Author: giger
Date: Sun Jun 16 11:09:36 2013
New Revision: 1493498
URL: http://svn.apache.org/r1493498
Log:
throw an exception when a Kerberos token could not be parsed
Added:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
(with props)
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java?rev=1493498&r1=1493497&r2=1493498&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java
(original)
+++
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java
Sun Jun 16 11:09:36 2013
@@ -45,7 +45,7 @@ public interface KerberosTokenDecoder {
* Get the session key from the token
* @return the session key from the token
*/
- byte[] getSessionKey();
+ byte[] getSessionKey() throws KerberosTokenDecoderException;
/**
* Clear all internal information
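Review bot: The Javadoc directly above the changed signature still documents only the return value, while the method now declares a checked exception the caller must handle; add `@throws KerberosTokenDecoderException if the token cannot be decoded` to the comment block. Nothing in the interface Javadoc says that decoding is lazy or what "could not be parsed" covers, so callers only learn the contract from the implementation. The interface body continues outside the hunk.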
Added:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java?rev=1493498&view=auto
==============================================================================
---
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
(added)
+++
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
Sun Jun 16 11:09:36 2013
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.common.kerberos;
+
+public class KerberosTokenDecoderException extends Exception {
+
+ public KerberosTokenDecoderException(String message) {
+ super(message);
+ }
+
+ public KerberosTokenDecoderException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public KerberosTokenDecoderException(Throwable cause) {
+ super(cause);
+ }
+}
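Review bot: The new exception type is Serializable through Exception but declares no serialVersionUID, so the JVM derives one from the class shape and any later edit to the class silently breaks compatibility with serialized instances; add `private static final long serialVersionUID = 1L;` as the first member. The class also has no Javadoc, and nothing states when it is thrown; based on how KerberosTokenDecoderImpl uses it in this commit, a one-line `/** Thrown when a Kerberos GSS AP-REQ token cannot be parsed, or its ticket cannot be decrypted with the service key. */` above the class declaration would do.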
Propchange:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java?rev=1493498&r1=1493497&r2=1493498&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
(original)
+++
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
Sun Jun 16 11:09:36 2013
@@ -3,6 +3,7 @@ package org.apache.wss4j.common.kerberos
import
org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import
org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
+import
org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import
org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder;
import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
import
org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
@@ -19,9 +20,6 @@ import java.util.Set;
public class KerberosTokenDecoderImpl implements KerberosTokenDecoder {
- private static org.slf4j.Logger log =
- org.slf4j.LoggerFactory.getLogger(KerberosTokenDecoderImpl.class);
-
private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
private byte[] serviceTicket;
@@ -63,7 +61,7 @@ public class KerberosTokenDecoderImpl im
*
* @return the session key from the token
*/
- public byte[] getSessionKey() {
+ public byte[] getSessionKey() throws KerberosTokenDecoderException {
if (!decoded) {
decodeServiceTicket();
}
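Review bot: The Javadoc above getSessionKey still ends at `@return the session key from the token` and does not mention the new checked exception; add `@throws KerberosTokenDecoderException if the service ticket cannot be parsed or decrypted`. Also worth a one-line comment on the guard: because `decoded` is only set after parseServiceTicket returns normally, a failed decode leaves it false and the next call re-parses the same token rather than remembering the failure, e.g. `// decoded stays false on failure, so a retry re-parses the token`. The method's return statement lies outside the hunk.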
@@ -78,7 +76,7 @@ public class KerberosTokenDecoderImpl im
*
* @return the client principal name
*/
- public String getClientPrincipalName() {
+ public String getClientPrincipalName() throws
KerberosTokenDecoderException {
if (!decoded) {
decodeServiceTicket();
}
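Review bot: getClientPrincipalName now declares a checked exception, but the only interface hunk in this commit changes getSessionKey; if KerberosTokenDecoder also declares getClientPrincipalName(), this override widens the checked exceptions of an interface method and will not compile until the interface declaration gets the same `throws KerberosTokenDecoderException`. Either way the Javadoc above should gain `@throws KerberosTokenDecoderException if the service ticket cannot be parsed or decrypted`. The method's return statement lies outside the hunk.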
@@ -86,60 +84,60 @@ public class KerberosTokenDecoderImpl im
}
// Decode the service ticket.
- private synchronized void decodeServiceTicket() {
- try {
- parseServiceTicket(serviceTicket);
- decoded = true;
- } catch (Exception e) {
- log.debug("Error retrieving a service ticket", e);
- }
+ private synchronized void decodeServiceTicket() throws
KerberosTokenDecoderException {
+ parseServiceTicket(serviceTicket);
+ decoded = true;
}
// Parses the service ticket (GSS AP-REQ token)
- private void parseServiceTicket(byte[] ticket) throws Exception {
-
- // I didn't find a better way how to parse this Kerberos Message...
-
- org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
- new org.bouncycastle.asn1.ASN1InputStream(new
ByteArrayInputStream(ticket));
- org.bouncycastle.asn1.DERApplicationSpecific derToken =
- (org.bouncycastle.asn1.DERApplicationSpecific)
asn1InputStream.readObject();
- if (derToken == null || !derToken.isConstructed()) {
+ private void parseServiceTicket(byte[] ticket) throws
KerberosTokenDecoderException {
+ try {
+ // I didn't find a better way how to parse this Kerberos Message...
+ org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
+ new org.bouncycastle.asn1.ASN1InputStream(new
ByteArrayInputStream(ticket));
+ org.bouncycastle.asn1.DERApplicationSpecific derToken =
+ (org.bouncycastle.asn1.DERApplicationSpecific)
asn1InputStream.readObject();
+ if (derToken == null || !derToken.isConstructed()) {
+ asn1InputStream.close();
+ throw new KerberosTokenDecoderException("invalid kerberos
token");
+ }
asn1InputStream.close();
- throw new IllegalArgumentException("invalid kerberos token");
- }
- asn1InputStream.close();
- asn1InputStream = new org.bouncycastle.asn1.ASN1InputStream(new
ByteArrayInputStream(derToken.getContents()));
- org.bouncycastle.asn1.DERObjectIdentifier kerberosOid =
- (org.bouncycastle.asn1.DERObjectIdentifier)
asn1InputStream.readObject();
- if (!kerberosOid.getId().equals(KERBEROS_OID)) {
- asn1InputStream.close();
- throw new IllegalArgumentException("invalid kerberos token");
- }
+ asn1InputStream = new org.bouncycastle.asn1.ASN1InputStream(new
ByteArrayInputStream(derToken.getContents()));
+ org.bouncycastle.asn1.DERObjectIdentifier kerberosOid =
+ (org.bouncycastle.asn1.DERObjectIdentifier)
asn1InputStream.readObject();
+ if (!kerberosOid.getId().equals(KERBEROS_OID)) {
+ asn1InputStream.close();
+ throw new KerberosTokenDecoderException("invalid kerberos
token");
+ }
- int readLowByte = asn1InputStream.read() & 0xff;
- int readHighByte = asn1InputStream.read() & 0xff;
- int read = (readHighByte << 8) + readLowByte;
- if (read != 0x01) {
- throw new IllegalArgumentException("invalid kerberos token");
- }
+ int readLowByte = asn1InputStream.read() & 0xff;
+ int readHighByte = asn1InputStream.read() & 0xff;
+ int read = (readHighByte << 8) + readLowByte;
+ if (read != 0x01) {
+ throw new KerberosTokenDecoderException("invalid kerberos
token");
+ }
- ApplicationRequestDecoder applicationRequestDecoder = new
ApplicationRequestDecoder();
- ApplicationRequest applicationRequest =
applicationRequestDecoder.decode(toByteArray(asn1InputStream));
+ ApplicationRequestDecoder applicationRequestDecoder = new
ApplicationRequestDecoder();
+ ApplicationRequest applicationRequest =
applicationRequestDecoder.decode(toByteArray(asn1InputStream));
- final int encryptionType =
applicationRequest.getTicket().getEncPart().getEType().getOrdinal();
- KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
+ final int encryptionType =
applicationRequest.getTicket().getEncPart().getEType().getOrdinal();
+ KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
- EncryptionKey encryptionKey =
- new
EncryptionKey(EncryptionType.getTypeByOrdinal(encryptionType),
kerberosKey.getEncoded());
+ EncryptionKey encryptionKey =
+ new
EncryptionKey(EncryptionType.getTypeByOrdinal(encryptionType),
kerberosKey.getEncoded());
- CipherTextHandler cipherTextHandler = new CipherTextHandler();
- this.encTicketPart = (EncTicketPart) cipherTextHandler.unseal(
- EncTicketPart.class, encryptionKey,
applicationRequest.getTicket().getEncPart(), KeyUsage.NUMBER2);
+ CipherTextHandler cipherTextHandler = new CipherTextHandler();
+ this.encTicketPart = (EncTicketPart) cipherTextHandler.unseal(
+ EncTicketPart.class, encryptionKey,
applicationRequest.getTicket().getEncPart(), KeyUsage.NUMBER2);
+ } catch (KerberosException e) {
+ throw new KerberosTokenDecoderException(e);
+ } catch (IOException e) {
+ throw new KerberosTokenDecoderException(e);
+ }
}
- private KerberosKey getKrbKey(Subject sub, int keyType) throws Exception {
+ private KerberosKey getKrbKey(Subject sub, int keyType) {
Set<Object> creds = sub.getPrivateCredentials(Object.class);
for (Iterator<Object> i = creds.iterator(); i.hasNext(); ) {
Object cred = i.next();
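Review bot: The new try block in parseServiceTicket converts only KerberosException and IOException, but the parser's own failure modes on a malformed token are unchecked: `readObject()` is cast straight to DERApplicationSpecific and then to DERObjectIdentifier without an instanceof check, so an unexpected ASN.1 type surfaces as a ClassCastException, and `kerberosKey.getEncoded()` dereferences the result of getKrbKey, whose `throws Exception` is dropped in this hunk and whose body continues outside it — if it returns null when the Subject holds no key of the requested type, that is a NullPointerException. Before this change `catch (Exception e)` swallowed all of those; now they propagate past the KerberosTokenDecoderException handlers the validators add in this same commit, so a client sending a crafted token gets an unhandled RuntimeException instead of the intended security fault, and the encryption type that drives the key lookup is read from the client's ticket, so that path is reachable. Guard the two casts and the key lookup explicitly rather than widening the catch to RuntimeException, which would also hide genuine programming errors.
```java
private void parseServiceTicket(byte[] ticket) throws KerberosTokenDecoderException {
    try {
        org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
            new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(ticket));
        Object outer = asn1InputStream.readObject();
        asn1InputStream.close();
        // reject anything that is not a constructed [APPLICATION n] wrapper before casting
        if (!(outer instanceof org.bouncycastle.asn1.DERApplicationSpecific)
            || !((org.bouncycastle.asn1.DERApplicationSpecific) outer).isConstructed()) {
            throw new KerberosTokenDecoderException("invalid kerberos token");
        }
        org.bouncycastle.asn1.DERApplicationSpecific derToken =
            (org.bouncycastle.asn1.DERApplicationSpecific) outer;
        asn1InputStream = new org.bouncycastle.asn1.ASN1InputStream(
            new ByteArrayInputStream(derToken.getContents()));
        Object oid = asn1InputStream.readObject();
        if (!(oid instanceof org.bouncycastle.asn1.DERObjectIdentifier)
            || !KERBEROS_OID.equals(((org.bouncycastle.asn1.DERObjectIdentifier) oid).getId())) {
            asn1InputStream.close();
            throw new KerberosTokenDecoderException("invalid kerberos token");
        }
        // … unchanged: TOK_ID check and ApplicationRequestDecoder …
        KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
        if (kerberosKey == null) {
            throw new KerberosTokenDecoderException(
                "no service key for encryption type " + encryptionType);
        }
        // … unchanged: EncryptionKey construction and CipherTextHandler.unseal …
    } catch (KerberosException e) {
        throw new KerberosTokenDecoderException(e);
    } catch (IOException e) {
        throw new KerberosTokenDecoderException(e);
    }
}
```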
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java?rev=1493498&r1=1493497&r2=1493498&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
(original)
+++
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
Sun Jun 16 11:09:36 2013
@@ -29,6 +29,7 @@ import javax.security.auth.login.LoginEx
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
+import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.BinarySecurity;
@@ -203,8 +204,12 @@ public class KerberosTokenValidator impl
kerberosTokenDecoder.clear();
kerberosTokenDecoder.setToken(token);
kerberosTokenDecoder.setSubject(subject);
- byte[] sessionKey = kerberosTokenDecoder.getSessionKey();
- credential.setSecretKey(sessionKey);
+ try {
+ byte[] sessionKey = kerberosTokenDecoder.getSessionKey();
+ credential.setSecretKey(sessionKey);
+ } catch (KerberosTokenDecoderException e) {
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ }
if (log.isDebugEnabled()) {
log.debug("Successfully validated a ticket");
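Review bot: The decoder failure is mapped to `ErrorCode.FAILURE` here, while the StAX counterpart changed in this same commit maps the identical failure from getSessionKey to `ErrorCode.INVALID_SECURITY_TOKEN`; the DOM and StAX stacks should raise the same fault for the same undecodable client token. A token the service cannot parse or decrypt is a problem with the presented token, which is what the INVALID_SECURITY_TOKEN code appears to express, so change the line to `throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);`. The enclosing validate method continues outside the hunk.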
Modified:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java?rev=1493498&r1=1493497&r2=1493498&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
(original)
+++
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
Sun Jun 16 11:09:36 2013
@@ -19,10 +19,7 @@
package org.apache.wss4j.stax.impl.securityToken;
import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.kerberos.KerberosContextAndServiceNameCallback;
-import org.apache.wss4j.common.kerberos.KerberosServiceAction;
-import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
-import org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl;
+import org.apache.wss4j.common.kerberos.*;
import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
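Review bot: Replacing the four explicit imports with the wildcard `import org.apache.wss4j.common.kerberos.*;` is a style regression: the file's other imports are all explicit, and a wildcard pulls every current and future type of that package into scope, so a later addition to org.apache.wss4j.common.kerberos can collide with a same-named type imported elsewhere in this file. Keep the four original imports and add only the one new name, `import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;`, in alphabetical position.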
@@ -139,7 +136,12 @@ public class KerberosServiceSecurityToke
this.kerberosTokenDecoder = getTGT();
}
- byte[] sk = this.kerberosTokenDecoder.getSessionKey();
+ byte[] sk;
+ try {
+ sk = this.kerberosTokenDecoder.getSessionKey();
+ } catch (KerberosTokenDecoderException e) {
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
+ }
String algoFamily =
JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(algorithmURI) /
8;