Introducing new security constants to be shared between SOAP + REST code
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5faf1822 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5faf1822 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5faf1822 Branch: refs/heads/master Commit: 5faf182264c64bd3c0abc0addc9746b64492c864 Parents: 5f5db64 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Apr 14 14:41:59 2015 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Apr 14 14:41:59 2015 +0100 ---------------------------------------------------------------------- .../grants/saml/Saml2BearerGrantHandler.java | 2 +- .../saml/sso/AbstractServiceProviderFilter.java | 5 +- rt/rs/security/xml/pom.xml | 8 +- .../cxf/rs/security/common/CryptoLoader.java | 5 +- .../cxf/rs/security/common/SecurityUtils.java | 19 +- .../rs/security/saml/AbstractSamlInHandler.java | 30 ++- .../apache/cxf/rs/security/saml/SAMLUtils.java | 2 +- .../security/xml/AbstractXmlEncInHandler.java | 3 +- .../security/xml/AbstractXmlSigInHandler.java | 2 +- .../rs/security/xml/XmlEncOutInterceptor.java | 6 +- .../rs/security/xml/XmlSecInInterceptor.java | 2 +- .../rs/security/xml/XmlSecOutInterceptor.java | 5 +- .../rs/security/xml/XmlSigOutInterceptor.java | 3 +- .../cxf/rt/security/SecurityConstants.java | 211 +++++++++++++++++++ .../cxf/rt/security/utils/SecurityUtils.java | 12 ++ .../cxf/ws/security/SecurityConstants.java | 166 ++------------- .../cxf/ws/security/kerberos/KerberosUtils.java | 2 +- .../SpnegoContextTokenInInterceptor.java | 2 +- .../SpnegoContextTokenOutInterceptor.java | 2 +- .../ws/security/trust/AbstractSTSClient.java | 3 + .../trust/AuthPolicyValidatingInterceptor.java | 3 +- .../cxf/ws/security/trust/STSLoginModule.java | 4 +- .../delegation/WSSUsernameCallbackHandler.java | 4 +- .../wss4j/AbstractTokenInterceptor.java | 2 +- .../wss4j/AbstractWSS4JInterceptor.java | 16 +- .../wss4j/AbstractWSS4JStaxInterceptor.java | 9 +- 
.../wss4j/BinarySecurityTokenInterceptor.java | 2 +- .../wss4j/PolicyBasedWSS4JInInterceptor.java | 26 +-- .../PolicyBasedWSS4JStaxInInterceptor.java | 25 +-- .../PolicyBasedWSS4JStaxOutInterceptor.java | 25 +-- .../ws/security/wss4j/SamlTokenInterceptor.java | 14 +- .../wss4j/StaxSecurityContextInInterceptor.java | 5 +- .../wss4j/UsernameTokenInterceptor.java | 10 +- .../ws/security/wss4j/WSS4JInInterceptor.java | 44 ++-- .../security/wss4j/WSS4JStaxInInterceptor.java | 13 +- .../security/wss4j/WSS4JStaxOutInterceptor.java | 9 +- .../policyhandlers/AbstractBindingBuilder.java | 47 +++-- .../AbstractStaxBindingHandler.java | 11 +- .../StaxAsymmetricBindingHandler.java | 6 +- .../StaxSymmetricBindingHandler.java | 6 +- .../policyhandlers/TransportBindingHandler.java | 4 +- .../crypto/provider/CryptoProviderUtils.java | 2 +- .../security/saml/SamlCallbackHandler.java | 2 +- 43 files changed, 469 insertions(+), 310 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java index 6a29910..94d49aa 100644 --- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java +++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java 
@@ -52,11 +52,11 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils; import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider; import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext; import org.apache.cxf.security.SecurityContext; import org.apache.cxf.security.transport.TLSSessionInfo; import org.apache.cxf.staxutils.StaxUtils; -import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.common.saml.SAMLKeyInfo; import org.apache.wss4j.common.saml.SAMLUtil; import org.apache.wss4j.common.saml.SamlAssertionWrapper; http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java index b4afac4..ac64188 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java 
@@ -54,11 +54,12 @@ import org.apache.cxf.rs.security.saml.SAMLUtils; import org.apache.cxf.rs.security.saml.assertion.Subject; import org.apache.cxf.rs.security.saml.sso.state.RequestState; import org.apache.cxf.rs.security.saml.sso.state.ResponseState; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.cxf.rt.security.claims.ClaimCollection; import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext; +import org.apache.cxf.rt.security.utils.SecurityUtils; import org.apache.cxf.security.SecurityContext; import org.apache.cxf.staxutils.StaxUtils; -import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.common.saml.OpenSAMLUtil; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.opensaml.saml.saml2.core.AuthnRequest; @@ -188,7 +189,7 @@ public abstract class AbstractServiceProviderFilter extends AbstractSSOSpHandler if (name != null) { String roleAttributeName = - (String)m.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME); + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, m); if (roleAttributeName == null || roleAttributeName.length() == 0) { roleAttributeName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; } http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/pom.xml ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/pom.xml b/rt/rs/security/xml/pom.xml index 6b7589c..9f23405 100644 --- a/rt/rs/security/xml/pom.xml +++ b/rt/rs/security/xml/pom.xml 
@@ -46,11 +46,15 @@ <artifactId>cxf-rt-frontend-jaxrs</artifactId> <version>${project.version}</version> </dependency> - <!-- replace with wss4j, santario and opensaml deps --> <dependency> <groupId>org.apache.cxf</groupId> - <artifactId>cxf-rt-ws-security</artifactId> + <artifactId>cxf-rt-security-saml</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.wss4j</groupId> + <artifactId>wss4j-ws-security-dom</artifactId> + <version>${cxf.wss4j.version}</version> + </dependency> </dependencies> </project> http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java index 62dae7b..005940f 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java @@ -52,12 +52,13 @@ public class CryptoLoader { String cryptoKey, String propKey) throws IOException, WSSecurityException { - Crypto crypto = (Crypto)message.getContextualProperty(cryptoKey); + Crypto crypto = + (Crypto)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(cryptoKey, message); if (crypto != null) { return crypto; } - Object o = message.getContextualProperty(propKey); + Object o = org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(propKey, message); if (o == null) { return null; } http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java index 06b3462..d8db9ed 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java @@ -33,7 +33,7 @@ import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; -import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.crypto.CryptoType; import org.apache.wss4j.common.crypto.Merlin; @@ -56,9 +56,16 @@ public final class SecurityUtils { Message requestMessage = outMessage != null && MessageUtils.isRequestor(outMessage) ? outMessage : m; + + Object encryptionProperties = + org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue( + SecurityConstants.ENCRYPT_PROPERTIES, m); + Object signatureProperties = + org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue( + SecurityConstants.SIGNATURE_PROPERTIES, m); + return "POST".equals((String)requestMessage.get(Message.HTTP_REQUEST_METHOD)) - && m.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES) != null - && m.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES) != null; + && encryptionProperties != null && signatureProperties != null; } public static X509Certificate loadX509Certificate(Crypto crypto, Element certNode) 
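Review bot: In the `@@ -56,9 +56,16 @@` hunk the two `getSecurityPropertyValue` lookups are now evaluated unconditionally before the HTTP-method test, whereas the original `&&` chain short-circuited on anything other than POST; the result is unchanged, but every non-POST request now pays for two contextual-property walks plus their `ws-` fallback. Keeping the guard first preserves the early exit: `if (!"POST".equals((String)requestMessage.get(Message.HTTP_REQUEST_METHOD))) { return false; }`, then the two lookups, then `return encryptionProperties != null && signatureProperties != null;`. The enclosing method begins before the hunk, so its name and Javadoc are not visible here.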
@@ -108,7 +115,8 @@ public final class SecurityUtils { } public static String getUserName(Message message, Crypto crypto, String userNameKey) { - String user = (String)message.getContextualProperty(userNameKey); + String user = + (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(userNameKey, message); return getUserName(crypto, user); } @@ -151,7 +159,8 @@ public final class SecurityUtils { Class<?> callingClass, String callbackProperty) throws WSSecurityException { //Then try to get the password from the given callback handler - Object o = message.getContextualProperty(callbackProperty); + Object o = + org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(callbackProperty, message); try { return org.apache.cxf.rt.security.utils.SecurityUtils.getCallbackHandler(o); http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java index 1e87629..9b672e0 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java 
@@ -41,17 +41,15 @@ import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.jaxrs.utils.ExceptionUtils; import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.message.Message; -import org.apache.cxf.message.MessageUtils; import org.apache.cxf.rs.security.common.CryptoLoader; import org.apache.cxf.rs.security.common.SecurityUtils; import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider; import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl; import org.apache.cxf.rs.security.xml.AbstractXmlSecInHandler; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.cxf.security.SecurityContext; import org.apache.cxf.security.transport.TLSSessionInfo; import org.apache.cxf.staxutils.StaxUtils; -import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.wss4j.common.ConfigurationConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.crypto.WSProviderConfig; import org.apache.wss4j.common.ext.WSSecurityException; @@ -142,8 +140,16 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter { } catch (IOException ex) { throwFault("Crypto can not be loaded", ex); } - data.setEnableRevocation(MessageUtils.isTrue( - message.getContextualProperty(ConfigurationConstants.ENABLE_REVOCATION))); + + boolean enableRevocation = false; + String enableRevocationStr = + (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue( + SecurityConstants.ENABLE_REVOCATION, message); + if (enableRevocationStr != null) { + enableRevocation = Boolean.parseBoolean(enableRevocationStr); + } + data.setEnableRevocation(enableRevocation); + Signature sig = assertion.getSignature(); WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument()); 
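Review bot: The `(String)` cast in the `@@ -142,8 +140,16 @@` hunk is a regression for callers that set the revocation flag as a `Boolean` rather than a `String`: the replaced `MessageUtils.isTrue(...)` accepted either, while the new code throws `ClassCastException` for a `Boolean` property value, and the same pattern is repeated in the `@@ -184,12 +190,16 @@` hunk for `AUDIENCE_RESTRICTION_VALIDATION`. A type-tolerant form needs two lines: `Object enableRevocationObj = org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);` and `data.setEnableRevocation(enableRevocationObj != null && Boolean.parseBoolean(enableRevocationObj.toString()));`. Separately, the key consulted changes from WSS4J's `ConfigurationConstants.ENABLE_REVOCATION` to `security.enableRevocation` (with only a `ws-security.enableRevocation` fallback), so a deployment that enabled CRL checking under the old key silently loses it after this change — that is a fail-open configuration migration and deserves at least a mention in the commit message or the `ENABLE_REVOCATION` Javadoc. The enclosing method starts before the hunk.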
@@ -184,12 +190,16 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter { protected void configureAudienceRestriction(Message msg, RequestData reqData) { // Add Audience Restrictions for SAML - boolean enableAudienceRestriction = - MessageUtils.getContextualBoolean(msg, - SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, - false); + boolean enableAudienceRestriction = false; + String audRestrStr = + (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue( + SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, msg); + if (audRestrStr != null) { + enableAudienceRestriction = Boolean.parseBoolean(audRestrStr); + } + if (enableAudienceRestriction) { - List<String> audiences = new ArrayList<String>(); + List<String> audiences = new ArrayList<>(); if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) { audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL)); } http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java index 7660337..52fc057 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java 
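Review bot: `configureAudienceRestriction` still defaults `enableAudienceRestriction` to `false` when the property is absent, but the Javadoc of the new shared `SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION` introduced in this commit states "The default is true", so the constant's documentation and the JAX-RS behaviour now disagree. Either the handler should default to the documented, stricter value (`boolean enableAudienceRestriction = true;`) or the Javadoc should say that the JAX-RS SAML handler defaults to `false`; the latter is a behaviour-preserving fix, the former changes which tokens are accepted. The `(String)` cast here has the same `Boolean`-value problem raised on the earlier hunk of this file. The method's body continues past the hunk.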
@@ -31,7 +31,7 @@ import org.apache.cxf.message.Message; import org.apache.cxf.rs.security.common.CryptoLoader; import org.apache.cxf.rs.security.common.SecurityUtils; import org.apache.cxf.rs.security.saml.assertion.Subject; -import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.ext.WSPasswordCallback; import org.apache.wss4j.common.saml.SAMLCallback; http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java index 31e0431..70025d8 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java 
@@ -32,16 +32,15 @@ import javax.xml.stream.XMLStreamReader; import org.w3c.dom.Document; import org.w3c.dom.Element; - import org.apache.cxf.common.util.Base64Exception; import org.apache.cxf.common.util.Base64Utility; import org.apache.cxf.message.Message; import org.apache.cxf.rs.security.common.CryptoLoader; import org.apache.cxf.rs.security.common.SecurityUtils; import org.apache.cxf.rs.security.common.TrustValidator; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.cxf.staxutils.StaxUtils; import org.apache.cxf.staxutils.W3CDOMStreamReader; -import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.util.KeyUtils; http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java index 9d52f58..88d7270 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java 
@@ -37,9 +37,9 @@ import org.apache.cxf.message.Message; import org.apache.cxf.rs.security.common.CryptoLoader; import org.apache.cxf.rs.security.common.SecurityUtils; import org.apache.cxf.rs.security.common.TrustValidator; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.cxf.security.SecurityContext; import org.apache.cxf.staxutils.W3CDOMStreamReader; -import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.util.XMLUtils; import org.apache.xml.security.exceptions.XMLSecurityException; http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java index c2aa6ef..9753f43 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java @@ -41,7 +41,7 @@ import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.rs.security.common.CryptoLoader; import org.apache.cxf.rs.security.common.SecurityUtils; -import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.token.DOMX509Data; 
@@ -111,7 +111,9 @@ public class XmlEncOutInterceptor extends AbstractXmlSecOutInterceptor { if (encryptSymmetricKey) { X509Certificate receiverCert = null; - String userName = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME); + String userName = + (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue( + SecurityConstants.ENCRYPT_USERNAME, message); if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName) && !MessageUtils.isRequestor(message)) { receiverCert = http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java index 9576bb9..1e76b85 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java @@ -49,8 +49,8 @@ import org.apache.cxf.phase.Phase; import org.apache.cxf.rs.security.common.CryptoLoader; import org.apache.cxf.rs.security.common.SecurityUtils; import org.apache.cxf.rs.security.common.TrustValidator; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.cxf.staxutils.StaxUtils; -import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.crypto.CryptoType; import org.apache.wss4j.common.ext.WSPasswordCallback; http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java index 41be15a..123f59f 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java @@ -46,7 +46,7 @@ import org.apache.cxf.phase.AbstractPhaseInterceptor; import org.apache.cxf.phase.Phase; import org.apache.cxf.rs.security.common.CryptoLoader; import org.apache.cxf.rs.security.common.SecurityUtils; -import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.ext.WSPasswordCallback; import org.apache.wss4j.common.ext.WSSecurityException; @@ -159,7 +159,8 @@ public class XmlSecOutInterceptor extends AbstractPhaseInterceptor<Message> { if (encryptSymmetricKey) { X509Certificate sendingCert = null; String userName = - (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME); + (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue( + SecurityConstants.ENCRYPT_USERNAME, message); if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName) && !MessageUtils.isRequestor(message)) { sendingCert = http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java index 05800c6..e7891db 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java 
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java @@ -36,14 +36,13 @@ import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.message.Message; import org.apache.cxf.rs.security.common.CryptoLoader; import org.apache.cxf.rs.security.common.SecurityUtils; -import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.rt.security.SecurityConstants; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.ext.WSPasswordCallback; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.xml.security.signature.XMLSignature; import org.apache.xml.security.transforms.Transforms; import org.apache.xml.security.utils.Constants; - import org.opensaml.xmlsec.signature.support.SignatureConstants; //TODO: Make sure that enveloped signatures can be applied to individual http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java new file mode 100644 index 0000000..4ad1e1b --- /dev/null +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java 
@@ -0,0 +1,211 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.rt.security; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +/** + * This class contains some configuration tags that can be used to configure various security properties. These + * tags are shared between the SOAP stack (WS-SecurityPolicy configuration), as well as the REST stack (JAX-RS + * XML Security). + * + * The configuration tags largely relate to properties for signing, encryption as well as SAML tokens. Most of + * the signing/encryption tags refer to Apache WSS4J "Crypto" objects, which are used by both stacks to control + * how certificates/keys are retrieved, etc. + * + * More specific configuration tags for WS-SecurityPolicy are configured in the SecurityConstants + * class in the cxf-rt-ws-security module, which extends this class. + */ +public class SecurityConstants { + + // + // User properties + // + + /** + * The user's name. It is used as follows: + * a) As the name in the UsernameToken for WS-Security. 
+ * b) As the alias name in the keystore to get the user's cert and private key for signature + * if {@link SIGNATURE_USERNAME} is not set. + * c) As the alias name in the keystore to get the user's public key for encryption if + * {@link ENCRYPT_USERNAME} is not set. + */ + public static final String USERNAME = "security.username"; + + /** + * The user's password when a {@link CALLBACK_HANDLER} is not defined. + */ + public static final String PASSWORD = "security.password"; + + /** + * The user's name for signature. It is used as the alias name in the keystore to get the user's cert + * and private key for signature. If this is not defined, then {@link USERNAME} is used instead. If + * that is also not specified, it uses the the default alias set in the properties file referenced by + * {@link SIGNATURE_PROPERTIES}. If that's also not set, and the keystore only contains a single key, + * that key will be used. + */ + public static final String SIGNATURE_USERNAME = "security.signature.username"; + + /** + * The user's name for encryption. It is used as the alias name in the keystore to get the user's public + * key for encryption. If this is not defined, then {@link USERNAME} is used instead. If + * that is also not specified, it uses the the default alias set in the properties file referenced by + * {@link ENCRYPT_PROPERTIES}. If that's also not set, and the keystore only contains a single key, + * that key will be used. + * + * For the WS-Security web service provider, the "useReqSigCert" keyword can be used to accept (encrypt to) + * any client whose public key is in the service's truststore (defined in {@link ENCRYPT_PROPERTIES}). + */ + public static final String ENCRYPT_USERNAME = "security.encryption.username"; + + // + // Callback class and Crypto properties + // + + /** + * The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound + * requests. 
The value of this tag must be either: + * a) The class name of a {@link javax.security.auth.callback.CallbackHandler} instance, which must + * be accessible via the classpath. + * b) A {@link javax.security.auth.callback.CallbackHandler} instance. + */ + public static final String CALLBACK_HANDLER = "security.callback-handler"; + + /** + * The SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this + * tag must be either: + * a) The class name of a {@link javax.security.auth.callback.CallbackHandler} instance, which must + * be accessible via the classpath. + * b) A {@link javax.security.auth.callback.CallbackHandler} instance. + */ + public static final String SAML_CALLBACK_HANDLER = "security.saml-callback-handler"; + + /** + * The Crypto property configuration to use for signature, if {@link SIGNATURE_CRYPTO} is not set instead. + * The value of this tag must be either: + * a) A Java Properties object that contains the Crypto configuration. + * b) The path of the Crypto property file that contains the Crypto configuration. + * c) A URL that points to the Crypto property file that contains the Crypto configuration. + */ + public static final String SIGNATURE_PROPERTIES = "security.signature.properties"; + + /** + * The Crypto property configuration to use for encryption, if {@link ENCRYPT_CRYPTO} is not set instead. + * The value of this tag must be either: + * a) A Java Properties object that contains the Crypto configuration. + * b) The path of the Crypto property file that contains the Crypto configuration. + * c) A URL that points to the Crypto property file that contains the Crypto configuration. + */ + public static final String ENCRYPT_PROPERTIES = "security.encryption.properties"; + + /** + * A Crypto object to be used for signature. If this is not defined then the + * {@link SIGNATURE_PROPERTIES} is used instead. 
+ */ + public static final String SIGNATURE_CRYPTO = "security.signature.crypto"; + + /** + * A Crypto object to be used for encryption. If this is not defined then the + * {@link ENCRYPT_PROPERTIES} is used instead. + */ + public static final String ENCRYPT_CRYPTO = "security.encryption.crypto"; + + /** + * A message property for prepared X509 certificate to be used for encryption. + * If this is not defined, then the certificate will be either loaded from the + * keystore {@link ENCRYPT_PROPERTIES} or extracted from request (when WS-Security is used and + * if {@link ENCRYPT_USERNAME} has value "useReqSigCert"). + */ + public static final String ENCRYPT_CERT = "security.encryption.certificate"; + + // + // Boolean Security configuration tags, e.g. the value should be "true" or "false". + // + + /** + * Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust + * in a certificate. The default value is "false". + */ + public static final String ENABLE_REVOCATION = "security.enableRevocation"; + + /** + * Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false. + */ + public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL = + "security.enable.unsigned-saml-assertion.principal"; + + /** + * Whether to validate the SubjectConfirmation requirements of a received SAML Token + * (sender-vouches or holder-of-key). The default is true. + */ + public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = + "security.validate.saml.subject.conf"; + + /** + * Set this to "false" if security context must not be created from JAAS Subject. + * + * The default value is "true". + */ + public static final String SC_FROM_JAAS_SUBJECT = "security.sc.jaas-subject"; + + /** + * Enable SAML AudienceRestriction validation. If this is set to "true", then IF the + * SAML Token contains Audience Restriction URIs, one of them must match either the + * request URL or the Service QName. The default is "true". 
+ */ + public static final String AUDIENCE_RESTRICTION_VALIDATION = "security.validate.audience-restriction"; + + // + // Non-boolean WS-Security Configuration parameters + // + + /** + * The attribute URI of the SAML AttributeStatement where the role information is stored. + * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role". + */ + public static final String SAML_ROLE_ATTRIBUTENAME = "security.saml-role-attributename"; + + /** + * A comma separated String of regular expressions which will be applied to the subject DN of + * the certificate used for signature validation, after trust verification of the certificate + * chain associated with the certificate. + */ + public static final String SUBJECT_CERT_CONSTRAINTS = "security.subject.cert.constraints"; + + public static final Set<String> COMMON_PROPERTIES; + + static { + Set<String> s = new HashSet<>(Arrays.asList(new String[] { + USERNAME, PASSWORD, SIGNATURE_USERNAME, ENCRYPT_USERNAME, + CALLBACK_HANDLER, SAML_CALLBACK_HANDLER, SIGNATURE_PROPERTIES, + SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO, + ENABLE_REVOCATION, SUBJECT_CERT_CONSTRAINTS, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, + AUDIENCE_RESTRICTION_VALIDATION + })); + COMMON_PROPERTIES = Collections.unmodifiableSet(s); + } + + protected SecurityConstants() { + // complete + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java index d86f115..2c040fc 100644 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java 
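Review bot: `COMMON_PROPERTIES` omits four of the keys declared in this file — `ENCRYPT_CERT`, `VALIDATE_SAML_SUBJECT_CONFIRMATION`, `SC_FROM_JAAS_SUBJECT` and `SAML_ROLE_ATTRIBUTENAME` — and how the set is consumed is not visible in this hunk, so it is unclear whether that is deliberate; if the set is meant to enumerate every shared key, add them, otherwise a comment such as `// Keys consulted per-message (e.g. ENCRYPT_CERT, SAML_ROLE_ATTRIBUTENAME) are intentionally left out` would stop the next maintainer from "fixing" it. The field references in the Javadoc (`{@link SIGNATURE_USERNAME}`, `{@link CALLBACK_HANDLER}`, etc.) need the `#` form, `{@link #SIGNATURE_USERNAME}`, to resolve as member links. The static initializer can drop the explicit array: `Set<String> s = new HashSet<>(Arrays.asList(USERNAME, PASSWORD, ...));`. A one-line comment on the `protected` constructor explaining that the class is non-final only so the WS-Security `SecurityConstants` can extend it would document the otherwise unusual constant-class inheritance.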
@@ -161,4 +161,16 @@ public final class SecurityUtils { return null; } + + /** + * Get the security property value for the given property. It also checks for the older "ws-"* property + * values. + */ + public static Object getSecurityPropertyValue(String property, Message message) { + Object value = message.getContextualProperty(property); + if (value != null) { + return value; + } + return message.getContextualProperty("ws-" + property); + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index 805d69e..4080167 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java 
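Review bot: The legacy fallback in getSecurityPropertyValue prefixes every key unconditionally, so a caller that already passes a `ws-security.*` name (the generic `getProperty(Object, String)` overrides later in this commit forward arbitrary keys here) triggers a second lookup for a `ws-ws-security.*` key that cannot exist; `if (value != null || property.startsWith("ws-")) { return value; }` avoids that. The Javadoc should also state the precedence, because a deployment that sets both names gets the un-prefixed one silently: `@param property the un-prefixed {@code security.*} key; the {@code ws-} form is consulted only when the un-prefixed key is unset` and `@return the configured value, or null if neither name is set`. The `"ws-"*` in the summary sentence reads as a typo for `"ws-"` and should be corrected.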
@@ -28,116 +28,19 @@ import java.util.Set; * Configuration tags used to configure the WS-SecurityPolicy layer. Some of them are also * used by the non WS-SecurityPolicy approach in the WSS4J(Out|In)Interceptors. */ -public final class SecurityConstants { +public final class SecurityConstants extends org.apache.cxf.rt.security.SecurityConstants { // // User properties // /** - * The user's name. It is used differently by each of the WS-Security functions: - * a) It is used as the name in the UsernameToken - * b) It is used as the alias name in the keystore to get the user's cert and private key for signature - * if {@link SIGNATURE_USERNAME} is not set. - * c) It is used as the alias name in the keystore to get the user's public key for encryption if - * {@link ENCRYPT_USERNAME} is not set. - */ - public static final String USERNAME = "ws-security.username"; - - /** - * The user's password when a {@link CALLBACK_HANDLER} is not defined. It is currently only used for - * the case of adding a password to a UsernameToken. - */ - public static final String PASSWORD = "ws-security.password"; - - /** - * The user's name for signature. It is used as the alias name in the keystore to get the user's cert - * and private key for signature. If this is not defined, then {@link USERNAME} is used instead. If - * that is also not specified, it uses the the default alias set in the properties file referenced by - * {@link SIGNATURE_PROPERTIES}. If that's also not set, and the keystore only contains a single key, - * that key will be used. - */ - public static final String SIGNATURE_USERNAME = "ws-security.signature.username"; - - /** - * The user's name for encryption. It is used as the alias name in the keystore to get the user's public - * key for encryption. If this is not defined, then {@link USERNAME} is used instead. If - * that is also not specified, it uses the the default alias set in the properties file referenced by - * {@link ENCRYPT_PROPERTIES}. 
If that's also not set, and the keystore only contains a single key, - * that key will be used. - * - * For the web service provider, the "useReqSigCert" keyword can be used to accept (encrypt to) any - * client whose public key is in the service's truststore (defined in {@link ENCRYPT_PROPERTIES}). - */ - public static final String ENCRYPT_USERNAME = "ws-security.encryption.username"; - - /** * The actor or role name of the wsse:Security header. If this parameter * is omitted, the actor name is not set. */ public static final String ACTOR = "ws-security.actor"; // - // Callback class and Crypto properties - // - - /** - * The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound - * requests. The value of this tag must be either: - * a) The class name of a {@link javax.security.auth.callback.CallbackHandler} instance, which must - * be accessible via the classpath. - * b) A {@link javax.security.auth.callback.CallbackHandler} instance. - */ - public static final String CALLBACK_HANDLER = "ws-security.callback-handler"; - - /** - * The SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this - * tag must be either: - * a) The class name of a {@link javax.security.auth.callback.CallbackHandler} instance, which must - * be accessible via the classpath. - * b) A {@link javax.security.auth.callback.CallbackHandler} instance. - */ - public static final String SAML_CALLBACK_HANDLER = "ws-security.saml-callback-handler"; - - /** - * The Crypto property configuration to use for signature, if {@link SIGNATURE_CRYPTO} is not set instead. - * The value of this tag must be either: - * a) A Java Properties object that contains the Crypto configuration. - * b) The path of the Crypto property file that contains the Crypto configuration. - * c) A URL that points to the Crypto property file that contains the Crypto configuration. 
- */ - public static final String SIGNATURE_PROPERTIES = "ws-security.signature.properties"; - - /** - * The Crypto property configuration to use for encryption, if {@link ENCRYPT_CRYPTO} is not set instead. - * The value of this tag must be either: - * a) A Java Properties object that contains the Crypto configuration. - * b) The path of the Crypto property file that contains the Crypto configuration. - * c) A URL that points to the Crypto property file that contains the Crypto configuration. - */ - public static final String ENCRYPT_PROPERTIES = "ws-security.encryption.properties"; - - /** - * A Crypto object to be used for signature. If this is not defined then the - * {@link SIGNATURE_PROPERTIES} is used instead. - */ - public static final String SIGNATURE_CRYPTO = "ws-security.signature.crypto"; - - /** - * A Crypto object to be used for encryption. If this is not defined then the - * {@link ENCRYPT_PROPERTIES} is used instead. - */ - public static final String ENCRYPT_CRYPTO = "ws-security.encryption.crypto"; - - /** - * A message property for prepared X509 certificate to be used for encryption. - * If this is not defined, then the certificate will be either loaded from the - * keystore {@link ENCRYPT_PROPERTIES} or extracted from request - * (if {@link ENCRYPT_USERNAME} has value "useReqSigCert"). - */ - public static final String ENCRYPT_CERT = "ws-security.encryption.certificate"; - - // // Boolean WS-Security configuration tags, e.g. the value should be "true" or "false". // 
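Review bot: The class Javadoc at the top of this hunk still describes only the WS-SecurityPolicy tags, but the class now extends org.apache.cxf.rt.security.SecurityConstants and the inherited values differ from the ones removed here (SIGNATURE_CRYPTO was `ws-security.signature.crypto` and is now `security.signature.crypto`). A sentence such as `Common tags (user names, passwords, callback handlers, crypto configuration, revocation and SAML validation) are inherited from {@link org.apache.cxf.rt.security.SecurityConstants} under their un-prefixed {@code security.*} names; the former {@code ws-security.*} names are still honoured by readers that go through SecurityUtils.getSecurityPropertyValue.` would save readers from hunting for the moved constants. It should also say explicitly that code reading these constants with a plain `getContextualProperty` call, rather than the helper, sees only the new name after this change.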
@@ -146,12 +49,6 @@ public final class SecurityConstants { */ public static final String VALIDATE_TOKEN = "ws-security.validate.token"; - /** - * Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust - * in a certificate. The default value is "false". - */ - public static final String ENABLE_REVOCATION = "ws-security.enableRevocation"; - // WebLogic and WCF always encrypt UsernameTokens whenever possible //See: http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html //Be default, we will encrypt as well for interop reasons. However, this @@ -170,12 +67,6 @@ public final class SecurityConstants { public static final String IS_BSP_COMPLIANT = "ws-security.is-bsp-compliant"; /** - * Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false. - */ - public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL = - "ws-security.enable.unsigned-saml-assertion.principal"; - - /** * Whether to cache UsernameToken nonces. The default value is "true" for message recipients, and * "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to * not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken 
@@ -194,22 +85,6 @@ public final class SecurityConstants { public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache"; /** - * Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition. - * The default value is "true" for message recipients, and "false" for message initiators. - * Set it to true to cache for both cases. Set this to "false" to not cache SAML2 Token Identifiers. - * Note that caching only applies when either a "SamlToken" policy is in effect, or - * else that a SAML action has been configured for the non-security-policy case. - */ - public static final String ENABLE_SAML_ONE_TIME_USE_CACHE = "ws-security.enable.saml.cache"; - - /** - * Whether to validate the SubjectConfirmation requirements of a received SAML Token - * (sender-vouches or holder-of-key). The default is true. - */ - public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = - "ws-security.validate.saml.subject.conf"; - - /** * Whether to enable streaming WS-Security. If set to false (the default), the old DOM * implementation is used. If set to true, the new streaming (StAX) implementation is used. */ 
@@ -231,21 +106,16 @@ public final class SecurityConstants { * The default value is "true" which included the SOAP mustUnderstand header. */ public static final String MUST_UNDERSTAND = "ws-security.must-understand"; - - /** - * Set this to "false" if security context must not be created from JAAS Subject. - * - * The default value is "true". - */ - public static final String SC_FROM_JAAS_SUBJECT = "ws-security.sc.jaas-subject"; /** - * Enable SAML AudienceRestriction validation. If this is set to "true", then IF the - * SAML Token contains Audience Restriction URIs, one of them must match either the - * request URL or the Service QName. The default is "true". + * Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition. + * The default value is "true" for message recipients, and "false" for message initiators. + * Set it to true to cache for both cases. Set this to "false" to not cache SAML2 Token Identifiers. + * Note that caching only applies when either a "SamlToken" policy is in effect, or + * else that a SAML action has been configured for the non-security-policy case. */ - public static final String AUDIENCE_RESTRICTION_VALIDATION = "ws-security.validate.audience-restriction"; - + public static final String ENABLE_SAML_ONE_TIME_USE_CACHE = "ws-security.enable.saml.cache"; + // // Non-boolean WS-Security Configuration parameters // @@ -277,12 +147,6 @@ public final class SecurityConstants { public static final String USERNAMETOKEN_FUTURE_TTL = "ws-security.usernametoken.futureTimeToLive"; /** - * The attribute URI of the SAML AttributeStatement where the role information is stored. - * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role". - */ - public static final String SAML_ROLE_ATTRIBUTENAME = "ws-security.saml-role-attributename"; - - /** * The SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug in * a different implementation to obtain a service ticket. */ 
@@ -306,8 +170,7 @@ public final class SecurityConstants { * This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifiers, when * the token has a "OneTimeUse" Condition. The default instance that is used is the EHCacheReplayCache. */ - public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = - "ws-security.saml.cache.instance"; + public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = "ws-security.saml.cache.instance"; /** * Set this property to point to a configuration file for the underlying caching implementation. @@ -336,13 +199,6 @@ public final class SecurityConstants { public static final String CACHE_IDENTIFIER = "ws-security.cache.identifier"; /** - * A comma separated String of regular expressions which will be applied to the subject DN of - * the certificate used for signature validation, after trust verification of the certificate - * chain associated with the certificate. - */ - public static final String SUBJECT_CERT_CONSTRAINTS = "ws-security.subject.cert.constraints"; - - /** * The Subject Role Classifier to use. If one of the WSS4J Validators returns a JAAS Subject * from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext * based on this Subject. If this value is not specified, then it tries to get roles using @@ -661,6 +517,10 @@ public final class SecurityConstants { KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, AUDIENCE_RESTRICTION_VALIDATION, POLICY_VALIDATOR_MAP })); + for (String commonProperty : COMMON_PROPERTIES) { + s.add(commonProperty); + s.add("ws-" + commonProperty); + } ALL_PROPERTIES = Collections.unmodifiableSet(s); } http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java ---------------------------------------------------------------------- 
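Review bot: The legacy names the new loop adds to ALL_PROPERTIES cover only the keys in COMMON_PROPERTIES, and that set (see the rt SecurityConstants static block earlier in this commit) does not contain ENCRYPT_CERT, VALIDATE_SAML_SUBJECT_CONFIRMATION, SC_FROM_JAAS_SUBJECT or SAML_ROLE_ATTRIBUTENAME, whose `ws-security.*` definitions the preceding hunks remove from this class. Unless the literal array above the loop (mostly outside the hunk) still lists them, both their new and their legacy names drop out of ALL_PROPERTIES; I cannot see what consumes ALL_PROPERTIES, so if it drives property filtering or validation those settings would stop being recognised without any error. Either add the four constants to COMMON_PROPERTIES or list them explicitly in the array. ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL and AUDIENCE_RESTRICTION_VALIDATION now appear both in the array and in COMMON_PROPERTIES, which is harmless for a set but one of the two mentions could go.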
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java index f5e9c28..6cb4955 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java @@ -49,7 +49,7 @@ public final class KerberosUtils { try { CallbackHandler callbackHandler = SecurityUtils.getCallbackHandler( - message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER) + SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message) ); client.setCallbackHandler(callbackHandler); } catch (Exception ex) { http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java index d7346a6..ff630d7 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java 
@@ -296,7 +296,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa (String)message.getContextualProperty(SecurityConstants.KERBEROS_SPN); CallbackHandler callbackHandler = SecurityUtils.getCallbackHandler( - message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER) + SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message) ); SpnegoTokenContext spnegoToken = new SpnegoTokenContext(); http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java index a2608b1..57d9b90 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java @@ -112,7 +112,7 @@ class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMess try { CallbackHandler callbackHandler = SecurityUtils.getCallbackHandler( - message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER) + SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message) ); spnegoToken.retrieveServiceTicket(jaasContext, callbackHandler, kerberosSpn); http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java index 3603a46..a9678a1 100755 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java @@ -1554,6 +1554,9 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv protected CallbackHandler createHandler() { Object o = getProperty(SecurityConstants.CALLBACK_HANDLER); + if (o == null) { + o = getProperty("ws-" + SecurityConstants.CALLBACK_HANDLER); + } try { return SecurityUtils.getCallbackHandler(o); } catch (Exception e) { http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java index 061febd..c1613c4 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java @@ -35,6 +35,7 @@ import org.apache.cxf.phase.Phase; import org.apache.cxf.rt.security.claims.ClaimCollection; import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext; import org.apache.cxf.rt.security.saml.utils.SAMLUtils; +import org.apache.cxf.rt.security.utils.SecurityUtils; import org.apache.cxf.security.SecurityContext; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; 
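Review bot: createHandler re-implements the legacy-name fallback inline instead of reusing SecurityUtils.getSecurityPropertyValue as the rest of this commit does, presumably because getProperty here is the client's own lookup rather than a Message (the method's body continues outside the hunk). That is reasonable, but the bare string concatenation should say why it exists so nobody removes it as dead code: `// Fall back to the legacy "ws-" prefixed name so existing STS client configurations keep resolving their callback handler`. If more properties in this class need the same treatment, a small private `getPropertyWithLegacyFallback(String)` helper would keep the two lookups in one place.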
@@ -133,7 +134,7 @@ public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Me } if (samlAssertion != null) { String roleAttributeName = - (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME); + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg); if (roleAttributeName == null || roleAttributeName.length() == 0) { roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT; } http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java index 0410e49..3793f18 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java @@ -54,6 +54,7 @@ import org.apache.cxf.message.Message; import org.apache.cxf.phase.PhaseInterceptorChain; import org.apache.cxf.rt.security.claims.ClaimCollection; import org.apache.cxf.rt.security.saml.utils.SAMLUtils; +import org.apache.cxf.rt.security.utils.SecurityUtils; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.EHCacheTokenStore; import org.apache.cxf.ws.security.tokenstore.TokenStore; 
@@ -365,7 +366,8 @@ public class STSLoginModule implements LoginModule { String roleAttributeName = null; if (msg != null) { roleAttributeName = - (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME); + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, + msg); } if (roleAttributeName == null || roleAttributeName.length() == 0) { roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT; http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java index a954ee2..a7c0559 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java @@ -27,9 +27,9 @@ import javax.security.auth.callback.UnsupportedCallbackException; import org.w3c.dom.Document; import org.w3c.dom.Node; - import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.message.Message; +import org.apache.cxf.rt.security.utils.SecurityUtils; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.dom.message.token.UsernameToken; 
@@ -48,7 +48,7 @@ public class WSSUsernameCallbackHandler implements CallbackHandler { Message message = callback.getCurrentMessage(); String username = - (String)message.getContextualProperty(SecurityConstants.USERNAME); + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message); if (username != null) { Node contentNode = message.getContent(Node.class); Document doc = null; http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java index 5bd393a..489e0c2 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java @@ -177,7 +177,7 @@ public abstract class AbstractTokenInterceptor extends AbstractSoapInterceptor { //Then try to get the password from the given callback handler CallbackHandler handler = null; try { - Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER); + Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message); handler = SecurityUtils.getCallbackHandler(o); if (handler == null) { policyNotAsserted(info, "No callback handler and no password available", message); http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java index 5d96f2d..58a38b1 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java @@ -33,6 +33,7 @@ import org.apache.cxf.interceptor.Fault; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.PhaseInterceptor; +import org.apache.cxf.rt.security.utils.SecurityUtils; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.common.ConfigurationConstants; import org.apache.wss4j.common.crypto.Crypto; @@ -98,7 +99,7 @@ public abstract class AbstractWSS4JInterceptor extends WSHandler implements Soap } public Object getProperty(Object msgContext, String key) { - Object obj = ((Message)msgContext).getContextualProperty(key); + Object obj = SecurityUtils.getSecurityPropertyValue(key, (Message)msgContext); if (obj == null) { obj = getOption(key); } 
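Review bot: getProperty(Object, String) is the generic lookup WSHandler uses for whatever key it is given, so routing it through SecurityUtils.getSecurityPropertyValue now performs a second `ws-`-prefixed lookup for keys that never had such a form and would pick up an unrelated contextual property that happens to carry that name (I cannot see the callers' key set, so treat this as a risk to confirm). The same change is made to AbstractWSS4JStaxInterceptor.getProperty in the @@ -266 hunk below. Limiting the fallback to the shared keys, provided COMMON_PROPERTIES lists every migrated key, leaves all other lookups unchanged: `Message msg = (Message)msgContext;` followed by `Object obj = SecurityConstants.COMMON_PROPERTIES.contains(key) ? SecurityUtils.getSecurityPropertyValue(key, msg) : msg.getContextualProperty(key);`.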
@@ -173,16 +174,19 @@ public abstract class AbstractWSS4JInterceptor extends WSHandler implements Soap } String certConstraints = - (String)msg.getContextualProperty(SecurityConstants.SUBJECT_CERT_CONSTRAINTS); + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, msg); if (certConstraints != null) { msg.put(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints); } // Now set SAML SenderVouches + Holder Of Key requirements - boolean validateSAMLSubjectConf = - MessageUtils.getContextualBoolean( - msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true - ); + String valSAMLSubjectConf = + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, + msg); + boolean validateSAMLSubjectConf = true; + if (valSAMLSubjectConf != null) { + validateSAMLSubjectConf = Boolean.parseBoolean(valSAMLSubjectConf); + } msg.put( WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, Boolean.toString(validateSAMLSubjectConf) http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java index bed078f..46de15d 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java 
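Review bot: Replacing MessageUtils.getContextualBoolean with a `(String)` cast narrows what the property accepts: the contextual-property API is untyped, and a caller that sets VALIDATE_SAML_SUBJECT_CONFIRMATION to a Boolean object (which I would expect the previous helper to have handled) now fails with a ClassCastException instead of being honoured. Reading it as an Object avoids that: `Object valSAMLSubjectConf = SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, msg);` and `validateSAMLSubjectConf = Boolean.parseBoolean(valSAMLSubjectConf.toString());`. Note also that parseBoolean maps any value other than "true" to false, so a mistyped value silently switches SubjectConfirmation checking off; a comment such as `// Validation stays on unless the property is set; any value other than "true" disables it` or a warning log when the value is neither "true" nor "false" would make that failure mode visible. The AbstractWSS4JStaxInterceptor hunk at @@ -146 keeps its pre-existing String cast and `Boolean.valueOf`, so the two interceptors now parse the same flag in slightly different ways.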
@@ -146,14 +146,15 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor, } String certConstraints = - (String)msg.getContextualProperty(SecurityConstants.SUBJECT_CERT_CONSTRAINTS); + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, msg); if (certConstraints != null && !"".equals(certConstraints)) { securityProperties.setSubjectCertConstraints(convertCertConstraints(certConstraints)); } // Now set SAML SenderVouches + Holder Of Key requirements String validateSAMLSubjectConf = - (String)msg.getContextualProperty(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION); + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, + msg); if (validateSAMLSubjectConf != null) { securityProperties.setValidateSamlSubjectConfirmation(Boolean.valueOf(validateSAMLSubjectConf)); } @@ -192,7 +193,7 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor, protected void configureCallbackHandler( SoapMessage soapMessage, WSSSecurityProperties securityProperties ) throws WSSecurityException { - Object o = soapMessage.getContextualProperty(SecurityConstants.CALLBACK_HANDLER); + Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, soapMessage); CallbackHandler callbackHandler = null; try { callbackHandler = SecurityUtils.getCallbackHandler(o); @@ -266,7 +267,7 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor, } public Object getProperty(Object msgContext, String key) { - Object obj = ((Message)msgContext).getContextualProperty(key); + Object obj = SecurityUtils.getSecurityPropertyValue(key, (Message)msgContext); if (obj == null) { obj = getOption(key); } http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java index e57780a..d086673 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java @@ -104,7 +104,7 @@ public class BinarySecurityTokenInterceptor extends AbstractTokenInterceptor { throws WSSecurityException { WSDocInfo wsDocInfo = new WSDocInfo(tokenElement.getOwnerDocument()); RequestData data = new CXFRequestData(); - Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER); + Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message); try { data.setCallbackHandler(SecurityUtils.getCallbackHandler(o)); } catch (Exception ex) { http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java index 6b09107..f271d28 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java 
@@ -30,11 +30,11 @@ import javax.xml.soap.SOAPException; import javax.xml.stream.XMLStreamException; import org.w3c.dom.Element; - import org.apache.cxf.binding.soap.SoapMessage; import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.message.MessageUtils; +import org.apache.cxf.rt.security.utils.SecurityUtils; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.SecurityConstants; @@ -119,13 +119,13 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor { action = addToAction(action, "Signature", true); action = addToAction(action, "Encrypt", true); - Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO); + Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message); if (s == null) { - s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); + s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message); } - Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO); + Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message); if (e == null) { - e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); + e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message); } Crypto encrCrypto = getEncryptionCrypto(e, message, data); 
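Review bot: The two-step crypto lookup (SIGNATURE_CRYPTO then SIGNATURE_PROPERTIES, ENCRYPT_CRYPTO then ENCRYPT_PROPERTIES) is written out identically in three hunks of this file (@@ -119, @@ -157, @@ -264) and twice more in PolicyBasedWSS4JStaxInInterceptor (@@ -92, @@ -149); this commit touches every copy, which is the moment to fold them into one helper so the next key rename is a one-line change. The enclosing methods start outside these hunks, so the helper below would sit alongside them as a private static method and each call site shrinks to two lines. SoapMessage is already imported here and is what the hunks pass to SecurityUtils.getSecurityPropertyValue, so the helper can take it directly.
```java
/** Resolves a Crypto configuration: the Crypto instance key first, then the properties key. */
private static Object getCryptoConfig(String cryptoKey, String propertiesKey, SoapMessage message) {
    Object value = SecurityUtils.getSecurityPropertyValue(cryptoKey, message);
    return value != null ? value : SecurityUtils.getSecurityPropertyValue(propertiesKey, message);
}

// … unchanged: action setup …
Object s = getCryptoConfig(SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES, message);
Object e = getCryptoConfig(SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES, message);
```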
@@ -157,13 +157,13 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor { ) throws WSSecurityException { action = addToAction(action, "Signature", true); action = addToAction(action, "Encrypt", true); - Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO); + Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message); if (s == null) { - s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); + s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message); } - Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO); + Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message); if (e == null) { - e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); + e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message); } Crypto encrCrypto = getEncryptionCrypto(e, message, data); 
@@ -264,13 +264,13 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor { action = addToAction(action, "Signature", true); action = addToAction(action, "Encrypt", true); - Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO); + Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message); if (s == null) { - s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); + s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message); } - Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO); + Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message); if (e == null) { - e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); + e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message); } Crypto encrCrypto = getEncryptionCrypto(e, message, data); http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java index 2a133ce..f75f3c0 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java 
@@ -36,6 +36,7 @@ import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.service.model.BindingInfo;
 import org.apache.cxf.service.model.BindingOperationInfo;
 import org.apache.cxf.service.model.EndpointInfo;
@@ -92,13 +93,13 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
 return;
 }
- Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+ Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
 if (s == null) {
- s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+ s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
 }
- Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+ Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
 if (e == null) {
- e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
 }
 Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
@@ -149,13 +150,13 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
 securityEvents.add(httpsTokenSecurityEvent);
 }
- Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+ Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
 if (s == null) {
- s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+ s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
 }
- Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+ Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
 if (e == null) {
- e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
 }
 Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
@@ -197,13 +198,13 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
 return;
 }
- Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+ Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
 if (s == null) {
- s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+ s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
 }
- Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+ Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
 if (e == null) {
- e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
 }
 Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
index 9ec4040..640bcb2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
@@ -22,6 +22,7 @@ package org.apache.cxf.ws.security.wss4j;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
@@ -62,13 +63,13 @@ public class PolicyBasedWSS4JStaxOutInterceptor extends WSS4JStaxOutInterceptor
 private void checkAsymmetricBinding(
 SoapMessage message, WSSSecurityProperties securityProperties
 ) throws WSSecurityException {
- Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+ Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
 if (s == null) {
- s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+ s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
 }
- Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+ Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
 if (e == null) {
- e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
 }
 Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
@@ -93,13 +94,13 @@ public class PolicyBasedWSS4JStaxOutInterceptor extends WSS4JStaxOutInterceptor
 private void checkTransportBinding(
 SoapMessage message, WSSSecurityProperties securityProperties
 ) throws WSSecurityException {
- Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+ Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
 if (s == null) {
- s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+ s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
 }
- Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+ Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
 if (e == null) {
- e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
 }
 Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
@@ -124,13 +125,13 @@ public class PolicyBasedWSS4JStaxOutInterceptor extends WSS4JStaxOutInterceptor
 private void checkSymmetricBinding(
 SoapMessage message, WSSSecurityProperties securityProperties
 ) throws WSSecurityException {
- Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+ Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
 if (s == null) {
- s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+ s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
 }
- Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+ Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
 if (e == null) {
- e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
 }
 Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
index 526e96d..409ef76 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
@@ -172,7 +172,7 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
 WSDocInfo wsDocInfo = new WSDocInfo(tokenElement.getOwnerDocument());
 RequestData data = new CXFRequestData();
- Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
+ Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message);
 try {
 data.setCallbackHandler(SecurityUtils.getCallbackHandler(o));
 } catch (Exception ex) {
@@ -228,7 +228,8 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
 //
 // Get the SAML CallbackHandler
 //
- Object o = message.getContextualProperty(SecurityConstants.SAML_CALLBACK_HANDLER);
+ Object o =
+ SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_CALLBACK_HANDLER, message);
 CallbackHandler handler = null;
 if (o instanceof CallbackHandler) {
@@ -265,11 +266,12 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
 String issuerName = samlCallback.getIssuerKeyName();
 if (issuerName == null) {
 String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
- issuerName = (String)message.getContextualProperty(userNameKey);
+ issuerName = (String)SecurityUtils.getSecurityPropertyValue(userNameKey, message);
 }
 String password = samlCallback.getIssuerKeyPassword();
 if (password == null) {
- password = (String)message.getContextualProperty(SecurityConstants.PASSWORD);
+ password =
+ (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.PASSWORD, message);
 if (StringUtils.isEmpty(password)) {
 password = getPassword(issuerName, token, WSPasswordCallback.SIGNATURE, message);
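Review bot: The new `password =` lookup on `SecurityConstants.PASSWORD` in the @@ -265 hunk, and the `SIGNATURE_USERNAME` lookup a few lines above it, now go through `SecurityUtils.getSecurityPropertyValue`, and at this call site it is not visible which value wins when a deployment configures both the legacy `ws-security.*` key and the new shared key — presumably the helper consults one name and then the other, but for the signing username and signing password a surprising winner means the assertion is signed with a different key than the operator intended, with no error raised. That precedence deserves a sentence of Javadoc on `getSecurityPropertyValue` (outside this hunk) and a one-line pointer here, e.g. `// resolved by the shared helper; see SecurityUtils.getSecurityPropertyValue for which property name takes precedence`. The enclosing method starts and ends outside the hunk.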
@@ -301,12 +303,12 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
 String propKey, SoapMessage message
 ) throws WSSecurityException {
- Crypto crypto = (Crypto)message.getContextualProperty(cryptoKey);
+ Crypto crypto = (Crypto)SecurityUtils.getSecurityPropertyValue(cryptoKey, message);
 if (crypto != null) {
 return crypto;
 }
- Object o = message.getContextualProperty(propKey);
+ Object o = SecurityUtils.getSecurityPropertyValue(propKey, message);
 if (o == null) {
 return null;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
index 9f7d7b1..2249335 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
@@ -35,6 +35,7 @@ import org.apache.cxf.phase.Phase;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
 import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
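Review bot: The `(Crypto)` cast on the first changed line turns a misconfigured `cryptoKey` property (any value that is not a Crypto instance) into a ClassCastException escaping a method declared to throw WSSecurityException, whereas the @@ -228 hunk in this same file guards the callback-handler property with `o instanceof CallbackHandler` before using it. Testing the type first keeps the failure mode consistent across the two lookups: `Object c = SecurityUtils.getSecurityPropertyValue(cryptoKey, message);` / `if (c instanceof Crypto) {` / `return (Crypto)c;` with the existing closing brace, falling through to the `propKey` lookup otherwise. The method's signature starts before this hunk and its body continues after `return null;`.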
@@ -118,8 +119,8 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
 Object receivedAssertion = null;
 if (event.getSecurityEventType() == WSSecurityEventConstants.SamlToken) {
- String roleAttributeName = (String)msg.getContextualProperty(
- SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+ String roleAttributeName = (String)SecurityUtils.getSecurityPropertyValue(
+ SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
 if (roleAttributeName == null || roleAttributeName.length() == 0) {
 roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
 }