Fixed TLS client auth issue
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7ea12c2d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7ea12c2d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7ea12c2d
Branch: refs/heads/master
Commit: 7ea12c2dab4440f2dcd3b070a662957534fd6011
Parents: af11d1b
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Fri Feb 5 16:14:08 2016 +0000
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Fri Feb 5 17:54:04 2016 +0000
----------------------------------------------------------------------
.../sts/rest/RESTSecurityTokenServiceImpl.java | 16 +++++-
.../cxf/systest/sts/rest/RESTUnitTest.java | 2 +-
.../systest/sts/rest/WSS4JBasicAuthFilter.java | 54 --------------------
.../basic/src/test/resources/logging.properties | 4 +-
.../apache/cxf/systest/sts/rest/cxf-client.xml | 3 ++
.../cxf/systest/sts/rest/cxf-rest-sts.xml | 8 +--
6 files changed, 22 insertions(+), 65 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
index 6955931..393b806 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
@@ -20,6 +20,7 @@ package org.apache.cxf.sts.rest;
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -34,6 +35,8 @@ import org.w3c.dom.Element;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.phase.PhaseInterceptorChain;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.sts.QNameConstants;
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
@@ -87,7 +90,6 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple
 @Override
 public Response getToken(String tokenType, String keyType, List<String> requestedClaims) {
-
 if (tokenTypeMap != null && tokenTypeMap.containsKey(tokenType)) {
 tokenType = tokenTypeMap.get(tokenType);
 }
@@ -213,6 +215,18 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple
 @Override
 protected Principal getPrincipal() {
+ SecurityContext sc = (SecurityContext)messageContext.get(SecurityContext.class);
+ if (sc == null || sc.getUserPrincipal() == null) {
+ // Get the TLS client principal if no security context is set up
+ TLSSessionInfo tlsInfo =
+ (TLSSessionInfo)PhaseInterceptorChain.getCurrentMessage().get(TLSSessionInfo.class);
+ if (tlsInfo != null && tlsInfo.getPeerCertificates() != null
+ && tlsInfo.getPeerCertificates().length > 0
+ && (tlsInfo.getPeerCertificates()[0] instanceof X509Certificate)
+ ) {
+ return ((X509Certificate)tlsInfo.getPeerCertificates()[0]).getSubjectX500Principal();
+ }
+ }
 return messageContext.getSecurityContext().getUserPrincipal();
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
----------------------------------------------------------------------
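Review bot: In the getPrincipal hunk the TLS fallback reads TLSSessionInfo from `PhaseInterceptorChain.getCurrentMessage()` while the SecurityContext two lines earlier is read from `messageContext`; both are lookups on the current message, so `messageContext.get(TLSSessionInfo.class)` keeps the method on one object and drops the static call. `tlsInfo.getPeerCertificates()` is also evaluated four times across the condition and the return; a single local holding the array would read better. When neither a SecurityContext nor a client certificate is present, the unchanged last line still calls `messageContext.getSecurityContext().getUserPrincipal()`, which presumably tolerates the missing context — worth confirming, since that is now the unauthenticated path. The override has no Javadoc; a short one stating that the caller identity is taken from the SecurityContext when one is set and otherwise from the subject of the TLS client certificate, which is only trustworthy if TLSSessionInfo carries peer certificates the engine's trust managers already validated, would record the trust decision this change introduces.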
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
index 0668e39..7caf0f2 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
@@ -77,7 +77,7 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase {
 SpringBusFactory.setThreadDefaultBus(bus);
 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, "alice", "clarinet", busFile.toString());
+ WebClient client = WebClient.create(address, busFile.toString());
 client.type("application/xml").accept("application/xml");
 client.path("saml2.0");
http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
deleted file mode 100644
index 08873cf..0000000
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/WSS4JBasicAuthFilter.java
+++ /dev/null
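Review bot: The test now authenticates only through the key manager this commit adds to cxf-client.xml, but nothing at the changed line records that, and the commit adds no companion test showing that a client without a certificate is turned away by the STS. A comment above the create call, `// no basic-auth credentials: the caller is identified by the TLS client certificate configured in cxf-client.xml`, would make the dependency on the resource file visible. The enclosing test method starts and ends outside the hunk.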
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.systest.sts.rest;
-
-import java.io.IOException;
-
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.core.Response;
-
-import org.apache.cxf.configuration.security.AuthorizationPolicy;
-import org.apache.cxf.jaxrs.utils.ExceptionUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.interceptor.WSS4JBasicAuthValidator;
-
-/**
- * Extends the WSS4J validator as a JAX-RS request filter
- */
-public class WSS4JBasicAuthFilter extends WSS4JBasicAuthValidator implements ContainerRequestFilter {
-
- public void filter(ContainerRequestContext requestContext) throws IOException {
- Message message = JAXRSUtils.getCurrentMessage();
- AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
-
- if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
- requestContext.abortWith(
- Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
- }
-
- try {
- super.validate(message);
- } catch (Exception ex) {
- throw
ExceptionUtils.toInternalServerErrorException(ex, null);
- }
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/logging.properties
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/logging.properties b/services/sts/systests/basic/src/test/resources/logging.properties
index 016ae26..f70123b 100644
--- a/services/sts/systests/basic/src/test/resources/logging.properties
+++ b/services/sts/systests/basic/src/test/resources/logging.properties
@@ -43,7 +43,7 @@ # can be overridden by a facility specific level
 # Note that the ConsoleHandler also has a separate level
 # setting to limit messages printed to the console.
-.level= FINE
+.level= INFO
 ############################################################
 # Handler specific properties.
@@ -57,7 +57,7 @@ java.util.logging.FileHandler.count = 1
 java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
 # Limit the message that are printed on the console to WARNING and above.
-java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.level = INFO
 java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
index 892e5a5..f45b741 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-client.xml
@@ -25,6 +25,9 @@
 </cxf:bus>
 <http:conduit name="https://localhost:.*">
 <http:tlsClientParameters disableCNCheck="true">
+ <sec:keyManagers keyPassword="ckpass">
+ <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+ </sec:keyManagers>
 <sec:trustManagers>
 <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
 </sec:trustManagers>
http://git-wip-us.apache.org/repos/asf/cxf/blob/7ea12c2d/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
index 309f3f2..106bca4 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
@@ -105,11 +105,6 @@
 <bean id="jsonProvider" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider" />
- <bean id="callbackHandler" class="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
- <bean id="basicAuthFilter" class="org.apache.cxf.systest.sts.rest.WSS4JBasicAuthFilter">
- <property name="callbackHandler" ref="callbackHandler"/>
- </bean>
-
 <jaxrs:server id="stsRESTService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.STSRESTServer}/SecurityTokenService">
@@ -118,7 +113,6 @@
 </jaxrs:serviceBeans>
 <jaxrs:providers>
 <ref bean="jsonProvider" />
- <ref bean="basicAuthFilter"/>
 </jaxrs:providers>
 <jaxrs:extensionMappings>
 <entry key="json" value="application/json;charset=UTF-8" />
@@ -135,7 +129,7 @@
 <sec:trustManagers>
 <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/>
 </sec:trustManagers>
- <sec:clientAuthentication want="false" required="false"/>
+ <sec:clientAuthentication want="true" required="true"/>
 </httpj:tlsServerParameters>
 </httpj:engine>
 </httpj:engine-factory>
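Review bot: With `required="true"` the HTTPS engine refuses any connection that does not present a certificate accepted by the `stsstore.jks` trust managers above, so that truststore alone now decides who may call the REST STS in place of the removed basic-auth filter, and the configuration does not say so. An XML comment above the element, `<!-- client certificate required: the REST STS takes the caller principal from it -->`, would make the intent clear to whoever copies this sample. If a deployment relaxes this to `required="false"`, the new getPrincipal fallback in RESTSecurityTokenServiceImpl finds no peer certificate and falls through to the security-context lookup, which is worth stating in the same comment.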