok up to this point. Now construct and setup the security result - * structure. The service may fetch this and check it. - */ - List results = CastUtils.cast((List)msg.get(WSHandlerConstants.RECV_RESULTS)); - if (results == null) { - results = new LinkedList<>(); - msg.put(WSHandlerConstants.RECV_RESULTS, results); - } - results.add(0, handlerResult); String allowUnsigned = (String)SecurityUtils.getSecurityPropertyValue( http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java index d996711..1a0a758 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java @@ -22,6 +22,7 @@ import java.security.Provider; import java.security.cert.Certificate; import java.util.ArrayList; import java.util.HashMap; +import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.logging.Level; @@ -472,6 +473,16 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor { WSHandlerResult wsResult, boolean utWithCallbacks ) throws SOAPException, XMLStreamException, WSSecurityException { + /* + * All ok up to this point. Now construct and setup the security result + * structure. The service may fetch this and check it. + */ + List results = CastUtils.cast((List)msg.get(WSHandlerConstants.RECV_RESULTS)); + if (results == null) { + results = new LinkedList<>(); + msg.put(WSHandlerConstants.RECV_RESULTS, results); + } + results.add(0, wsResult); WSS4JSecurityContextCreator contextCreator = (WSS4JSecurityContextCreator)SecurityUtils.getSecurityPropertyValue( http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509/CustomWSS4JSecurityContextCreator.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509/CustomWSS4JSecurityContextCreator.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509/CustomWSS4JSecurityContextCreator.java new file mode 100644 index 0000000..31ec71b --- /dev/null +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509/CustomWSS4JSecurityContextCreator.java @@ -0,0 +1,118 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.sts.x509; + +import java.security.Principal; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.apache.cxf.binding.soap.SoapMessage; +import org.apache.cxf.rt.security.claims.ClaimCollection; +import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext; +import org.apache.cxf.rt.security.saml.utils.SAMLUtils; +import org.apache.cxf.rt.security.utils.SecurityUtils; +import org.apache.cxf.security.SecurityContext; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.wss4j.DefaultWSS4JSecurityContextCreator; +import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; +import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.dom.engine.WSSecurityEngineResult; +import org.apache.wss4j.dom.handler.WSHandlerResult; + +/** + * A custom WSS4JSecurityContextCreator implementation. It creates a SecurityContext using the principal from an + * asymmetric signature, but populates the roles from a SAML Token. + */ +public class CustomWSS4JSecurityContextCreator extends DefaultWSS4JSecurityContextCreator { + + /** + * Create a SecurityContext and store it on the SoapMessage parameter + */ + public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) { + Map> actionResults = handlerResult.getActionResults(); + + Principal asymmetricPrincipal = null; + + // Get Asymmetric Signature action + List foundResults = actionResults.get(WSConstants.SIGN); + if (foundResults != null && !foundResults.isEmpty()) { + for (WSSecurityEngineResult result : foundResults) { + PublicKey publickey = + (PublicKey)result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY); + X509Certificate cert = + (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); + + if (publickey == null && cert == null) { + continue; + } + SecurityContext context = createSecurityContext(msg, true, result); + if (context != null && context.getUserPrincipal() != null) { + asymmetricPrincipal = context.getUserPrincipal(); + break; + } + } + } + + // We must have an asymmetric principal + if (asymmetricPrincipal == null) { + return; + } + + // Get signed SAML action + SAMLSecurityContext context = null; + foundResults = actionResults.get(WSConstants.ST_SIGNED); + if (foundResults != null && !foundResults.isEmpty()) { + for (WSSecurityEngineResult result : foundResults) { + Object receivedAssertion = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN); + if (receivedAssertion == null) { + receivedAssertion = result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + } + + if (receivedAssertion instanceof SamlAssertionWrapper) { + String roleAttributeName = + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, + msg); + if (roleAttributeName == null || roleAttributeName.length() == 0) { + roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT; + } + + ClaimCollection claims = + SAMLUtils.getClaims((SamlAssertionWrapper)receivedAssertion); + Set roles = + SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null); + + context = new SAMLSecurityContext(asymmetricPrincipal, roles, claims); + context.setIssuer(SAMLUtils.getIssuer(receivedAssertion)); + context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion)); + break; + } + } + } + + if (context != null) { + msg.put(SecurityContext.class, context); + } + + } + +} http://git-wip-us.apache.org/repos/asf/cxf/blob/609fcade/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml index 02d3158..4402a09 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509/cxf-asymmetric-service.xml @@ -35,12 +35,16 @@ + + +