Repository: cxf
Updated Branches:
refs/heads/3.0.x-fixes 02c588ce4 -> ef5751eef
Refactor DefaultSubjectProvider to make it easier to subclass bits of
functionality
Conflicts:
services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c28c439e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c28c439e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c28c439e
Branch: refs/heads/3.0.x-fixes
Commit: c28c439e445984d45d10ec658fc672b4f35a5e14
Parents: 02c588c
Author: Colm O hEigeartaigh <[email protected]>
Authored: Wed Jun 3 14:56:55 2015 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Wed Jun 3 15:20:59 2015 +0100
----------------------------------------------------------------------
.../token/provider/DefaultSubjectProvider.java | 107 +++++++++++++++----
1 file changed, 86 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/c28c439e/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index 7d28b57..c4e54f8 100644
---
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -87,30 +87,47 @@ public class DefaultSubjectProvider implements
SubjectProvider {
public SubjectBean getSubject(
TokenProviderParameters providerParameters, Document doc, byte[] secret
) {
- TokenRequirements tokenRequirements =
providerParameters.getTokenRequirements();
- KeyRequirements keyRequirements =
providerParameters.getKeyRequirements();
- STSPropertiesMBean stsProperties =
providerParameters.getStsProperties();
-
- String tokenType = tokenRequirements.getTokenType();
- String keyType = keyRequirements.getKeyType();
- String confirmationMethod = getSubjectConfirmationMethod(tokenType,
keyType);
+ // 1. Get the principal
+ Principal principal = getPrincipal(providerParameters);
+ if (principal == null) {
+ LOG.fine("Error in getting principal");
+ throw new STSException("Error in getting principal",
STSException.REQUEST_FAILED);
+ }
+
+ // 2. Create the SubjectBean using the principal
+ SubjectBean subjectBean = createSubjectBean(principal,
providerParameters);
+ // 3. Create the KeyInfoBean and set it on the SubjectBean
+ KeyInfoBean keyInfo = createKeyInfo(providerParameters, doc, secret);
+ subjectBean.setKeyInfo(keyInfo);
+
+ return subjectBean;
+ }
+
+ /**
+ * Get the Principal (which is used as the Subject). By default, we check
the following (in order):
+ * - A valid OnBehalfOf principal
+ * - A valid ActAs principal
+ * - A valid principal associated with a token received as ValidateTarget
+ * - The principal associated with the request. We don't need to check to
see if it is "valid" here, as it
+ * is not parsed by the STS (but rather the WS-Security layer).
+ */
+ protected Principal getPrincipal(TokenProviderParameters
providerParameters) {
Principal principal = null;
- ReceivedToken receivedToken = null;
//TokenValidator in IssueOperation has validated the ReceivedToken
//if validation was successful, the principal was set in ReceivedToken
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null)
{
- receivedToken =
providerParameters.getTokenRequirements().getOnBehalfOf();
+ ReceivedToken receivedToken =
providerParameters.getTokenRequirements().getOnBehalfOf();
if (receivedToken.getState().equals(STATE.VALID)) {
principal = receivedToken.getPrincipal();
}
} else if (providerParameters.getTokenRequirements().getActAs() !=
null) {
- receivedToken =
providerParameters.getTokenRequirements().getActAs();
+ ReceivedToken receivedToken =
providerParameters.getTokenRequirements().getActAs();
if (receivedToken.getState().equals(STATE.VALID)) {
principal = receivedToken.getPrincipal();
}
} else if
(providerParameters.getTokenRequirements().getValidateTarget() != null) {
- receivedToken =
providerParameters.getTokenRequirements().getValidateTarget();
+ ReceivedToken receivedToken =
providerParameters.getTokenRequirements().getValidateTarget();
if (receivedToken.getState().equals(STATE.VALID)) {
principal = receivedToken.getPrincipal();
}
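Review bot: The new Javadoc on getPrincipal describes the default lookup order but not the contract an overriding subclass must keep, even though the method is now protected and getSubject issues a token for whatever principal it returns. The only safeguard visible here is the `receivedToken.getState().equals(STATE.VALID)` test on each ReceivedToken branch, so a subclass that returns a principal from an unvalidated OnBehalfOf/ActAs/ValidateTarget token would silently bypass it. Suggest adding to the Javadoc: `* Implementations must only return a principal taken from a ReceivedToken whose state is STATE.VALID (or the request principal); returning null makes getSubject reject the request with REQUEST_FAILED.` The body of getPrincipal continues into the next hunk.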
@@ -118,10 +135,19 @@ public class DefaultSubjectProvider implements
SubjectProvider {
principal = providerParameters.getPrincipal();
}
- if (principal == null) {
- LOG.fine("Error in getting principal");
- throw new STSException("Error in getting principal",
STSException.REQUEST_FAILED);
- }
+ return principal;
+ }
+
+ /**
+ * Create the SubjectBean using the specified principal.
+ */
+ protected SubjectBean createSubjectBean(Principal principal,
TokenProviderParameters providerParameters) {
+ TokenRequirements tokenRequirements =
providerParameters.getTokenRequirements();
+ KeyRequirements keyRequirements =
providerParameters.getKeyRequirements();
+
+ String tokenType = tokenRequirements.getTokenType();
+ String keyType = keyRequirements.getKeyType();
+ String confirmationMethod = getSubjectConfirmationMethod(tokenType,
keyType);
String subjectName = principal.getName();
if
(SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(subjectNameIDFormat)
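Review bot: createSubjectBean dereferences its argument (`principal.getName()`) without a null guard and relies on the check that getSubject performs first; now that it is a protected hook a subclass can call it directly, so the Javadoc should state the precondition. Suggest `* @param principal the principal to use as the Subject; must not be null (getSubject checks this before calling)` under the one-line summary, or `Objects.requireNonNull(principal, "principal")` as the first statement if an explicit failure is preferred. The method starts in this hunk and continues past its end.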
@@ -145,6 +171,42 @@ public class DefaultSubjectProvider implements
SubjectProvider {
subjectBean.setSubjectNameIDFormat(subjectNameIDFormat);
}
+ return subjectBean;
+ }
+
+ /**
+ * Get the SubjectConfirmation method given a tokenType and keyType
+ */
+ protected String getSubjectConfirmationMethod(String tokenType, String
keyType) {
+ if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+ || WSConstants.SAML_NS.equals(tokenType)) {
+ if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)
+ || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+ return SAML1Constants.CONF_HOLDER_KEY;
+ } else {
+ return SAML1Constants.CONF_BEARER;
+ }
+ } else {
+ if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)
+ || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+ return SAML2Constants.CONF_HOLDER_KEY;
+ } else {
+ return SAML2Constants.CONF_BEARER;
+ }
+ }
+ }
+
+ /**
+ * Create and return the KeyInfoBean to be inserted into the SubjectBean
+ */
+ protected KeyInfoBean createKeyInfo(
+ TokenProviderParameters providerParameters, Document doc, byte[] secret
+ ) {
+ KeyRequirements keyRequirements =
providerParameters.getKeyRequirements();
+ STSPropertiesMBean stsProperties =
providerParameters.getStsProperties();
+
+ String keyType = keyRequirements.getKeyType();
+
if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
Crypto crypto = stsProperties.getEncryptionCrypto();
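Review bot: getSubjectConfirmationMethod evaluates the same SymmetricKey/PublicKey test twice, once inside each SAML-version branch, which is easy to let drift when a key type is added later. Hoisting the holder-of-key decision into one boolean keeps a single definition of which key types are holder-of-key and leaves the SAML1/SAML2 choice as the only branching. Behaviour is unchanged; only the shape differs.

```java
protected String getSubjectConfirmationMethod(String tokenType, String keyType) {
    boolean holderOfKey = STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)
        || STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType);
    boolean saml1 = WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
        || WSConstants.SAML_NS.equals(tokenType);
    if (saml1) {
        return holderOfKey ? SAML1Constants.CONF_HOLDER_KEY : SAML1Constants.CONF_BEARER;
    }
    return holderOfKey ? SAML2Constants.CONF_HOLDER_KEY : SAML2Constants.CONF_BEARER;
}
```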
@@ -180,8 +242,8 @@ public class DefaultSubjectProvider implements
SubjectProvider {
throw new STSException("Encryption certificate is not
found for alias: " + encryptionName);
}
KeyInfoBean keyInfo =
- createKeyInfo(certs[0], secret, doc, encryptionProperties,
crypto);
- subjectBean.setKeyInfo(keyInfo);
+ createEncryptedKeyKeyInfo(certs[0], secret, doc,
encryptionProperties, crypto);
+ return keyInfo;
} catch (WSSecurityException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException(ex.getMessage(), ex);
@@ -211,10 +273,10 @@ public class DefaultSubjectProvider implements
SubjectProvider {
}
}
- KeyInfoBean keyInfo = createKeyInfo(receivedKey.getX509Cert(),
receivedKey.getPublicKey());
- subjectBean.setKeyInfo(keyInfo);
+ return createPublicKeyKeyInfo(receivedKey.getX509Cert(),
receivedKey.getPublicKey());
}
+<<<<<<< HEAD
return subjectBean;
}
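Review bot: Unresolved merge-conflict markers are committed on the new side: `<<<<<<< HEAD` at the end of this hunk and `=======` / `>>>>>>> 3348a29...` in the following hunk (@@ -238,12 +300,15), so DefaultSubjectProvider will not compile on 3.0.x-fixes as pushed. The HEAD side between the markers keeps the old tail of getSubject (`return subjectBean; }` followed by the old inline confirmation-method body ending in `return SAML1Constants.CONF_BEARER;`), which duplicates the new getSubjectConfirmationMethod already added above; the incoming side ends createKeyInfo with `return null;`. Given the refactor, the incoming side is the one to keep: delete the three marker lines and the HEAD lines between them. Once resolved, createKeyInfo's Javadoc should also say that it returns null when neither the SymmetricKey nor, presumably, the PublicKey branch applies, since getSubject now passes that result straight to `subjectBean.setKeyInfo(keyInfo)` instead of skipping the call as the old code did.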
@@ -238,12 +300,15 @@ public class DefaultSubjectProvider implements
SubjectProvider {
return SAML1Constants.CONF_BEARER;
}
}
+=======
+ return null;
+>>>>>>> 3348a29... Refactor DefaultSubjectProvider to make it easier to
subclass bits of functionality
}
/**
* Create a KeyInfoBean that contains an X.509 certificate or Public Key
*/
- protected static KeyInfoBean createKeyInfo(X509Certificate certificate,
PublicKey publicKey) {
+ protected static KeyInfoBean createPublicKeyKeyInfo(X509Certificate
certificate, PublicKey publicKey) {
KeyInfoBean keyInfo = new KeyInfoBean();
if (certificate != null) {
@@ -260,7 +325,7 @@ public class DefaultSubjectProvider implements
SubjectProvider {
/**
* Create an EncryptedKey KeyInfo.
*/
- protected static KeyInfoBean createKeyInfo(
+ protected static KeyInfoBean createEncryptedKeyKeyInfo(
X509Certificate certificate,
byte[] secret,
Document doc,