From: coheigea@apache.org
To: commits@cxf.apache.org
Date: Thu, 25 May 2017 13:11:11 -0000
Message-Id: <99dee73192164754b9c2ea779f23defc@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [1/3] cxf git commit: CXF-7382 - Don't cache SecurityTokens per-endpoint when the STSClient is used as an intermediary
archived-at: Thu, 25 May 2017 13:11:14 -0000
Repository: cxf
Updated Branches:
refs/heads/master 74cba28db -> 1523ba650
CXF-7382 - Don't cache SecurityTokens per-endpoint when the STSClient is used as an intermediary
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2a76fe1e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2a76fe1e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2a76fe1e
Branch: refs/heads/master
Commit: 2a76fe1ef1989fbfaf86d70984f049259715d3c4
Parents: 74cba28
Author: Colm O hEigeartaigh
Authored: Thu May 25 11:39:50 2017 +0100
Committer: Colm O hEigeartaigh
Committed: Thu May 25 11:39:50 2017 +0100
----------------------------------------------------------------------
.../security/trust/DefaultSTSTokenCacher.java | 6 -
.../ws/security/trust/STSTokenRetriever.java | 126 ++++++++++---------
.../cxf-intermediary-caching.xml | 1 -
3 files changed, 69 insertions(+), 64 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2a76fe1e/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
index c2699fc..d090e71 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java
@@ -100,16 +100,10 @@ public class DefaultSTSTokenCacher implements STSTokenCacher {
 if (cacheIssuedToken) {
 message.getExchange().getEndpoint().put(SecurityConstants.TOKEN, securityToken);
 message.getExchange().put(SecurityConstants.TOKEN, securityToken);
- message.put(SecurityConstants.TOKEN_ELEMENT, securityToken.getToken());
 message.getExchange().put(SecurityConstants.TOKEN_ID, securityToken.getId());
 message.getExchange().getEndpoint().put(SecurityConstants.TOKEN_ID, securityToken.getId());
- } else {
- message.put(SecurityConstants.TOKEN, securityToken);
- message.put(SecurityConstants.TOKEN_ID, securityToken.getId());
- message.put(SecurityConstants.TOKEN_ELEMENT, securityToken.getToken());
 }
- // ?
 TokenStoreUtils.getTokenStore(message).add(securityToken);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2a76fe1e/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
index 9e9da18..5285eb6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
@@ -32,6 +32,7 @@ import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.ws.addressing.AddressingProperties;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
 import org.apache.wss4j.policy.model.Trust10;
 import org.apache.wss4j.policy.model.Trust13;
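Review bot: `storeToken(Message, SecurityToken)` now touches only the endpoint and the exchange, and only when `cacheIssuedToken` is true; for the opposite case it no longer sets anything on the message, and nothing in the method says that this is deliberate or who is now responsible for the per-message `TOKEN`/`TOKEN_ID`/`TOKEN_ELEMENT` properties. A comment on the `if` would make the split of responsibilities explicit for the next reader: `// Endpoint/exchange-level caching only; the per-message TOKEN* properties are set by the caller (STSTokenRetriever)`. The `TokenStoreUtils.getTokenStore(message).add(securityToken)` call still runs regardless of `cacheIssuedToken`, which is worth stating in the method's Javadoc if intentional. The method's signature and the computation of `cacheIssuedToken` lie before this hunk and are not visible here.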
@@ -51,29 +52,24 @@ public final class STSTokenRetriever {
 }
 public static SecurityToken getToken(Message message, TokenRequestParams params, STSTokenCacher tokenCacher) {
- SecurityToken tok = tokenCacher.retrieveToken(message);
- if (tok == null) {
- tok = issueToken(message, params, tokenCacher);
- } else {
- tok = renewToken(message, tok, params, tokenCacher);
- }
-
- tokenCacher.storeToken(message, tok);
-
- return tok;
- }
-
- private static SecurityToken issueToken(Message message, TokenRequestParams params, STSTokenCacher tokenCacher) {
- AddressingProperties maps = (AddressingProperties)message .get("javax.xml.ws.addressing.context.outbound");
- if (maps == null) {
- maps = (AddressingProperties)message .get("javax.xml.ws.addressing.context");
+ Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_APPLIES_TO, message);
+ String appliesTo = o == null ? null : o.toString();
+ if (appliesTo == null) {
+ String endpointAddress =
+ message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
+ // Strip out any query parameters if they exist
+ int query = endpointAddress.indexOf('?');
+ if (query > 0) {
+ endpointAddress = endpointAddress.substring(0, query);
+ }
+ appliesTo = endpointAddress;
 }
+
 STSClient client = STSUtils.getClientWithIssuer(message, "sts", params.getIssuer());
 synchronized (client) {
 try {
+ client.setMessage(message);
+
 // Transpose ActAs/OnBehalfOf info from original request to the STS client.
 Object token = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_ACT_AS, message);
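Review bot: `getToken` is the public entry point and its contract changed with this commit (the cache lookup is now delegation-aware and the old issueToken path is folded into it), yet it carries no Javadoc. I would add a doc comment stating that a cached token is consulted first, that when an OnBehalfOf/ActAs token is in play the lookup and store are keyed by that delegation token rather than by the endpoint, and that the token finally returned is also placed on the message as TOKEN/TOKEN_ID/TOKEN_ELEMENT. Separately, `message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString()`, moved here from the deleted issueToken, still dereferences the property without a null check, so a message without an endpoint address fails with an NPE before the STS is ever contacted; `Object address = message.getContextualProperty(Message.ENDPOINT_ADDRESS); if (address != null) { ... }` with a clear Fault otherwise would be friendlier. The body of `getToken` continues past the end of this hunk.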
@@ -85,24 +81,9 @@ public final class STSTokenRetriever {
 if (token != null) {
 client.setOnBehalfOf(token);
 }
- Map ctx = client.getRequestContext();
- mapSecurityProps(message, ctx);
- Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_APPLIES_TO, message);
- String appliesTo = o == null ? null : o.toString();
- if (appliesTo == null) {
- String endpointAddress = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
- // Strip out any query parameters if they exist
- int query = endpointAddress.indexOf('?');
- if (query > 0) {
- endpointAddress = endpointAddress.substring(0, query);
- }
- appliesTo = endpointAddress;
- }
 boolean enableAppliesTo = client.isEnableAppliesTo();
- client.setMessage(message);
 Element onBehalfOfToken = client.getOnBehalfOfToken();
 Element actAsToken = client.getActAsToken();
@@ -110,22 +91,40 @@ public final class STSTokenRetriever {
 if (!enableAppliesTo || key == null || "".equals(key)) {
 key = ASSOCIATED_TOKEN;
 }
- // See if the token corresponding to the OnBehalfOf/ActAs Token is stored in the cache
- // and if it points to an issued token
- SecurityToken secToken = tokenCacher.retrieveToken(message, onBehalfOfToken, key);
- if (secToken == null) {
- secToken = tokenCacher.retrieveToken(message, actAsToken, key);
+
+ SecurityToken secToken = null;
+ if (onBehalfOfToken == null && actAsToken == null) {
+ // If we have no delegation token then try to retrieve a cached token from the message
+ secToken = tokenCacher.retrieveToken(message);
+ } else {
+ // Otherwise try to get a cached token corresponding to the delegation token
+ if (onBehalfOfToken != null) {
+ secToken = tokenCacher.retrieveToken(message, onBehalfOfToken, key);
+ }
+ if (secToken == null && actAsToken != null) {
+ secToken = tokenCacher.retrieveToken(message, actAsToken, key);
+ }
 }
+
 if (secToken != null) {
- // Check to see whether the delegated token needs to be renewed
+ // Check to see whether the token needs to be renewed
 secToken = renewToken(message, secToken, params, tokenCacher);
 } else {
- secToken = getTokenFromSTS(client, maps, appliesTo, params);
+ secToken = getTokenFromSTS(message, client, appliesTo, params);
 }
 if (secToken != null) {
 tokenCacher.storeToken(message, onBehalfOfToken, secToken.getId(), key);
 tokenCacher.storeToken(message, actAsToken, secToken.getId(), key);
+ if (onBehalfOfToken == null && actAsToken == null) {
+ tokenCacher.storeToken(message, secToken);
+ } else {
+ TokenStoreUtils.getTokenStore(message).add(secToken);
+ }
+
+ message.put(SecurityConstants.TOKEN, secToken);
+ message.put(SecurityConstants.TOKEN_ID, secToken.getId());
+ message.put(SecurityConstants.TOKEN_ELEMENT, secToken.getToken());
 }
 return secToken;
 } catch (RuntimeException e) {
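Review bot: In the store step the delegation branch writes the issued token straight into the TokenStore with `TokenStoreUtils.getTokenStore(message).add(secToken)` instead of going through `tokenCacher`, so an `STSTokenCacher` implementation other than the default never sees tokens issued with OnBehalfOf/ActAs and cannot apply its own policy to them. If the intent is that a delegated token must never reach the endpoint-level cache, that reasoning belongs next to the branch, e.g. `// Tokens issued for a delegated identity bypass tokenCacher.storeToken(message, token) so they are never cached on the endpoint; they live only in the TokenStore, associated with the delegation token above` — the motivation is my reading of the commit title, please confirm. The `onBehalfOfToken == null && actAsToken == null` test is also evaluated twice (lookup and store); a single `boolean delegated = onBehalfOfToken != null || actAsToken != null;` computed once would keep the two branches from drifting apart. The enclosing try block and the start of getToken lie outside this hunk.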
@@ -166,16 +165,9 @@ public final class STSTokenRetriever {
 // so just get a new one
 STSClient client = STSUtils.getClientWithIssuer(message, "sts", params.getIssuer());
 if (!client.isAllowRenewing()) {
- return issueToken(message, params, tokenCacher);
+ return getToken(message, params, tokenCacher);
 }
- AddressingProperties maps =
- (AddressingProperties)message
- .get("javax.xml.ws.addressing.context.outbound");
- if (maps == null) {
- maps = (AddressingProperties)message
- .get("javax.xml.ws.addressing.context");
- }
 synchronized (client) {
 try {
 Map ctx = client.getRequestContext();
@@ -183,8 +175,9 @@ public final class STSTokenRetriever {
 client.setMessage(message);
- if (maps != null) {
- client.setAddressingNamespace(maps.getNamespaceURI());
+ String addressingNamespace = getAddressingNamespaceURI(message);
+ if (addressingNamespace != null) {
+ client.setAddressingNamespace(addressingNamespace);
 }
 client.setTrust(params.getTrust10());
@@ -199,7 +192,7 @@ public final class STSTokenRetriever {
 SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, message, true);
 if (issueAfterFailedRenew) {
 // Perhaps the STS does not support renewing, so try to issue a new token
- return issueToken(message, params, tokenCacher);
+ return getToken(message, params, tokenCacher);
 } else {
 throw ex;
 }
@@ -210,7 +203,7 @@ public final class STSTokenRetriever {
 SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, message, true);
 if (issueAfterFailedRenew) {
 // Perhaps the STS does not support renewing, so try to issue a new token
- return issueToken(message, params, tokenCacher);
+ return getToken(message, params, tokenCacher);
 } else {
 throw new Fault(ex);
 }
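Review bot: The `return issueToken(...)` fallbacks now call `getToken(...)`, which, unlike the deleted issueToken, begins with a cache lookup (`tokenCacher.retrieveToken(message)` or the delegation-keyed lookups); if the stale token that brought us into renewToken is still held in any location that lookup consults, getToken hands it back to renewToken and the two recurse until the stack overflows. Whatever evicts the token from the cache runs before this hunk's first line and is not visible here, so I would state the dependency at the first fallback: `// Relies on the expired token having been evicted from the cache above; getToken would otherwise return it and recurse`. The two STS_ISSUE_AFTER_FAILED_RENEW branches further down make the same call from inside catch blocks and carry the same dependency, and would be the first to loop if the eviction does not cover every place retrieveToken reads from. renewToken's signature and the start of its body are outside the hunk.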
@@ -222,6 +215,21 @@ public final class STSTokenRetriever {
 }
 }
 }
+
+ private static String getAddressingNamespaceURI(Message message) {
+ AddressingProperties maps =
+ (AddressingProperties)message
+ .get("javax.xml.ws.addressing.context.outbound");
+ if (maps == null) {
+ maps = (AddressingProperties)message
+ .get("javax.xml.ws.addressing.context");
+ }
+ if (maps != null) {
+ return maps.getNamespaceURI();
+ }
+
+ return null;
+ }
 private static void mapSecurityProps(Message message, Map ctx) {
 for (String s : SecurityConstants.ALL_PROPERTIES) {
@@ -235,8 +243,8 @@ public final class STSTokenRetriever {
 }
 }
- private static SecurityToken getTokenFromSTS(STSClient client,
- AddressingProperties maps, String appliesTo,
+ private static SecurityToken getTokenFromSTS(Message message,
+ STSClient client, String appliesTo,
 TokenRequestParams params) throws Exception {
 client.setTrust(params.getTrust10());
 client.setTrust(params.getTrust13());
@@ -244,12 +252,16 @@ public final class STSTokenRetriever {
 if (params.getWspNamespace() != null) {
 client.setWspNamespace(params.getWspNamespace());
 }
- if (maps != null && maps.getNamespaceURI() != null) {
- client.setAddressingNamespace(maps.getNamespaceURI());
+ String addressingNamespace = getAddressingNamespaceURI(message);
+ if (addressingNamespace != null) {
+ client.setAddressingNamespace(addressingNamespace);
 }
 if (params.getClaims() != null) {
 client.setClaims(params.getClaims());
 }
+ Map ctx = client.getRequestContext();
+ mapSecurityProps(message, ctx);
+
 return client.requestSecurityToken(appliesTo);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2a76fe1e/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml
----------------------------------------------------------------------
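Review bot: `mapSecurityProps(message, ctx)` now runs only inside getTokenFromSTS, i.e. after `client.isEnableAppliesTo()`, `client.getOnBehalfOfToken()` and `client.getActAsToken()` have already been evaluated in getToken, whereas before this commit the security properties were copied into the request context ahead of those calls. If any of those accessors reads from the client's request context (for example to resolve a delegation callback handler or the AppliesTo setting), it now sees the un-mapped context on the issue path, while the renew path, which still obtains `client.getRequestContext()` first, is unchanged — I cannot tell from the hunk whether that is the case, so please confirm. Either move the mapping back ahead of the delegation lookups or record the ordering as an invariant: `// Security properties are mapped into the request context only here, after the delegation tokens have been resolved; nothing earlier in getToken may depend on them`. getTokenFromSTS's body spans the last two hunks here and its start is in the preceding one.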
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml
index dc6ebf4..3748f56 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml
@@ -62,7 +62,6 @@
-