Author: sergeyb
Date: Wed Apr 20 13:49:05 2011
New Revision: 1095410
URL: http://svn.apache.org/viewvc?rev=1095410&view=rev
Log:
[CXF-3462] Prototyping the interceptor for validating BasicAuth (and similar
credentials) with STS
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
(with props)
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
(with props)
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java?rev=1095410&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
(added)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
Wed Apr 20 13:49:05 2011
@@ -0,0 +1,108 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.trust;
+
+import java.util.ResourceBundle;
+import java.util.logging.Logger;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.i18n.BundleUtils;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.ws.security.validate.Credential;
+
+public class AuthPolicyValidatingInterceptor extends
AbstractPhaseInterceptor<Message> {
+
+ private static final ResourceBundle BUNDLE =
BundleUtils.getBundle(AuthPolicyValidatingInterceptor.class);
+ private static final Logger LOG =
LogUtils.getL7dLogger(AuthPolicyValidatingInterceptor.class);
+
+ private STSTokenValidator validator;
+
+ public AuthPolicyValidatingInterceptor() {
+ this(Phase.UNMARSHAL);
+ }
+
+ public AuthPolicyValidatingInterceptor(String phase) {
+ super(phase);
+ }
+
+ public void handleMessage(Message message) throws Fault {
+
+ String name = null;
+ String password = null;
+
+ AuthorizationPolicy policy =
(AuthorizationPolicy)message.get(AuthorizationPolicy.class);
+ if (policy == null || policy.getUserName() == null ||
policy.getPassword() == null) {
+ org.apache.cxf.common.i18n.Message errorMsg =
+ new org.apache.cxf.common.i18n.Message("NO_USER_PASSWORD",
+ BUNDLE,
+ name, password);
+ LOG.warning(errorMsg.toString());
+ throw new SecurityException(errorMsg.toString());
+ }
+
+ try {
+ UsernameToken token = convertPolicyToToken(policy);
+ Credential credential = new Credential();
+ credential.setUsernametoken(token);
+ validator.validateWithSTS(credential, message);
+ } catch (Exception ex) {
+ throw new Fault(ex);
+ }
+ }
+
+ protected UsernameToken convertPolicyToToken(AuthorizationPolicy policy)
+ throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document doc = builder.newDocument();
+ Element utElement =
+ doc.createElementNS(WSConstants.WSSE_NS, "wsse:" +
WSConstants.USERNAME_TOKEN_LN);
+
+ Element nameElement =
+ doc.createElementNS(WSConstants.WSSE_NS, "wsse:" +
WSConstants.USERNAME_LN);
+ nameElement.setTextContent(policy.getUserName());
+ Element passwordElement =
+ doc.createElementNS(WSConstants.WSSE_NS, "wsse:" +
WSConstants.PASSWORD_LN);
+ passwordElement.setTextContent(policy.getPassword());
+ passwordElement.setAttribute(WSConstants.PASSWORD_TYPE_ATTR,
+ WSConstants.USERNAMETOKEN_NS + "#" +
WSConstants.PASSWORD_TEXT);
+
+ utElement.appendChild(nameElement);
+ utElement.appendChild(passwordElement);
+ return new UsernameToken(utElement);
+ }
+
+ public void setValidator(STSTokenValidator validator) {
+ this.validator = validator;
+ }
+
+}
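Review bot: In handleMessage the `name` and `password` locals are still null when they are handed to the `NO_USER_PASSWORD` message, so the warning written at `LOG.warning(errorMsg.toString())` can never say which user was rejected; either drop the two locals or pass `policy == null ? null : policy.getUserName()` as the only argument, keeping the password out of the log. `validator` is only assigned through `setValidator`, so an interceptor deployed without one fails at `validator.validateWithSTS(credential, message)` with a NullPointerException buried inside a generic Fault; a guard such as `if (validator == null) { throw new Fault(new IllegalStateException("STSTokenValidator is not configured")); }` before the try block makes the misconfiguration visible. The `catch (Exception ex)` arm also turns a validation failure and a programming error into the same Fault, so a comment stating that callers are expected to map it to an authentication failure, or a narrower catch of WSSecurityException first, would make the intended contract clearer. convertPolicyToToken creates a fresh DocumentBuilderFactory for every message although it only needs an empty Document; holding the factory in a static final field avoids that per-call cost.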
Propchange:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java?rev=1095410&r1=1095409&r2=1095410&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
Wed Apr 20 13:49:05 2011
@@ -23,6 +23,7 @@ package org.apache.cxf.ws.security.trust
import java.util.List;
import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.message.Message;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
@@ -49,21 +50,20 @@ public class STSTokenValidator implement
}
public Credential validate(Credential credential, RequestData data) throws
WSSecurityException {
- SoapMessage m = (SoapMessage)data.getMsgContext();
+
+ if (isValidatedLocally(credential, data)) {
+ return credential;
+ }
+
+ return validateWithSTS(credential, (SoapMessage)data.getMsgContext());
+ }
+
+ public Credential validateWithSTS(Credential credential, Message message)
throws WSSecurityException {
+
SecurityToken token = new SecurityToken();
try {
if (credential.getAssertion() != null) {
- if (!alwaysValidateToSts) {
- //
- // Try to validate the Assertion locally first. If trust
verification fails
- // then send it off to the STS for validation
- //
- samlValidator.validate(credential, data);
- if (samlValidator.isTrustVerificationSucceeded()) {
- return credential;
- }
- }
token.setToken(credential.getAssertion().getElement());
} else if (credential.getUsernametoken() != null) {
token.setToken(credential.getUsernametoken().getElement());
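Review bot: validate still narrows the context to a SOAP message at `return validateWithSTS(credential, (SoapMessage)data.getMsgContext());`, although the new validateWithSTS signature only requires a Message, so the cast can be relaxed to `(Message)data.getMsgContext()` and the validator stops failing with ClassCastException for non-SOAP message contexts. validateWithSTS has become public API in this hunk, so it deserves a Javadoc saying that it always sends the credential to the STS and performs none of the local SAML trust check that validate does first, and that a null credential is not handled. The body of validateWithSTS continues past the end of the hunk.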
@@ -71,7 +71,7 @@ public class STSTokenValidator implement
token.setToken(credential.getBinarySecurityToken().getElement());
}
- STSClient c = STSUtils.getClient(m, "sts");
+ STSClient c = STSUtils.getClient(message, "sts");
synchronized (c) {
System.setProperty("noprint", "true");
List<SecurityToken> tokens = c.validateSecurityToken(token);
@@ -88,5 +88,21 @@ public class STSTokenValidator implement
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity", null, e);
}
}
+
+ protected boolean isValidatedLocally(Credential credential, RequestData
data)
+ throws WSSecurityException {
+
+ if (!alwaysValidateToSts && credential.getAssertion() != null) {
+ try {
+ samlValidator.validate(credential, data);
+ return samlValidator.isTrustVerificationSucceeded();
+ } catch (RuntimeException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity", null, e);
+ }
+ }
+ return false;
+ }
}
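Review bot: isValidatedLocally wraps every checked exception from `samlValidator.validate(credential, data)` into a new FAILURE/`invalidSAMLsecurity` WSSecurityException, which discards whatever error code the SAML validator attached (a WSSecurityException of its own is likely to carry a more specific code than FAILURE); if WSSecurityException is a checked exception in this WSS4J version, rethrow it unchanged with `catch (WSSecurityException e) { throw e; }` ahead of the `catch (Exception e)` arm. The `catch (RuntimeException e) { throw e; }` arm exists only to keep runtime exceptions out of the generic catch, which is worth a one-line comment. The method name reads as a verdict, but a false return means "not decided locally, defer to the STS" while an invalid assertion is reported by throwing; a Javadoc such as `/** Returns true only when the assertion was verified locally and its trust chain succeeded; false means the caller must validate with the STS. Throws WSSecurityException when local validation fails outright. */` keeps callers from treating false as a rejection.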
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java?rev=1095410&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
(added)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
Wed Apr 20 13:49:05 2011
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.trust;
+
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.ws.security.validate.Credential;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class AuthPolicyValidatingInterceptorTest extends Assert {
+
+ @Test
+ public void testValidateAuthorizationPolicy() throws Exception {
+ AuthPolicyValidatingInterceptor in = new
AuthPolicyValidatingInterceptor();
+ TestSTSTokenValidator validator = new TestSTSTokenValidator();
+ in.setValidator(validator);
+
+ AuthorizationPolicy policy = new AuthorizationPolicy();
+ policy.setUserName("bob");
+ policy.setPassword("pswd");
+ Message message = new MessageImpl();
+ message.put(AuthorizationPolicy.class, policy);
+
+ in.handleMessage(message);
+
+ assertTrue(validator.isValidated());
+ }
+
+ private static class TestSTSTokenValidator extends STSTokenValidator {
+
+ private boolean validated;
+
+ public TestSTSTokenValidator() {
+ super(true);
+ }
+
+ @Override
+ public Credential validateWithSTS(Credential credential, Message
message)
+ throws WSSecurityException {
+ UsernameToken token = credential.getUsernametoken();
+ if ("bob".equals(token.getName()) &&
"pswd".equals(token.getPassword())) {
+ // TODO: mock STS
+ validated = true;
+ }
+ return credential;
+ }
+
+ public boolean isValidated() {
+ return validated;
+ }
+ }
+}
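Review bot: testValidateAuthorizationPolicy only covers the accepting path; nothing exercises the rejection branch of handleMessage, where a message with no AuthorizationPolicy (or one with a null user name or password) must throw SecurityException before any STS call, and TestSTSTokenValidator returns the credential unchanged even when the name/password pair does not match, so a wrong password passes the interceptor silently in this setup. Add a second test that calls `in.handleMessage(new MessageImpl())` inside a try block and fails unless SecurityException is thrown, and make the stub throw a WSSecurityException on a mismatch so `validated` being false is not the only signal. The `// TODO: mock STS` comment marks that the STS round trip itself is unverified; naming what the mock should assert (that the UsernameToken carries the policy user name and a PasswordText-typed password) would make the TODO actionable.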
Propchange:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
------------------------------------------------------------------------------
svn:keywords = Rev Date