Author: nandana
Date: Thu Aug 27 18:40:34 2009
New Revision: 808564
URL: http://svn.apache.org/viewvc?rev=808564&view=rev
Log:
RAMPART-231 Applying Thilina's patch for SAML 2.0 support. Thanks Thilina
Modified:
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
webservices/rampart/trunk/java/modules/rampart-trust-mar/module.xml
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/AbstractIssuerConfig.java
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAMLAttributeCallback.java
webservices/rampart/trunk/java/modules/rampart-trust/sts-aar-resources/token-dispatcher-configuration.xml
webservices/rampart/trunk/java/pom.xml
Modified:
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
---
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
(original)
+++
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
Thu Aug 27 18:40:34 2009
@@ -17,21 +17,15 @@
package org.apache.rampart;
import org.apache.axiom.om.OMElement;
-import org.apache.axiom.soap.SOAP11Constants;
-import org.apache.axiom.soap.SOAP12Constants;
-import org.apache.axiom.soap.SOAPEnvelope;
-import org.apache.axiom.soap.SOAPFault;
-import org.apache.axiom.soap.SOAPFaultCode;
-import org.apache.axiom.soap.SOAPFaultSubCode;
-import org.apache.axiom.soap.SOAPFaultValue;
-import org.apache.axiom.soap.SOAPHeader;
-import org.apache.axiom.soap.SOAPHeaderBlock;
+import org.apache.axiom.soap.*;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.Token;
import org.apache.rahas.TokenStorage;
+import org.apache.rahas.impl.util.SAML2KeyInfo;
+import org.apache.rahas.impl.util.SAML2Utils;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.Axis2Util;
import org.apache.rampart.util.RampartUtil;
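Review bot: The nine explicit `org.apache.axiom.soap` imports are collapsed into `import org.apache.axiom.soap.*;`, which hides which SOAP types this class actually uses and exposes it to name clashes as Axiom adds classes; this is a point of style, but the project's other imports in this hunk are all explicit. Keep the explicit imports and add only the new types the SAML 2.0 code needs.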
@@ -44,10 +38,13 @@
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.opensaml.SAMLAssertion;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.core.SubjectConfirmationData;
import javax.xml.namespace.QName;
-
import java.security.Principal;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
@@ -172,39 +169,76 @@
//get the sec context id from the req msg ctx
//Store username in MessageContext property
-
- for (int j = 0; j < results.size(); j++) {
- WSSecurityEngineResult wser = (WSSecurityEngineResult)
results.get(j);
- final Integer actInt =
- (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if(WSConstants.ST_UNSIGNED == actInt.intValue()) {
- final SAMLAssertion assertion =
+
+ for (int j = 0; j < results.size(); j++) {
+ WSSecurityEngineResult wser = (WSSecurityEngineResult)
results.get(j);
+ final Integer actInt =
+ (Integer) wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (WSConstants.ST_UNSIGNED == actInt.intValue()) {
+
+ // If this is a SAML2.0 assertion
+ if (wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION)
instanceof Assertion) {
+
+ final Assertion assertion = (Assertion)
wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ String id = assertion.getID();
+ Subject subject = assertion.getSubject();
+ SubjectConfirmationData scData =
subject.getSubjectConfirmations()
+ .get(0).getSubjectConfirmationData();
+ Date dateOfCreation = scData.getNotBefore().toDate();
+ Date dateOfExpiration = scData.getNotOnOrAfter().toDate();
+
+ // TODO : SAML2KeyInfo element needs to be moved to WSS4J.
+ SAML2KeyInfo saml2KeyInfo = SAML2Utils.
+ getSAML2KeyInfo(assertion, signatureCrypto,
tokenCallbackHandler);
+
+ //Store the token
+ try {
+ TokenStorage store = rmd.getTokenStorage();
+ if (store.getToken(id) == null) {
+ Token token = new Token(id, (OMElement)
SAML2Utils.getElementFromAssertion(assertion), dateOfCreation,
dateOfExpiration);
+ token.setSecret(saml2KeyInfo.getSecret());
+ store.add(token);
+ }
+ } catch (Exception e) {
+ throw new RampartException(
+ "errorInAddingTokenIntoStore", e);
+ }
+
+ }
+ //if this is a SAML1.1 assertion
+ else {
+ final SAMLAssertion assertion =
+
((SAMLAssertion) wser
-
.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
- String id = assertion.getId();
- Date created = assertion.getNotBefore();
- Date expires = assertion.getNotOnOrAfter();
- SAMLKeyInfo samlKi = SAMLUtil.getSAMLKeyInfo(assertion,
- signatureCrypto, tokenCallbackHandler);
- try {
- TokenStorage store = rmd.getTokenStorage();
- if(store.getToken(id) == null) {
- Token token = new Token(id,
(OMElement)assertion.toDOM(), created, expires);
- token.setSecret(samlKi.getSecret());
- store.add(token);
- }
- } catch (Exception e) {
- throw new RampartException(
- "errorInAddingTokenIntoStore", e);
+
.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
+ String id = assertion.getId();
+ Date created = assertion.getNotBefore();
+ Date expires = assertion.getNotOnOrAfter();
+ SAMLKeyInfo samlKi = SAMLUtil.getSAMLKeyInfo(assertion,
+ signatureCrypto, tokenCallbackHandler);
+ try {
+ TokenStorage store = rmd.getTokenStorage();
+ if (store.getToken(id) == null) {
+ Token token = new Token(id, (OMElement)
assertion.toDOM(), created, expires);
+ token.setSecret(samlKi.getSecret());
+ store.add(token);
}
-
- } else if (WSConstants.UT == actInt.intValue()) {
- String username =
((Principal)wser.get(WSSecurityEngineResult.TAG_PRINCIPAL))
- .getName();
- msgCtx.setProperty(RampartMessageData.USERNAME,
username);
+ } catch (Exception e) {
+ throw new RampartException(
+ "errorInAddingTokenIntoStore", e);
}
-
+
}
+ } else if (WSConstants.UT == actInt.intValue()) {
+ String username = ((Principal)
wser.get(WSSecurityEngineResult.TAG_PRINCIPAL))
+ .getName();
+ msgCtx.setProperty(RampartMessageData.USERNAME, username);
+ } else if (WSConstants.SIGN == actInt.intValue()) {
+ X509Certificate cert = (X509Certificate)
wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ msgCtx.setProperty(RampartMessageData.X509_CERT, cert);
+ }
+
+ }
SOAPEnvelope env =
Axis2Util.getSOAPEnvelopeFromDOMDocument(rmd.getDocument(), true);
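Review bot: The SAML 2.0 branch reads `subject.getSubjectConfirmations().get(0).getSubjectConfirmationData()` and then `scData.getNotBefore().toDate()` / `getNotOnOrAfter().toDate()` without checking that the subject, the confirmation list, the confirmation data or those two attributes are present; all of them are optional in a SAML 2.0 assertion, so a minimal assertion that passed WSS4J processing ends in a NullPointerException or IndexOutOfBoundsException here rather than the `RampartException` the surrounding code raises, and the `try` around the token store does not cover these lines. The SAML 1.1 branch directly below takes the validity window from the assertion itself (`assertion.getNotBefore()` / `getNotOnOrAfter()`), so the two branches also disagree about which element defines the cached token's lifetime; if the 2.0 code intends the subject-confirmation window rather than the assertion's Conditions, say so in the `// If this is a SAML2.0 assertion` comment. Guard each lookup and throw a `RampartException` before the dates are read, so a malformed token is reported instead of crashing the engine. The new `WSConstants.SIGN` branch overwrites `RampartMessageData.X509_CERT` on every signature result, so with several signatures the last certificate wins — presumably fine, but worth a one-line comment. The enclosing method starts and ends outside the hunk.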
Modified:
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
---
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
(original)
+++
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
Thu Aug 27 18:40:34 2009
@@ -105,6 +105,8 @@
public final static String CANCEL_REQUEST = "cancelrequest";
public final static String SCT_ID = "sctID";
+
+ public final static String X509_CERT ="X509Certificate";
private MessageContext msgContext = null;
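Review bot: `X509_CERT ="X509Certificate"` is introduced here and again, with the same literal, as `RahasConstants.X509_CERT` in the rampart-trust hunk of this commit; nothing ties the two declarations together, so they can drift apart silently while the engine writes the property under one name and the SAML2 issuer presumably reads it under the other. Since RampartEngine in this same commit already imports `org.apache.rahas.*`, define it once by reference, `public final static String X509_CERT = RahasConstants.X509_CERT;`, or at least comment each side with its twin. A space is also missing after `=`.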
Modified: webservices/rampart/trunk/java/modules/rampart-trust-mar/module.xml
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-trust-mar/module.xml?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
--- webservices/rampart/trunk/java/modules/rampart-trust-mar/module.xml
(original)
+++ webservices/rampart/trunk/java/modules/rampart-trust-mar/module.xml Thu Aug
27 18:40:34 2009
@@ -26,22 +26,26 @@
<issuer
class="org.apache.rahas.impl.SAMLTokenIssuer">
<configuration
type="parameter">saml-issuer-config</configuration>
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
- </issuer>
-
- <validator
class="org.apache.rahas.impl.SAMLTokenValidator" default="true">
- <configuration
type="parameter">saml-issuer-config</configuration>
-
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
+ </issuer>
+ <issuer class="org.apache.rahas.impl.SAML2TokenIssuer">
+ <configuration
type="parameter">saml-issuer-config</configuration>
+
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tokenType>
+ </issuer>
+
+ <validator
class="org.apache.rahas.impl.SAMLTokenValidator" default="true">
+ <configuration
type="parameter">saml-issuer-config</configuration>
+
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
</validator>
<!-- Only a single canceler is allowed -->
<canceler class="org.apache.rahas.impl.TokenCancelerImpl">
<configuration
type="parameter">token-canceler-config</configuration>
- </canceler>
-
- <!-- Renewers. You may have many renewers -->
- <renewer class="org.apache.rahas.impl.SAMLTokenRenewer"
default="true">
- <configuration
type="parameter">saml-issuer-config</configuration>
-
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
+ </canceler>
+
+ <!-- Renewers. You may have many renewers -->
+ <renewer class="org.apache.rahas.impl.SAMLTokenRenewer"
default="true">
+ <configuration
type="parameter">saml-issuer-config</configuration>
+
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
</renewer>
</token-dispatcher-configuration>
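Review bot: A `SAML2TokenIssuer` is registered, but the validator and renewer below stay bound only to the `#SAMLV1.1` tokenType, so a SAML 2.0 token issued by this STS cannot be validated or renewed through the same dispatcher; the sts-aar-resources/token-dispatcher-configuration.xml hunk in this commit has the same gap. If issue-only support is intended for now, record it on the new entry, e.g. `<!-- SAML 2.0: issuer only; no validator/renewer registered yet -->`, so the missing handlers are not mistaken for a misconfiguration later.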
Modified:
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
---
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java
(original)
+++
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java
Thu Aug 27 18:40:34 2009
@@ -123,7 +123,13 @@
public static final String TOK_TYPE_SAML_10 =
"http://docs.oasis-open.org/wss/" +
"oasis-wss-saml-token-profile-1.1#SAMLV1.1";
+ public static final String TOK_TYPE_SAML_20 =
"http://docs.oasis-open.org/wss/" +
+
"oasis-wss-saml-token-profile-1.1#SAMLV2.0";
//Attrs
public static final String ATTR_TYPE = "Type";
public static final String ATTR_CLAIMS_DIALECT = "Dialect";
+
+ //Constants required for SAML2 assertion generation
+ public final static String X509_CERT ="X509Certificate";
+ public final static String USERNAME = "username";
}
Modified:
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/AbstractIssuerConfig.java
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/AbstractIssuerConfig.java?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
---
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/AbstractIssuerConfig.java
(original)
+++
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/AbstractIssuerConfig.java
Thu Aug 27 18:40:34 2009
@@ -66,6 +66,9 @@
public void setKeyComputation(int keyComputation) {
this.keyComputation = keyComputation;
}
+ public int getKeyComputation() {
+ return keyComputation;
+ }
public void setProofKeyType(String proofKeyType) {
this.proofKeyType = proofKeyType;
}
@@ -75,6 +78,9 @@
public void setKeySize(int keySize) {
this.keySize = keySize;
}
+ public int getKeySize() {
+ return keySize;
+ }
public String getProofKeyType() {
return proofKeyType;
}
Modified:
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenIssuerConfig.java?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
---
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
(original)
+++
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenIssuerConfig.java
Thu Aug 27 18:40:34 2009
@@ -22,6 +22,7 @@
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
+import java.security.cert.X509Certificate;
import javax.xml.namespace.QName;
@@ -35,6 +36,8 @@
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.TrustException;
import org.apache.rahas.impl.util.SAMLCallbackHandler;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.WSSecurityException;
/**
* Configuration manager for the <code>SAMLTokenIssuer</code>
@@ -322,10 +325,18 @@
this.issuerKeyAlias = issuerKeyAlias;
}
+ public String getIssuerKeyAlias() {
+ return issuerKeyAlias;
+ }
+
public void setIssuerKeyPassword(String issuerKeyPassword) {
this.issuerKeyPassword = issuerKeyPassword;
}
+ public String getIssuerKeyPassword() {
+ return issuerKeyPassword;
+ }
+
public void setIssuerName(String issuerName) {
this.issuerName = issuerName;
}
@@ -388,6 +399,31 @@
this.callbackHander = callbackHander;
}
-
-
+ /**
+ * Uses the <code>wst:AppliesTo</code> to figure out the certificate to
+ * encrypt the secret in the SAML token
+ *
+ * @param crypto
+ * @param serviceAddress
+ * The address of the service
+ * @return
+ * @throws org.apache.ws.security.WSSecurityException
+ */
+ public X509Certificate getServiceCert(Crypto crypto, String
serviceAddress) throws WSSecurityException {
+
+ if (serviceAddress != null && !"".equals(serviceAddress)) {
+ String alias = (String) this.trustedServices.get(serviceAddress);
+ if (alias != null) {
+ return crypto.getCertificates(alias)[0];
+ } else {
+ alias = (String) this.trustedServices.get("*");
+ return crypto.getCertificates(alias)[0];
+ }
+ } else {
+ String alias = (String) this.trustedServices.get("*");
+ return crypto.getCertificates(alias)[0];
+ }
+
+ }
+
}
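Review bot: `getServiceCert` indexes `crypto.getCertificates(alias)[0]` in three places without checking that the alias resolved or that the returned array is non-empty, so an AppliesTo that is neither a configured trusted service nor covered by a `"*"` entry ends in a NullPointerException or ArrayIndexOutOfBoundsException instead of the declared `WSSecurityException` the caller can turn into a fault. The three branches reduce to one lookup with a wildcard fallback, which also makes the fallback visible: an unknown `serviceAddress` silently gets the `"*"` certificate, i.e. the proof key is encrypted for the wildcard service rather than the one actually requested, and that deserves a sentence in the Javadoc, whose `@param crypto` and `@return` tags are currently empty.
```java
public X509Certificate getServiceCert(Crypto crypto, String serviceAddress) throws WSSecurityException {
    String alias = null;
    if (serviceAddress != null && !"".equals(serviceAddress)) {
        alias = (String) this.trustedServices.get(serviceAddress);
    }
    if (alias == null) {
        // No entry for this AppliesTo: fall back to the wildcard service entry
        alias = (String) this.trustedServices.get("*");
    }
    if (alias == null) {
        throw new WSSecurityException("No trusted service certificate alias configured for " + serviceAddress);
    }
    X509Certificate[] certs = crypto.getCertificates(alias);
    if (certs == null || certs.length == 0) {
        throw new WSSecurityException("No certificate found in the keystore for alias " + alias);
    }
    return certs[0];
}
```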
Modified:
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAMLAttributeCallback.java
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAMLAttributeCallback.java?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
---
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAMLAttributeCallback.java
(original)
+++
webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAMLAttributeCallback.java
Thu Aug 27 18:40:34 2009
@@ -5,6 +5,7 @@
import org.apache.rahas.RahasData;
import org.opensaml.SAMLAttribute;
+import org.opensaml.saml2.core.Attribute;
public class SAMLAttributeCallback implements SAMLCallback{
@@ -23,6 +24,22 @@
public void addAttributes(SAMLAttribute attribute){
attributes.add(attribute);
}
+
+ /**
+ * Overloaded method to support SAML2
+ * @param attr
+ */
+ public void addAttributes(Attribute attr){
+ attributes.add(attr);
+ }
+
+ /**
+ * Get the array of SAML2 attributes.
+ * @return
+ */
+ public Attribute[] getSAML2Attributes(){
+ return (Attribute[])attributes.toArray(new
Attribute[attributes.size()]);
+ }
public SAMLAttribute[] getAttributes(){
return (SAMLAttribute[])attributes.toArray(new
SAMLAttribute[attributes.size()]);
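Review bot: The new `addAttributes(Attribute)` and the existing `addAttributes(SAMLAttribute)` append to the same `attributes` list, and `getSAML2Attributes()` then copies that list into an `Attribute[]`; if a caller mixes SAML 1.1 and 2.0 attributes, or calls `getSAML2Attributes()` after a SAML 1.1 attribute was added, `toArray` throws ArrayStoreException at the first element of the other type, and `getAttributes()` fails the same way in reverse. Either keep two separate lists or document the single-version contract on the class, e.g. `/** Holds attributes of one SAML version only; do not mix {@link SAMLAttribute} and {@link Attribute} in the same callback. */`. The new Javadoc `@param attr` and `@return` tags are empty. The class continues outside the hunk.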
Modified:
webservices/rampart/trunk/java/modules/rampart-trust/sts-aar-resources/token-dispatcher-configuration.xml
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-trust/sts-aar-resources/token-dispatcher-configuration.xml?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
---
webservices/rampart/trunk/java/modules/rampart-trust/sts-aar-resources/token-dispatcher-configuration.xml
(original)
+++
webservices/rampart/trunk/java/modules/rampart-trust/sts-aar-resources/token-dispatcher-configuration.xml
Thu Aug 27 18:40:34 2009
@@ -8,10 +8,13 @@
<configuration
type="file">META-INF/saml-issuer-config.xml</configuration>
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
</issuer>
+ <issuer class="org.apache.rahas.impl.SAML2TokenIssuer">
+ <configuration
type="file">META-INF/saml-issuer-config.xml</configuration>
+
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tokenType>
+ </issuer>
<!-- Only a single canceler is allowed -->
<canceler class="org.apache.rahas.impl.TokenCancelerImpl">
<configuration
type="file">META-INF/token-canceler-config.xml</configuration>
</canceler>
-
</token-dispatcher-configuration>
\ No newline at end of file
Modified: webservices/rampart/trunk/java/pom.xml
URL:
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/pom.xml?rev=808564&r1=808563&r2=808564&view=diff
==============================================================================
--- webservices/rampart/trunk/java/pom.xml (original)
+++ webservices/rampart/trunk/java/pom.xml Thu Aug 27 18:40:34 2009
@@ -232,10 +232,20 @@
<version>${xmlsec.version}</version>
</dependency>
<dependency>
- <groupId>org.opensaml</groupId>
+ <groupId>opensaml</groupId>
<artifactId>opensaml</artifactId>
- <version>${opensaml.version}</version>
+ <version>1.1</version>
</dependency>
+ <dependency>
+ <groupId>org.opensaml</groupId>
+ <artifactId>opensaml</artifactId>
+ <version>2.2.3</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>1.5.2</version>
+ </dependency>
<dependency>
<groupId>log4j</groupId>
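Review bot: Two opensaml artifacts now sit on the same classpath, `opensaml:opensaml:1.1` and `org.opensaml:opensaml:2.2.3`, because RampartEngine still imports `org.opensaml.SAMLAssertion` next to `org.opensaml.saml2.core.*`; both ship classes under `org.opensaml`, so for any package they share the winner is decided by classpath order, and that coexistence should be stated in the pom, e.g. `<!-- opensaml 1.1 (SAML 1.x API) and 2.2.3 (SAML 2.0 API) are both required; see RAMPART-231 -->`. The version `1.1` is hard-coded even though the `<opensaml.version>` property is still defined further down and is now unused by this dependency; `2.2.3` and slf4j `1.5.2` would be consistent with `${xmlsec.version}` as properties too. Adding `slf4j-jdk14`, a logging binding, as a compile dependency of a library forces that binding on every consumer; if opensaml only needs it at runtime, declare it with `<scope>runtime</scope>` or leave the binding choice to the application.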
@@ -374,7 +384,7 @@
<addressing.mar.version>1.5</addressing.mar.version>
<wss4j.version>1.5.8</wss4j.version>
- <xmlsec.version>1.4.2</xmlsec.version>
+ <xmlsec.version>1.4.2</xmlsec.version>
<opensaml.version>1.1</opensaml.version>
<bcprov.jdk14.version>140</bcprov.jdk14.version>