Author: coheigea
Date: Thu Jul 21 14:45:57 2011
New Revision: 1149202
URL: http://svn.apache.org/viewvc?rev=1149202&view=rev
Log:
[WSS-251] - Support WSS Kerberos Token Profile
- Made a start on this. Added a KerberosSecurity extension of the
BinarySecurity class.
- Also added a TokenElementCallback for use with the BinarySecurity class
Added:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/TokenElementCallback.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/BinarySecurity.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/PKIPathSecurity.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/X509Security.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java?rev=1149202&r1=1149201&r2=1149202&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
Thu Jul 21 14:45:57 2011
@@ -233,6 +233,18 @@ public class WSConstants {
new QName (WSSE_NS, "MessageExpired");
//
+ // Kerberos ValueTypes
+ //
+ public static final String WSS_KRB_V5_AP_REQ = KERBEROS_NS11 +
"#Kerberosv5_AP_REQ";
+ public static final String WSS_GSS_KRB_V5_AP_REQ = KERBEROS_NS11 +
"#GSS_Kerberosv5_AP_REQ";
+ public static final String WSS_KRB_V5_AP_REQ1510 = KERBEROS_NS11 +
"#Kerberosv5_AP_REQ1510";
+ public static final String WSS_GSS_KRB_V5_AP_REQ1510 =
+ KERBEROS_NS11 + "#GSS_Kerberosv5_AP_REQ1510";
+ public static final String WSS_KRB_V5_AP_REQ4120 = KERBEROS_NS11 +
"#Kerberosv5_AP_REQ4120";
+ public static final String WSS_GSS_KRB_V5_AP_REQ4120 =
+ KERBEROS_NS11 + "#GSS_Kerberosv5_AP_REQ4120";
+
+ //
// Misc
//
public static final String WSS_SAML_KI_VALUE_TYPE = SAMLTOKEN_NS + "#" +
SAML_ASSERTION_ID;
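Review bot: The six new ValueType constants are introduced under a bare `// Kerberos ValueTypes` banner that does not say where the URIs come from or what the 1510/4120 suffixes mean, so a reader has to go to the profile to tell the pairs apart. A one-line comment such as `// BinarySecurityToken ValueTypes from the WSS Kerberos Token Profile 1.1: raw and GSS-wrapped AP-REQ, with RFC 1510 / RFC 4120 variants` would make the block self-explanatory. KERBEROS_NS11 is referenced but defined outside the hunk, so its value cannot be checked here.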
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/BinarySecurity.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/BinarySecurity.java?rev=1149202&r1=1149201&r2=1149202&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/BinarySecurity.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/BinarySecurity.java
Thu Jul 21 14:45:57 2011
@@ -19,6 +19,7 @@
package org.apache.ws.security.message.token;
+import java.io.IOException;
import java.util.Arrays;
import org.apache.ws.security.WSConstants;
@@ -31,6 +32,8 @@ import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
/**
@@ -105,6 +108,36 @@ public class BinarySecurity {
}
/**
+ * Create a BinarySecurityToken via a CallbackHandler
+ * @param callbackHandler
+ * @throws WSSecurityException
+ */
+ public BinarySecurity(CallbackHandler callbackHandler) throws
WSSecurityException {
+ if (callbackHandler == null) {
+ LOG.debug("Trying to create a BinarySecurityToken via a null
CallbackHandler");
+ throw new WSSecurityException(WSSecurityException.FAILURE);
+ }
+ TokenElementCallback[] callback = new TokenElementCallback[] { new
TokenElementCallback() };
+
+ try {
+ callbackHandler.handle(callback);
+ } catch (IOException e) {
+ throw new IllegalStateException(
+ "IOException while creating a token element", e
+ );
+ } catch (UnsupportedCallbackException e) {
+ throw new IllegalStateException(
+ "UnsupportedCallbackException while creating a token element",
e
+ );
+ }
+ element = callback[0].getTokenElement();
+ if (element == null) {
+ LOG.debug("CallbackHandler did not return a token element");
+ throw new WSSecurityException(WSSecurityException.FAILURE);
+ }
+ }
+
+ /**
* Add the WSSE Namespace to this BST. The namespace is not added by
default for
* efficiency purposes.
*/
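Review bot: The new constructor reports failures through two unrelated exception types: a null handler or a missing element becomes `throw new WSSecurityException(WSSecurityException.FAILURE)`, while an IOException or UnsupportedCallbackException from `callbackHandler.handle(callback)` is rethrown as IllegalStateException, which a caller that catches WSSecurityException around token construction will not see. Wrapping both checked exceptions in a WSSecurityException that keeps the original as its cause would give callers a single failure type without losing the stack trace (confirm which WSSecurityException constructor accepts a Throwable). The element handed back by the callback is stored in `element` as-is, without checking its local name or namespace; if the Element-based constructor validates that, this path presumably bypasses it, and either the same check or a Javadoc sentence stating that the handler is trusted to return a BinarySecurityToken element should be added. The Javadoc `@param callbackHandler` and `@throws WSSecurityException` tags also carry no description.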
Added:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java?rev=1149202&view=auto
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
(added)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
Thu Jul 21 14:45:57 2011
@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+/**
+ * Kerberos Security Token.
+ */
+public class KerberosSecurity extends BinarySecurity {
+
+ /**
+ * This constructor creates a new Kerberos token object and initializes
+ * it from the data contained in the element.
+ *
+ * @param elem the element containing the Kerberos token data
+ * @throws WSSecurityException
+ */
+ public KerberosSecurity(Element elem) throws WSSecurityException {
+ this(elem, true);
+ }
+
+ /**
+ * This constructor creates a new Kerberos token object and initializes
+ * it from the data contained in the element.
+ *
+ * @param elem the element containing the Kerberos token data
+ * @param bspCompliant Whether the token is processed according to the BSP
spec
+ * @throws WSSecurityException
+ */
+ public KerberosSecurity(Element elem, boolean bspCompliant) throws
WSSecurityException {
+ super(elem, bspCompliant);
+ }
+
+ /**
+ * This constructor creates a new Kerberos element.
+ *
+ * @param doc
+ */
+ public KerberosSecurity(Document doc) {
+ super(doc);
+ }
+
+ /**
+ * Return true if this token is a Kerberos V5 AP REQ token
+ */
+ public boolean isV5ApReq() {
+ String type = getValueType();
+ if (WSConstants.WSS_KRB_V5_AP_REQ.equals(type)
+ || WSConstants.WSS_KRB_V5_AP_REQ1510.equals(type)
+ || WSConstants.WSS_KRB_V5_AP_REQ4120.equals(type)) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Return true if this token is a Kerberos GSS V5 AP REQ token
+ */
+ public boolean isGssV5ApReq() {
+ String type = getValueType();
+ if (WSConstants.WSS_GSS_KRB_V5_AP_REQ.equals(type)
+ || WSConstants.WSS_GSS_KRB_V5_AP_REQ1510.equals(type)
+ || WSConstants.WSS_GSS_KRB_V5_AP_REQ4120.equals(type)) {
+ return true;
+ }
+ return false;
+ }
+
+}
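Review bot: `isV5ApReq()` and `isGssV5ApReq()` wrap a boolean expression in an if / return true / return false, which can be returned directly, e.g. `return WSConstants.WSS_KRB_V5_AP_REQ.equals(type) || WSConstants.WSS_KRB_V5_AP_REQ1510.equals(type) || WSConstants.WSS_KRB_V5_AP_REQ4120.equals(type);`. The same six constants are listed again in the private isKerberosToken added to BinarySecurityTokenProcessor in this commit; a single static helper on KerberosSecurity would keep the two lists from drifting when a value type is added. The `KerberosSecurity(Document)` constructor sets no ValueType, so both predicates return false on a freshly built token until the caller sets one (presumably via the inherited setValueType), which its Javadoc, currently a bare `@param doc`, should state. The two `@throws WSSecurityException` tags likewise give no condition.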
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/PKIPathSecurity.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/PKIPathSecurity.java?rev=1149202&r1=1149201&r2=1149202&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/PKIPathSecurity.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/PKIPathSecurity.java
Thu Jul 21 14:45:57 2011
@@ -84,6 +84,9 @@ public class PKIPathSecurity extends Bin
if (data == null) {
return null;
}
+ if (crypto == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE,
"noSigCryptoFile");
+ }
return crypto.getCertificatesFromBytes(data);
}
Added:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/TokenElementCallback.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/TokenElementCallback.java?rev=1149202&view=auto
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/TokenElementCallback.java
(added)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/TokenElementCallback.java
Thu Jul 21 14:45:57 2011
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import org.w3c.dom.Element;
+
+import javax.security.auth.callback.Callback;
+
+/**
+ * This class is a callback to obtain a DOM Element representing a security
token.
+ */
+public class TokenElementCallback implements Callback {
+
+ /**
+ * A DOM Element representing a security token
+ */
+ private Element element;
+
+ /**
+ * Get the token element
+ * @return the token element
+ */
+ public Element getTokenElement() {
+ return element;
+ }
+
+ /**
+ * Set the token element
+ * @param the token element
+ */
+ public void setTokenElement(Element element) {
+ this.element = element;
+ }
+
+}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/X509Security.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/X509Security.java?rev=1149202&r1=1149201&r2=1149202&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/X509Security.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/X509Security.java
Thu Jul 21 14:45:57 2011
@@ -96,6 +96,9 @@ public class X509Security extends Binary
if (cachedCert != null) {
return cachedCert;
}
+ if (crypto == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE,
"noSigCryptoFile");
+ }
byte[] data = getToken();
if (data == null) {
throw new WSSecurityException(
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java?rev=1149202&r1=1149201&r2=1149202&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
Thu Jul 21 14:45:57 2011
@@ -28,6 +28,7 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.validate.Credential;
@@ -86,6 +87,8 @@ public class BinarySecurityTokenProcesso
SAMLTokenPrincipal samlPrincipal =
new SAMLTokenPrincipal(credential.getTransformedToken());
result.put(WSSecurityEngineResult.TAG_PRINCIPAL,
samlPrincipal);
+ } else if (credential.getPrincipal() != null) {
+ result.put(WSSecurityEngineResult.TAG_PRINCIPAL,
credential.getPrincipal());
} else if (certs != null && certs[0] != null) {
result.put(WSSecurityEngineResult.TAG_PRINCIPAL,
certs[0].getSubjectX500Principal());
}
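Review bot: The new `else if (credential.getPrincipal() != null)` branch sits before the certificate branch, so a credential that carries both a principal and certificates now reports the validator's principal instead of `certs[0].getSubjectX500Principal()`; if that precedence is intended, a comment such as `// A principal set by the validator (e.g. for a Kerberos token) wins over the certificate subject` would record it. The certificate branch on the following line still indexes `certs[0]` after checking only `certs != null`, so an empty array throws ArrayIndexOutOfBoundsException; `} else if (certs != null && certs.length > 0 && certs[0] != null) {` closes that. The enclosing method starts and ends outside the hunk.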
@@ -105,9 +108,6 @@ public class BinarySecurityTokenProcesso
*/
private X509Certificate[] getCertificatesTokenReference(BinarySecurity
token, Crypto crypto)
throws WSSecurityException {
- if (crypto == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
"noSigCryptoFile");
- }
if (token instanceof PKIPathSecurity) {
return ((PKIPathSecurity) token).getX509Certificates(crypto);
} else if (token instanceof X509Security) {
@@ -136,10 +136,29 @@ public class BinarySecurityTokenProcesso
token = new X509Security(element, config.isWsiBSPCompliant());
} else if (PKIPathSecurity.getType().equals(type)) {
token = new PKIPathSecurity(element, config.isWsiBSPCompliant());
+ } else if (isKerberosToken(type)) {
+ token = new KerberosSecurity(element, config.isWsiBSPCompliant());
} else {
token = new BinarySecurity(element, config.isWsiBSPCompliant());
}
return token;
}
+
+ /**
+ * Return true if the valueType represents a Kerberos Token
+ * @param valueType the valueType of the token
+ * @return true if the valueType represents a Kerberos Token
+ */
+ private boolean isKerberosToken(String valueType) {
+ if (WSConstants.WSS_KRB_V5_AP_REQ.equals(valueType)
+ || WSConstants.WSS_GSS_KRB_V5_AP_REQ.equals(valueType)
+ || WSConstants.WSS_KRB_V5_AP_REQ1510.equals(valueType)
+ || WSConstants.WSS_GSS_KRB_V5_AP_REQ1510.equals(valueType)
+ || WSConstants.WSS_KRB_V5_AP_REQ4120.equals(valueType)
+ || WSConstants.WSS_GSS_KRB_V5_AP_REQ4120.equals(valueType)) {
+ return true;
+ }
+ return false;
+ }
}
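Review bot: `isKerberosToken` reads no instance state, so it can be declared `private static boolean isKerberosToken(String valueType)`, and its body can return the disjunction directly instead of the if / return true / return false shape, e.g. `return WSConstants.WSS_KRB_V5_AP_REQ.equals(valueType) || ... || WSConstants.WSS_GSS_KRB_V5_AP_REQ4120.equals(valueType);`. Its Javadoc should also note that a null valueType is accepted and yields false, which the `equals` calls on the constants already guarantee.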