Add some hooks to either set or get some information relating to the kerberos authentication process
# Conflicts:
# rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
# rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/82581d6d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/82581d6d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/82581d6d
Branch: refs/heads/3.1.x-fixes
Commit: 82581d6d720c0c1db73df0c128b3371ad9d734f8
Parents: fe33fce
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Fri Sep 8 15:42:03 2017 +0100
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Fri Sep 8 15:45:15 2017 +0100
----------------------------------------------------------------------
.../jaxrs/security/KerberosAuthenticationFilter.java | 14 ++++++++------
.../http/auth/AbstractSpnegoAuthSupplier.java | 11 +++++++++--
.../cxf/ws/security/kerberos/KerberosClient.java | 6 +++++-
3 files changed, 22 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/82581d6d/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
index 3390104..e3cd617 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
@@ -105,16 +105,13 @@ public class KerberosAuthenticationFilter implements ContainerRequestFilter { if (index > 0) { simpleUserName = simpleUserName.substring(0, index); } + Message m = JAXRSUtils.getCurrentMessage(); + m.put(SecurityContext.class, createSecurityContext(simpleUserName, complexUserName, gssContext)); + if (!gssContext.getCredDelegState()) { gssContext.dispose(); gssContext = null; } - Message m = JAXRSUtils.getCurrentMessage(); - m.put(SecurityContext.class, - new KerberosSecurityContext(new KerberosPrincipal(simpleUserName, - complexUserName), - gssContext)); - } catch (LoginException e) { LOG.fine("Unsuccessful JAAS login for the service principal: " + e.getMessage()); throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse()); @@ -127,6 +124,11 @@ public class KerberosAuthenticationFilter implements ContainerRequestFilter { } } + protected SecurityContext createSecurityContext(String simpleUserName, String complexUserName, + GSSContext gssContext) { + return new KerberosSecurityContext(new KerberosPrincipal(simpleUserName, complexUserName), gssContext); + } + protected GSSContext createGSSContext() throws GSSException { boolean useKerberosOid = MessageUtils.isTrue( messageContext.getContextualProperty(PROPERTY_USE_KERBEROS_OID)); http://git-wip-us.apache.org/repos/asf/cxf/blob/82581d6d/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java ---------------------------------------------------------------------- diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java index 172d110..f62947e 100644 --- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java +++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java 
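Review bot: In the first hunk `createSecurityContext(...)` now runs before the `if (!gssContext.getCredDelegState())` block, so the default `KerberosSecurityContext` keeps a reference to a `GSSContext` that is disposed a few lines later, where the old code passed it `null` in that case. Any consumer that treats a non-null context on the security context as "delegated credentials are available" would now receive a disposed object; `KerberosSecurityContext` is not shown here, so this is inferred from the constructor call. To keep the old result for the default while still giving overriders the live context, the factory added in the second hunk could return `new KerberosSecurityContext(new KerberosPrincipal(simpleUserName, complexUserName), gssContext.getCredDelegState() ? gssContext : null);`. The new protected method also has no Javadoc; I would add `/** Called while gssContext is still established; it is disposed after this returns unless credential delegation is active, so copy what you need instead of retaining it. */`. The enclosing filter method starts and ends outside the hunk.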
@@ -138,7 +138,9 @@ public abstract class AbstractSpnegoAuthSupplier { if (delegatedCred != null) { return context.initSecContext(token, 0, token.length); } - + + decorateSubject(subject); + try { return (byte[])Subject.doAs(subject, new CreateServiceTicketAction(context, token)); } catch (PrivilegedActionException e) { @@ -149,7 +151,12 @@ public abstract class AbstractSpnegoAuthSupplier { return null; } } - + + // Allow subclasses to decorate the Subject if required. + protected void decorateSubject(Subject subject) { + + } + protected boolean isCredDelegationRequired(Message message) { Object prop = message.getContextualProperty(PROPERTY_REQUIRE_CRED_DELEGATION); return prop == null ? credDelegation : MessageUtils.isTrue(prop); http://git-wip-us.apache.org/repos/asf/cxf/blob/82581d6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java index cce09cb..51fdbe2 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java @@ -147,7 +147,7 @@ public class KerberosClient implements Configurable { LOG.fine("Requesting Kerberos ticket for " + serviceName + " using JAAS Login Module: " + getContextName()); } - KerberosSecurity bst = new KerberosSecurity(DOMUtils.createDocument()); + KerberosSecurity bst = createKerberosSecurity(); bst.retrieveServiceTicket(getContextName(), callbackHandler, serviceName, isUsernameServiceNameForm, requestCredentialDelegation, delegatedCredential); 
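Review bot: `decorateSubject(subject)` sits after the `if (delegatedCred != null) { return context.initSecContext(token, 0, token.length); }` early return, so the hook never runs when a delegated credential is in use, and nothing on the method tells a subclass author that. The hook hands subclasses the `Subject` that `Subject.doAs` is about to run under, so anything they add or remove changes the credentials used to obtain the service ticket. That contract deserves a Javadoc in place of the one-line `//` comment in the second hunk of this file, for example `/** Invoked just before Subject.doAs on the non-delegated path only; changes made here affect the credentials used for the service ticket. */`. Whether `subject` can be null at this point is not visible, because the method begins outside the hunk.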
@@ -170,6 +170,10 @@ public class KerberosClient implements Configurable { return token; } + protected KerberosSecurity createKerberosSecurity() { + return new KerberosSecurity(DOMUtils.createDocument()); + } + public boolean isUsernameServiceNameForm() { return isUsernameServiceNameForm; }
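Review bot: `createKerberosSecurity()` is a new protected extension point with no Javadoc, and the call site in the previous hunk (`KerberosSecurity bst = createKerberosSecurity();`) uses the result immediately for `bst.retrieveServiceTicket(...)`, so an override that returns null fails there and one that returns a shared instance may carry ticket state from one request into the next. I would state the contract on the method, for example `/** Creates the KerberosSecurity used to retrieve the service ticket; must return a new, non-null instance on every call. */`. That the instance holds per-request ticket state is inferred from the call sequence, since `KerberosSecurity` itself is not shown.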