Repository: cxf Updated Branches: refs/heads/master 4080fbafc -> ec7a52968
Add some hooks to either set or get some information relating to the kerberos authentication process Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ec7a5296 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ec7a5296 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ec7a5296 Branch: refs/heads/master Commit: ec7a52968e8e4d9e7727a7798b293389c1a3dd29 Parents: 4080fba Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Sep 8 15:42:03 2017 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Sep 8 15:42:03 2017 +0100 ---------------------------------------------------------------------- .../jaxrs/security/KerberosAuthenticationFilter.java | 13 ++++++++----- .../http/auth/AbstractSpnegoAuthSupplier.java | 7 +++++++ .../cxf/ws/security/kerberos/KerberosClient.java | 6 +++++- 3 files changed, 20 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/ec7a5296/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java index 0111022..924057a 100644 --- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java +++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java 
@@ -105,15 +105,13 @@ public class KerberosAuthenticationFilter implements ContainerRequestFilter { if (index > 0) { simpleUserName = simpleUserName.substring(0, index); } + Message m = JAXRSUtils.getCurrentMessage(); + m.put(SecurityContext.class, createSecurityContext(simpleUserName, complexUserName, gssContext)); + if (!gssContext.getCredDelegState()) { gssContext.dispose(); gssContext = null; } - Message m = JAXRSUtils.getCurrentMessage(); - m.put(SecurityContext.class, - new KerberosSecurityContext(new KerberosPrincipal(simpleUserName, - complexUserName), - gssContext)); } catch (LoginException e) { LOG.fine("Unsuccessful JAAS login for the service principal: " + e.getMessage()); @@ -127,6 +125,11 @@ public class KerberosAuthenticationFilter implements ContainerRequestFilter { } } + protected SecurityContext createSecurityContext(String simpleUserName, String complexUserName, + GSSContext gssContext) { + return new KerberosSecurityContext(new KerberosPrincipal(simpleUserName, complexUserName), gssContext); + } + protected GSSContext createGSSContext() throws GSSException { boolean useKerberosOid = PropertyUtils.isTrue( messageContext.getContextualProperty(PROPERTY_USE_KERBEROS_OID)); http://git-wip-us.apache.org/repos/asf/cxf/blob/ec7a5296/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java ---------------------------------------------------------------------- diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java index 464610f..2129e29 100644 --- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java +++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java 
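Review bot: In the first KerberosAuthenticationFilter hunk the SecurityContext is now created and stored on the message before the `if (!gssContext.getCredDelegState())` block, so without delegation the stored context keeps a reference to a GSSContext that has just been disposed, where the old ordering passed `null`. Downstream code that treats a non-null GSS context as a sign that delegated credentials are available would presumably now call into a disposed context; KerberosSecurityContext is not visible here, so confirm. The reordering looks deliberate so that an override can read the live context, so I would keep it and restore the old default inside the hook from the second hunk: `return new KerberosSecurityContext(new KerberosPrincipal(simpleUserName, complexUserName), gssContext.getCredDelegState() ? gssContext : null);`. `createSecurityContext` should also get Javadoc stating that the GSSContext may be disposed as soon as the method returns, so overrides must not retain it unless delegation was established. The enclosing method starts and ends outside the hunk.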
@@ -138,6 +138,8 @@ public abstract class AbstractSpnegoAuthSupplier { return context.initSecContext(token, 0, token.length); } + decorateSubject(subject); + try { return Subject.doAs(subject, new CreateServiceTicketAction(context, token)); } catch (PrivilegedActionException e) { @@ -149,6 +151,11 @@ public abstract class AbstractSpnegoAuthSupplier { } } + // Allow subclasses to decorate the Subject if required. + protected void decorateSubject(Subject subject) { + + } + protected boolean isCredDelegationRequired(Message message) { return MessageUtils.getContextualBoolean(message, PROPERTY_REQUIRE_CRED_DELEGATION, credDelegation); } http://git-wip-us.apache.org/repos/asf/cxf/blob/ec7a5296/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java index 9d8d420..e6061b7 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java @@ -147,7 +147,7 @@ public class KerberosClient implements Configurable { LOG.fine("Requesting Kerberos ticket for " + serviceName + " using JAAS Login Module: " + getContextName()); } - KerberosSecurity bst = new KerberosSecurity(DOMUtils.createDocument()); + KerberosSecurity bst = createKerberosSecurity(); bst.retrieveServiceTicket(getContextName(), callbackHandler, serviceName, isUsernameServiceNameForm, requestCredentialDelegation, delegatedCredential); 
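Review bot: In AbstractSpnegoAuthSupplier, `decorateSubject(subject)` hands subclasses the JAAS Subject for mutation right before `Subject.doAs`, but the one-line comment on the hook in the second hunk says nothing about the Subject's lifetime or state. If that Subject is cached or shared between requests (its origin is outside the hunk), principals or credentials an override adds would persist and be visible to later calls, and a read-only Subject would make the mutation throw. I would replace the comment with Javadoc stating that the hook runs only on the `doAs` path (the early `return context.initSecContext(token, 0, token.length);` above skips it), that changes remain on the Subject after the call, and that overrides must not log or copy out its private credentials. The enclosing method begins before the hunk.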
@@ -170,6 +170,10 @@ public class KerberosClient implements Configurable { return token; } + protected KerberosSecurity createKerberosSecurity() { + return new KerberosSecurity(DOMUtils.createDocument()); + } + public boolean isUsernameServiceNameForm() { return isUsernameServiceNameForm; }
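Review bot: `createKerberosSecurity()` in KerberosClient is added without Javadoc, although an override now supplies the object on which `bst.retrieveServiceTicket(...)` is invoked in the earlier hunk of this file. A subclass that returns `null` fails there with a NullPointerException, and one that returns a cached instance would presumably carry token state over from a previous request (KerberosSecurity is not visible here, so confirm). Suggested comment: `/** Creates the KerberosSecurity token used to retrieve the service ticket; must return a new, non-null instance on every call. */`.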