Author: sergeyb
Date: Wed Apr 6 16:09:34 2011
New Revision: 1089512
URL: http://svn.apache.org/viewvc?rev=1089512&view=rev
Log:
[CXF-3444] Attempting to set the 'best' SecurityContext principal
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1089512&r1=1089511&r2=1089512&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Wed Apr 6 16:09:34 2011
@@ -61,6 +61,7 @@ import org.apache.cxf.ws.security.Securi
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
@@ -399,7 +400,7 @@ public class WSS4JInInterceptor extends
for (WSSecurityEngineResult o : wsResult) {
final Principal p =
(Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
- if (p != null) {
+ if (p != null && isSecurityContextPrincipal(p, wsResult)) {
msg.put(PRINCIPAL_RESULT, p);
if (!utWithCallbacks) {
WSS4JTokenConverter.convertToken(msg, p);
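Review bot: The new guard is evaluated per result, but `msg.put(PRINCIPAL_RESULT, p)` still runs for every result that passes it, so PRINCIPAL_RESULT holds whichever qualifying principal comes last in wsResult — when both a UsernameToken and a Signature principal are present, the 'best' principal is decided by WSS4J's result ordering rather than by a stated preference (assuming no break follows the put; the loop body and the enclosing method continue outside the hunk). Since this value is what downstream authorization sees, the rule should be explicit: either add `// the last qualifying principal in wsResult wins` above the loop, or break after the first qualifying principal if first-wins is the intent.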
@@ -413,6 +414,24 @@ public class WSS4JInInterceptor extends
}
}
+ /**
+ * Checks if a given WSS4J Principal can be represented as a user principal
+ * inside SecurityContext. Example, UsernameToken or PublicKey principals
can
+ * be used to facilitate checking the user roles, etc.
+ */
+ protected boolean isSecurityContextPrincipal(Principal p,
List<WSSecurityEngineResult> wsResult) {
+ boolean derivedKeyPrincipal = p instanceof WSDerivedKeyTokenPrincipal;
+ if (derivedKeyPrincipal) {
+ // If it is a derived key principal then let it be a
SecurityContext
+ // principal only if no other principals are available.
+ // The derived key principal will still be visible to
+ // custom interceptors as part of the
WSHandlerConstants.RECV_RESULTS value
+ return wsResult.size() > 1 ? false : true;
+ } else {
+ return true;
+ }
+ }
+
protected void advanceBody(
SoapMessage msg, Node body
) throws SOAPException, XMLStreamException, WSSecurityException {
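Review bot: `wsResult.size() > 1` counts every engine result, not other principals, so a derived-key principal is dropped whenever any other result is present, including results that carry no principal at all (a Timestamp result would be such a case, if I read WSS4J correctly) — yet the comment says the principal is kept "only if no other principals are available", which is a different test, and in that situation no SecurityContext principal is set. Iterating wsResult for another non-null principal that is not itself a WSDerivedKeyTokenPrincipal matches the comment's intent and is deterministic regardless of what other actions ran. Separately, `return wsResult.size() > 1 ? false : true;` is just `return wsResult.size() <= 1;`, and since this is a protected extension point its Javadoc should carry `@param p`, `@param wsResult` and `@return` lines. The rewrite below keeps the signature and the javadoc summary.

```java
protected boolean isSecurityContextPrincipal(Principal p, List<WSSecurityEngineResult> wsResult) {
    if (!(p instanceof WSDerivedKeyTokenPrincipal)) {
        return true;
    }
    // A derived key principal becomes the SecurityContext principal only if
    // no other (non derived-key) principal is available; it stays visible to
    // custom interceptors via WSHandlerConstants.RECV_RESULTS either way.
    for (WSSecurityEngineResult r : wsResult) {
        Principal other = (Principal)r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        if (other != null && !(other instanceof WSDerivedKeyTokenPrincipal)) {
            return false;
        }
    }
    return true;
}
```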
Modified:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java?rev=1089512&r1=1089511&r2=1089512&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
(original)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
Wed Apr 6 16:09:34 2011
@@ -20,6 +20,7 @@ package org.apache.cxf.ws.security.wss4j
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
+import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
@@ -27,6 +28,7 @@ import java.util.List;
import java.util.Map;
import java.util.SortedSet;
import java.util.TreeSet;
+
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -57,9 +59,11 @@ import org.apache.cxf.staxutils.StaxUtil
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.util.WSSecurityUtil;
+
import org.junit.Test;
@@ -105,7 +109,7 @@ public class WSS4JInOutTest extends Abst
xpaths.add("//wsse:Security/ds:Signature");
List<WSHandlerResult> handlerResults =
- makeInvocation(outProperties, xpaths, inProperties);
+ getResults(makeInvocation(outProperties, xpaths, inProperties));
WSSecurityEngineResult actionResult =
WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(),
WSConstants.SIGN);
@@ -133,7 +137,7 @@ public class WSS4JInOutTest extends Abst
xpaths.add("//wsse:Security/ds:Signature");
List<WSHandlerResult> handlerResults =
- makeInvocation(outProperties, xpaths, inProperties);
+ getResults(makeInvocation(outProperties, xpaths, inProperties));
WSSecurityEngineResult actionResult =
WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(),
WSConstants.SIGN);
@@ -163,7 +167,7 @@ public class WSS4JInOutTest extends Abst
xpaths.add("//s:Body/xenc:EncryptedData");
List<WSHandlerResult> handlerResults =
- makeInvocation(outProperties, xpaths, inProperties);
+ getResults(makeInvocation(outProperties, xpaths, inProperties));
assertNotNull(handlerResults);
assertSame(handlerResults.size(), 1);
@@ -223,8 +227,8 @@ public class WSS4JInOutTest extends Abst
List<String> xpaths = new ArrayList<String>();
xpaths.add("//wsse:Security");
- List<WSHandlerResult> handlerResults =
- makeInvocation(outProperties, xpaths, inProperties);
+ SoapMessage inmsg = makeInvocation(outProperties, xpaths,
inProperties);
+ List<WSHandlerResult> handlerResults = getResults(inmsg);
assertNotNull(handlerResults);
assertSame(handlerResults.size(), 1);
@@ -236,6 +240,15 @@ public class WSS4JInOutTest extends Abst
(java.util.List<WSSecurityEngineResult>)
handlerResults.get(0).getResults();
assertNotNull(protectionResults);
assertSame(protectionResults.size(), 2);
+
+ final Principal p1 =
(Principal)protectionResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ final Principal p2 =
(Principal)protectionResults.get(1).get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ assertTrue(p1 instanceof WSUsernameTokenPrincipal || p2 instanceof
WSUsernameTokenPrincipal);
+
+ Principal utPrincipal = p1 instanceof WSUsernameTokenPrincipal ? p1 :
p2;
+
+ Principal secContextPrincipal =
(Principal)inmsg.get(WSS4JInInterceptor.PRINCIPAL_RESULT);
+ assertSame(secContextPrincipal, utPrincipal);
}
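Review bot: The new assertions only cover the case the change does not alter — a UsernameToken principal being chosen when no derived-key principal is involved — while the derived-key exclusion that isSecurityContextPrincipal introduces has no test in the hunks shown. A test that produces a derived-key principal alongside a UsernameToken or Signature principal and asserts that `inmsg.get(WSS4JInInterceptor.PRINCIPAL_RESULT)` is not the WSDerivedKeyTokenPrincipal would pin the behaviour the commit is for. The enclosing test method starts outside the hunk.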
@Test
@@ -438,7 +451,7 @@ public class WSS4JInOutTest extends Abst
xpaths.add("//wsse:Security/ds:Signature");
List<WSHandlerResult> handlerResults =
- makeInvocation(outProperties, xpaths, inProperties);
+ getResults(makeInvocation(outProperties, xpaths, inProperties));
WSSecurityEngineResult actionResult =
WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(),
WSConstants.SIGN);
@@ -476,7 +489,13 @@ public class WSS4JInOutTest extends Abst
return ret;
}
- private List<WSHandlerResult> makeInvocation(
+ private List<WSHandlerResult> getResults(SoapMessage inmsg) {
+ final List<WSHandlerResult> handlerResults =
+
CastUtils.cast((List<?>)inmsg.get(WSHandlerConstants.RECV_RESULTS));
+ return handlerResults;
+ }
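Review bot: The local in getResults adds nothing; the helper can be a single expression, `return CastUtils.cast((List<?>)inmsg.get(WSHandlerConstants.RECV_RESULTS));`, which also makes the later hunk that replaces the same two lines with `return inmsg;` easier to read side by side. A one-line comment on the helper, `// RECV_RESULTS is populated by WSS4JInInterceptor.handleMessage`, would tell readers where the value comes from now that makeInvocation returns the message itself.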
+
+ private SoapMessage makeInvocation(
Map<String, String> outProperties,
List<String> xpaths,
Map<String, String> inProperties
@@ -535,9 +554,7 @@ public class WSS4JInOutTest extends Abst
inHandler.handleMessage(inmsg);
- final List<WSHandlerResult> handlerResults =
-
CastUtils.cast((List<?>)inmsg.get(WSHandlerConstants.RECV_RESULTS));
- return handlerResults;
+ return inmsg;
}
// FOR DEBUGGING ONLY