Repository: cxf Updated Branches: refs/heads/master 0ed74ffb1 -> f97ef8372
Refactor DefaultSubjectProvider to make it easier to subclass bits of functionality Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3348a299 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3348a299 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3348a299 Branch: refs/heads/master Commit: 3348a2999d2693edfeaf1fdd62a94222774186fd Parents: 0ed74ff Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Jun 3 14:56:55 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Jun 3 14:56:55 2015 +0100 ---------------------------------------------------------------------- .../token/provider/DefaultSubjectProvider.java | 127 ++++++++++++------- 1 file changed, 83 insertions(+), 44 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/3348a299/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java index f845a86..4aa6253 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java @@ -87,30 +87,47 @@ public class DefaultSubjectProvider implements SubjectProvider { public SubjectBean getSubject( TokenProviderParameters providerParameters, Document doc, byte[] secret ) { - TokenRequirements tokenRequirements = providerParameters.getTokenRequirements(); - KeyRequirements keyRequirements = providerParameters.getKeyRequirements(); - STSPropertiesMBean stsProperties = providerParameters.getStsProperties(); - - String tokenType = tokenRequirements.getTokenType(); - String keyType = keyRequirements.getKeyType(); - String confirmationMethod = getSubjectConfirmationMethod(tokenType, keyType); + // 1. Get the principal + Principal principal = getPrincipal(providerParameters); + if (principal == null) { + LOG.fine("Error in getting principal"); + throw new STSException("Error in getting principal", STSException.REQUEST_FAILED); + } + + // 2. Create the SubjectBean using the principal + SubjectBean subjectBean = createSubjectBean(principal, providerParameters); + // 3. Create the KeyInfoBean and set it on the SubjectBean + KeyInfoBean keyInfo = createKeyInfo(providerParameters, doc, secret); + subjectBean.setKeyInfo(keyInfo); + + return subjectBean; + } + + /** + * Get the Principal (which is used as the Subject). By default, we check the following (in order): + * - A valid OnBehalfOf principal + * - A valid ActAs principal + * - A valid principal associated with a token received as ValidateTarget + * - The principal associated with the request. We don't need to check to see if it is "valid" here, as it + * is not parsed by the STS (but rather the WS-Security layer). + */ + protected Principal getPrincipal(TokenProviderParameters providerParameters) { Principal principal = null; - ReceivedToken receivedToken = null; //TokenValidator in IssueOperation has validated the ReceivedToken //if validation was successful, the principal was set in ReceivedToken if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) { - receivedToken = providerParameters.getTokenRequirements().getOnBehalfOf(); + ReceivedToken receivedToken = providerParameters.getTokenRequirements().getOnBehalfOf(); if (receivedToken.getState().equals(STATE.VALID)) { principal = receivedToken.getPrincipal(); } } else if (providerParameters.getTokenRequirements().getActAs() != null) { - receivedToken = providerParameters.getTokenRequirements().getActAs(); + ReceivedToken receivedToken = providerParameters.getTokenRequirements().getActAs(); if (receivedToken.getState().equals(STATE.VALID)) { principal = receivedToken.getPrincipal(); } } else if (providerParameters.getTokenRequirements().getValidateTarget() != null) { - receivedToken = providerParameters.getTokenRequirements().getValidateTarget(); + ReceivedToken receivedToken = providerParameters.getTokenRequirements().getValidateTarget(); if (receivedToken.getState().equals(STATE.VALID)) { principal = receivedToken.getPrincipal(); } @@ -118,10 +135,19 @@ public class DefaultSubjectProvider implements SubjectProvider { principal = providerParameters.getPrincipal(); } - if (principal == null) { - LOG.fine("Error in getting principal"); - throw new STSException("Error in getting principal", STSException.REQUEST_FAILED); - } + return principal; + } + + /** + * Create the SubjectBean using the specified principal. + */ + protected SubjectBean createSubjectBean(Principal principal, TokenProviderParameters providerParameters) { + TokenRequirements tokenRequirements = providerParameters.getTokenRequirements(); + KeyRequirements keyRequirements = providerParameters.getKeyRequirements(); + + String tokenType = tokenRequirements.getTokenType(); + String keyType = keyRequirements.getKeyType(); + String confirmationMethod = getSubjectConfirmationMethod(tokenType, keyType); String subjectName = principal.getName(); if (SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(subjectNameIDFormat) @@ -145,6 +171,42 @@ public class DefaultSubjectProvider implements SubjectProvider { subjectBean.setSubjectNameIDFormat(subjectNameIDFormat); } + return subjectBean; + } + + /** + * Get the SubjectConfirmation method given a tokenType and keyType + */ + protected String getSubjectConfirmationMethod(String tokenType, String keyType) { + if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) + || WSConstants.SAML_NS.equals(tokenType)) { + if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType) + || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) { + return SAML1Constants.CONF_HOLDER_KEY; + } else { + return SAML1Constants.CONF_BEARER; + } + } else { + if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType) + || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) { + return SAML2Constants.CONF_HOLDER_KEY; + } else { + return SAML2Constants.CONF_BEARER; + } + } + } + + /** + * Create and return the KeyInfoBean to be inserted into the SubjectBean + */ + protected KeyInfoBean createKeyInfo( + TokenProviderParameters providerParameters, Document doc, byte[] secret + ) { + KeyRequirements keyRequirements = providerParameters.getKeyRequirements(); + STSPropertiesMBean stsProperties = providerParameters.getStsProperties(); + + String keyType = keyRequirements.getKeyType(); + if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) { Crypto crypto = stsProperties.getEncryptionCrypto(); @@ -180,8 +242,8 @@ public class DefaultSubjectProvider implements SubjectProvider { throw new STSException("Encryption certificate is not found for alias: " + encryptionName); } KeyInfoBean keyInfo = - createKeyInfo(certs[0], secret, doc, encryptionProperties, crypto); - subjectBean.setKeyInfo(keyInfo); + createEncryptedKeyKeyInfo(certs[0], secret, doc, encryptionProperties, crypto); + return keyInfo; } catch (WSSecurityException ex) { LOG.log(Level.WARNING, "", ex); throw new STSException(ex.getMessage(), ex); @@ -211,39 +273,16 @@ public class DefaultSubjectProvider implements SubjectProvider { } } - KeyInfoBean keyInfo = createKeyInfo(receivedKey.getX509Cert(), receivedKey.getPublicKey()); - subjectBean.setKeyInfo(keyInfo); + return createPublicKeyKeyInfo(receivedKey.getX509Cert(), receivedKey.getPublicKey()); } - return subjectBean; - } - - /** - * Get the SubjectConfirmation method given a tokenType and keyType - */ - protected String getSubjectConfirmationMethod(String tokenType, String keyType) { - if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) - || WSConstants.SAML_NS.equals(tokenType)) { - if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType) - || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) { - return SAML1Constants.CONF_HOLDER_KEY; - } else { - return SAML1Constants.CONF_BEARER; - } - } else { - if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType) - || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) { - return SAML2Constants.CONF_HOLDER_KEY; - } else { - return SAML2Constants.CONF_BEARER; - } - } + return null; } /** * Create a KeyInfoBean that contains an X.509 certificate or Public Key */ - protected static KeyInfoBean createKeyInfo(X509Certificate certificate, PublicKey publicKey) { + protected static KeyInfoBean createPublicKeyKeyInfo(X509Certificate certificate, PublicKey publicKey) { KeyInfoBean keyInfo = new KeyInfoBean(); if (certificate != null) { @@ -260,7 +299,7 @@ public class DefaultSubjectProvider implements SubjectProvider { /** * Create an EncryptedKey KeyInfo. */ - protected static KeyInfoBean createKeyInfo( + protected static KeyInfoBean createEncryptedKeyKeyInfo( X509Certificate certificate, byte[] secret, Document doc,
