Author: sergeyb
Date: Tue Jul 17 23:00:54 2012
New Revision: 1362715
URL: http://svn.apache.org/viewvc?rev=1362715&view=rev
Log:
Merged revisions 1362686,1362711 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1362686 | sergeyb | 2012-07-17 23:14:35 +0100 (Tue, 17 Jul 2012) | 1 line
[CXF-4430] SpnegoAuthSupplier updates, also adding Kerberos interceptor and
filter
........
r1362711 | sergeyb | 2012-07-17 23:55:30 +0100 (Tue, 17 Jul 2012) | 1 line
[CXF-4430] Updating the filter to check if the user name is null, optionally
removing the realm when setting up a security context
........
Added:
cxf/branches/2.6.x-fixes/api/src/main/java/org/apache/cxf/common/security/SimpleSecurityContext.java
- copied unchanged from r1362686,
cxf/trunk/api/src/main/java/org/apache/cxf/common/security/SimpleSecurityContext.java
cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthOutInterceptor.java
- copied unchanged from r1362686,
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthOutInterceptor.java
cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
- copied, changed from r1362686,
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
- copied unchanged from r1362686,
cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
cxf/branches/2.6.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
- copied unchanged from r1362686,
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
cxf/branches/2.6.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
- copied unchanged from r1362686,
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
cxf/branches/2.6.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
- copied unchanged from r1362686,
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
cxf/branches/2.6.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberosClient.xml
- copied unchanged from r1362686,
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberosClient.xml
Modified:
cxf/branches/2.6.x-fixes/ (props changed)
cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java
Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
Merged /cxf/trunk:r1362686,1362711
Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Copied:
cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
(from r1362686,
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java)
URL:
http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java?p2=cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java&p1=cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java&r1=1362686&r2=1362715&rev=1362715&view=diff
==============================================================================
---
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
(original)
+++
cxf/branches/2.6.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
Tue Jul 17 23:00:54 2012
@@ -58,6 +58,7 @@ public class KerberosAuthenticationFilte
private String loginContextName;
private String servicePrincipalName;
private String realm;
+ private boolean keepUserPrincipalRealm = true;
public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
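Review bot: The new field `keepUserPrincipalRealm` on line 68 carries no comment, so a reader has to find its use in handleRequest to learn what it controls. Propose `// true (default): the SecurityContext principal keeps the Kerberos realm suffix; false: everything after the last '@' is dropped` directly above the declaration. The default of true keeps the previous behaviour (full GSS source name as principal) for existing deployments, which is worth stating there as well.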
@@ -80,8 +81,21 @@ public class KerberosAuthenticationFilte
Subject.doAs(serviceSubject, new
ValidateServiceTicketAction(gssContext, serviceTicket));
- final String clientName = gssContext.getSrcName().toString();
- m.put(SecurityContext.class, new
SimpleSecurityContext(clientName));
+ GSSName srcName = gssContext.getSrcName();
+ if (srcName == null) {
+ throw new WebApplicationException(getFaultResponse());
+ }
+
+ String userName = srcName.toString();
+ if (!keepUserPrincipalRealm) {
+ int index = userName.lastIndexOf('@');
+ if (index > 0) {
+ userName = userName.substring(0, index);
+ //TODO: still provide a complete user name via
KerberosPrincipal
+ }
+ }
+ m.put(SecurityContext.class, new SimpleSecurityContext(userName));
+
} catch (LoginException e) {
throw new WebApplicationException(getFaultResponse());
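Review bot: Stripping the realm at lines 82-89 merges identities from different realms: with `keepUserPrincipalRealm` false, `user@REALM-A` and `user@REALM-B` both become the SecurityContext principal `user`, so any authorization keyed on the user name can no longer tell them apart. If the `realm` field declared on line 67 is the realm this service expects its clients to authenticate from, the suffix should be compared against it before it is discarded rather than dropped unconditionally, e.g. inside the `index > 0` branch: `if (realm != null && !realm.equals(userName.substring(index + 1))) { throw new WebApplicationException(getFaultResponse()); }`; if `realm` has another meaning in this class, a configurable list of accepted realms would do the same job. The null check on `srcName` at line 77 is a good addition. handleRequest starts at line 69 and continues past the end of the hunk.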
@@ -167,6 +181,11 @@ public class KerberosAuthenticationFilte
this.callbackHandler = callbackHandler;
}
+
+ public void setKeepUserPrincipalRealm(boolean keep) {
+ this.keepUserPrincipalRealm = keep;
+ }
+
private final class ValidateServiceTicketAction implements
PrivilegedExceptionAction<byte[]> {
private final GSSContext context;
private final byte[] token;
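Review bot: `setKeepUserPrincipalRealm` at line 98 is a public configuration hook with no Javadoc, and its effect — reducing the principal to the part before the last '@' — is only discoverable by reading handleRequest. Propose a Javadoc stating that the default is true, that false strips the Kerberos realm from the name exposed through SecurityContext, and that names from different realms then become indistinguishable to downstream authorization. The `ValidateServiceTicketAction` class that follows continues outside the hunk.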
Modified:
cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java?rev=1362715&r1=1362714&r2=1362715&view=diff
==============================================================================
---
cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java
(original)
+++
cxf/branches/2.6.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/SpnegoAuthSupplier.java
Tue Jul 17 23:00:54 2012
@@ -19,42 +19,13 @@
package org.apache.cxf.transport.http.auth;
import java.net.URL;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import javax.security.auth.Subject;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
-import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.message.Message;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
-
-public class SpnegoAuthSupplier implements HttpAuthSupplier {
- /**
- * Can be set on the jaxws:properties. If set to true then the kerberos
oid is used
- * instead of the default spnego OID
- */
- private static final String PROPERTY_USE_KERBEROS_OID =
"auth.spnego.useKerberosOid";
- private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
- private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
- private static final Logger LOG =
LogUtils.getL7dLogger(SpnegoAuthSupplier.class);
+public class SpnegoAuthSupplier extends AbstractSpnegoAuthSupplier
+ implements HttpAuthSupplier {
- private LoginContext lc;
-
public boolean requiresRequestCaching() {
return false;
}
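Review bot: The new class declaration at lines 154-155 has no Javadoc, and the description of the `auth.spnego.useKerberosOid` property that the removed constant carried (lines 143-149) leaves this file with it. Unless that text now lives on AbstractSpnegoAuthSupplier, which this diff does not show, propose a class comment such as `/** HTTP Negotiate (SPNEGO/Kerberos) auth supplier; see AbstractSpnegoAuthSupplier for the token creation and its configuration properties. */` so the property remains discoverable from the class users configure.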
@@ -63,117 +34,7 @@ public class SpnegoAuthSupplier implemen
URL currentURL,
Message message,
String fullHeader) {
- if
(!HttpAuthHeader.AUTH_TYPE_NEGOTIATE.equals(authPolicy.getAuthorizationType()))
{
- return null;
- }
- try {
- String spn = "HTTP/" + currentURL.getHost();
- LOG.fine("Adding authorization service ticket for service
principal name: " + spn);
-
- String userKerbOidSt =
(String)message.getContextualProperty(PROPERTY_USE_KERBEROS_OID);
- boolean useKerberosOid = "true".equals(userKerbOidSt);
- Oid oid = new Oid(useKerberosOid ? KERBEROS_OID : SPNEGO_OID);
-
- byte[] token = getToken(authPolicy, spn, oid);
- return HttpAuthHeader.AUTH_TYPE_NEGOTIATE + " " +
Base64Utility.encode(token);
- } catch (LoginException e) {
- throw new RuntimeException(e.getMessage(), e);
- } catch (GSSException e) {
- throw new RuntimeException(e.getMessage(), e);
- }
- }
-
- /**
- * Create and return service ticket token
- *
- * @param authPolicy
- * @param context
- * @return
- * @throws GSSException
- * @throws LoginException
- */
- private byte[] getToken(AuthorizationPolicy authPolicy, final GSSContext
context) throws GSSException,
- LoginException {
- final byte[] token = new byte[0];
-
- if (authPolicy.getUserName() == null ||
authPolicy.getUserName().trim().length() == 0) {
- return context.initSecContext(token, 0, token.length);
- }
-
- if (lc == null) {
- lc = new LoginContext(authPolicy.getAuthorization(),
getUsernamePasswordHandler(
- authPolicy.getUserName(), authPolicy.getPassword()));
- lc.login();
- }
-
- try {
- return (byte[])Subject.doAs(lc.getSubject(), new
CreateServiceTicketAction(context, token));
- } catch (PrivilegedActionException e) {
- if (e.getCause() instanceof GSSException) {
- throw (GSSException) e.getCause();
- }
- LOG.log(Level.SEVERE, "initSecContext", e);
- return null;
- }
- }
-
- /**
- * Create and return a service ticket token for a given service principal
- * name
- *
- * @param authPolicy
- * @param spn
- * @return service ticket token
- * @throws GSSException
- * @throws LoginException
- */
- private byte[] getToken(AuthorizationPolicy authPolicy, String spn, Oid
oid) throws GSSException,
- LoginException {
- GSSManager manager = GSSManager.getInstance();
- GSSName serverName = manager.createName(spn, null);
-
- GSSContext context = manager
- .createContext(serverName.canonicalize(oid), oid, null,
GSSContext.DEFAULT_LIFETIME);
- // TODO Do we need mutual auth. Will the code we have really work with
- // mutual auth?
- context.requestMutualAuth(true);
- // TODO Credential delegation could be a security hole if it was not
- // intended. Both settings should be configurable
- context.requestCredDeleg(true);
-
- return getToken(authPolicy, context);
- }
-
- private final class CreateServiceTicketAction implements
PrivilegedExceptionAction<byte[]> {
- private final GSSContext context;
- private final byte[] token;
-
- private CreateServiceTicketAction(GSSContext context, byte[] token) {
- this.context = context;
- this.token = token;
- }
-
- public byte[] run() throws GSSException {
- return context.initSecContext(token, 0, token.length);
- }
- }
-
- public static CallbackHandler getUsernamePasswordHandler(final String
username, final String password) {
- final CallbackHandler handler = new CallbackHandler() {
-
- public void handle(final Callback[] callback) {
- for (int i = 0; i < callback.length; i++) {
- if (callback[i] instanceof NameCallback) {
- final NameCallback nameCallback = (NameCallback)
callback[i];
- nameCallback.setName(username);
- } else if (callback[i] instanceof PasswordCallback) {
- final PasswordCallback passCallback =
(PasswordCallback) callback[i];
- passCallback.setPassword(password.toCharArray());
- }
- }
- }
- };
- return handler;
+ return super.getAuthorization(authPolicy, currentURL, message);
}
}
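Review bot: The delegation at line 291 drops the `fullHeader` parameter received at line 164, and with the old method body the GSS context setup that requested credential delegation unconditionally (`context.requestCredDeleg(true)`, lines 250-252) disappears together with its TODO saying that setting should be configurable. Whether AbstractSpnegoAuthSupplier keeps that default, makes it configurable, or accepts `fullHeader` is not visible here; if it still hard-codes delegation, the concern in the removed comment should be re-raised against the base class rather than silently lost. A one-line comment on the delegating call, `// token creation and GSS context options now live in AbstractSpnegoAuthSupplier`, would help a reader who lands on this now-empty subclass. The method signature begins before the hunk.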