Move STS SecurityConstants to common class
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/91c7b090 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/91c7b090 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/91c7b090 Branch: refs/heads/master Commit: 91c7b09005e8d32187283828ac348235b725e3e3 Parents: 3c0681f Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Aug 28 12:03:01 2015 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Aug 28 13:46:47 2015 +0100 ---------------------------------------------------------------------- .../cxf/rt/security/SecurityConstants.java | 149 ++++++++++++++++- .../cxf/rt/security/utils/SecurityUtils.java | 17 ++ .../cxf/ws/security/SecurityConstants.java | 159 +------------------ .../ws/security/trust/AbstractSTSClient.java | 30 +++- .../ws/security/trust/STSTokenRetriever.java | 30 ++-- .../apache/cxf/ws/security/trust/STSUtils.java | 24 +-- .../sts/asymmetric/AsymmetricBindingTest.java | 3 + .../cxf/systest/sts/common/TokenTestUtils.java | 9 ++ .../IntermediaryCachingPortTypeImpl.java | 3 + .../IntermediaryPortTypeImpl.java | 3 + .../UsernameActAsCachingTest.java | 6 + .../UsernameOnBehalfOfCachingTest.java | 6 + 12 files changed, 249 insertions(+), 190 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java index 345c7da..acc671d 100644 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java 
@@ -192,6 +192,148 @@ public class SecurityConstants { */ public static final String SUBJECT_CERT_CONSTRAINTS = "security.subject.cert.constraints"; + // + // STS Client Configuration tags + // + + /** + * A reference to the STSClient class used to communicate with the STS. + */ + public static final String STS_CLIENT = "security.sts.client"; + + /** + * The "AppliesTo" address to send to the STS. The default is the endpoint address of the + * service provider. + */ + public static final String STS_APPLIES_TO = "security.sts.applies-to"; + + /** + * Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write + * out a KeyValue structure. The default value is "false". + */ + public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO = "security.sts.token.usecert"; + + /** + * Whether to cancel a token when using SecureConversation after successful invocation. The + * default is "false". + */ + public static final String STS_TOKEN_DO_CANCEL = "security.sts.token.do.cancel"; + + /** + * Whether to fall back to calling "issue" after failing to renew an expired token. Some + * STSs do not support the renew binding, and so we should just issue a new token after expiry. + * The default is true. + */ + public static final String STS_ISSUE_AFTER_FAILED_RENEW = "security.issue.after.failed.renew"; + + /** + * Set this to "false" to not cache a SecurityToken per proxy object in the + * IssuedTokenInterceptorProvider. This should be done if a token is being retrieved + * from an STS in an intermediary. The default value is "true". + */ + public static final String CACHE_ISSUED_TOKEN_IN_ENDPOINT = + "security.cache.issued.token.in.endpoint"; + + /** + * Whether to avoid STS client trying send WS-MetadataExchange call using + * STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. + * The default value is "false". 
+ */ + public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS = + "security.sts.disable-wsmex-call-using-epr-address"; + + /** + * Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties + * when making an STS RequestSecurityToken call. This can be set to true for the scenario + * of making a WS-MEX call to an initial STS, and using the returned token to make another + * call to an STS (which is configured using the STSClient configuration). Default is + * "false". + */ + public static final String PREFER_WSMEX_OVER_STS_CLIENT_CONFIG = + "security.sts.prefer-wsmex"; + + /** + * Switch STS client to send Soap 1.2 messages + */ + public static final String STS_CLIENT_SOAP12_BINDING = + "security.sts.client-soap12-binding"; + + /** + * + * A Crypto object to be used for the STS. If this is not defined then the + * {@link STS_TOKEN_PROPERTIES} is used instead. + * + * WCF's trust server sometimes will encrypt the token in the response IN ADDITION TO + * the full security on the message. These properties control the way the STS client + * will decrypt the EncryptedData elements in the response. + * + * These are also used by the STSClient to send/process any RSA/DSAKeyValue tokens + * used if the KeyType is "PublicKey" + */ + public static final String STS_TOKEN_CRYPTO = "security.sts.token.crypto"; + + /** + * The Crypto property configuration to use for the STS, if {@link STS_TOKEN_CRYPTO} is not + * set instead. + * The value of this tag must be either: + * a) A Java Properties object that contains the Crypto configuration. + * b) The path of the Crypto property file that contains the Crypto configuration. + * c) A URL that points to the Crypto property file that contains the Crypto configuration. + */ + public static final String STS_TOKEN_PROPERTIES = "security.sts.token.properties"; + + /** + * The alias name in the keystore to get the user's public key to send to the STS for the + * PublicKey KeyType case. 
+ */ + public static final String STS_TOKEN_USERNAME = "security.sts.token.username"; + + /** + * The token to be sent to the STS in an "ActAs" field. It can be either: + * a) A String (which must be an XML statement like "<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>") + * b) A DOM Element + * c) A CallbackHandler object to use to obtain the token + * + * In the case of a CallbackHandler, it must be able to handle a + * org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a + * reference to the current Message. The CallbackHandler implementation is required to set + * the token Element to be sent in the request on the Callback. + * + * Some examples that can be reused are: + * org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler + * org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler + */ + public static final String STS_TOKEN_ACT_AS = "security.sts.token.act-as"; + + /** + * The token to be sent to the STS in an "OnBehalfOf" field. It can be either: + * a) A String (which must be an XML statement like "<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>") + * b) A DOM Element + * c) A CallbackHandler object to use to obtain the token + * + * In the case of a CallbackHandler, it must be able to handle a + * org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a + * reference to the current Message. The CallbackHandler implementation is required to set + * the token Element to be sent in the request on the Callback. + * + * Some examples that can be reused are: + * org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler + * org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler + */ + public static final String STS_TOKEN_ON_BEHALF_OF = "security.sts.token.on-behalf-of"; + + /** + * This is the value in seconds within which a token is considered to be expired by the + * client. 
When a cached token (from a STS) is retrieved by the client, it is considered + * to be expired if it will expire in a time less than the value specified by this tag. + * This prevents token expiry when the message is en route / being processed by the + * service. When the token is found to be expired then it will be renewed via the STS. + * + * The default value is 10 (seconds). Specify 0 to avoid this check. + */ + public static final String STS_TOKEN_IMMINENT_EXPIRY_VALUE = + "security.sts.token.imminent-expiry-value"; + public static final Set<String> COMMON_PROPERTIES; static { @@ -201,7 +343,12 @@ public class SecurityConstants { SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO, ENCRYPT_CERT, ENABLE_REVOCATION, SUBJECT_CERT_CONSTRAINTS, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME, - ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT + ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT, + STS_TOKEN_USE_CERT_FOR_KEYINFO, STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT, + DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO, + STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF, + STS_CLIENT, STS_APPLIES_TO, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG, + STS_TOKEN_IMMINENT_EXPIRY_VALUE })); COMMON_PROPERTIES = Collections.unmodifiableSet(s); } http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java index a1cefcd..046b7c5 100644 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java 
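Review bot: The Javadoc on STS_TOKEN_ACT_AS illustrates the String form with an OnBehalfOf element (`"<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>"`), copied from the STS_TOKEN_ON_BEHALF_OF entry that follows; for an ActAs value the example should read `"<wst:ActAs xmlns:wst=...>...</wst:ActAs>"`, otherwise a reader will configure the wrong element. Both entries would also benefit from one sentence on provenance, since the value becomes a delegation token presented to the STS, e.g. `The token should come from a trusted source such as the WS-Security token received on the current message.`; how a String value is turned into XML is not visible in this hunk, so parser hardening is presumably handled elsewhere and worth confirming. Finally, every key in this block drops the old `ws-` prefix, and nothing in these comments tells users that the legacy `ws-security.*` names are still honoured as a fallback (this commit's SecurityUtils does that); a class-level note such as `Properties are also looked up under the legacy "ws-" prefixed name` would prevent surprises during migration.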
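Review bot: CACHE_ISSUED_TOKEN_IN_ENDPOINT appears twice in the entries added to COMMON_PROPERTIES (third item of the first added line and again right after STS_APPLIES_TO); the Set absorbs the duplicate, but the second occurrence should be removed so the list reads as an inventory, and the pre-existing double listing of ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL in the context lines above could go at the same time. STS_ISSUE_AFTER_FAILED_RENEW and STS_CLIENT_SOAP12_BINDING, defined in the same file by this commit, are not registered here; that matches the ALL_PROPERTIES list they were removed from in the ws-security class, so it is presumably intentional, but a short comment such as `// STS_ISSUE_AFTER_FAILED_RENEW and STS_CLIENT_SOAP12_BINDING are deliberately not listed` would stop the next maintainer from "fixing" it either way.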
@@ -31,6 +31,7 @@ import javax.security.auth.callback.CallbackHandler;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.classloader.ClassLoaderUtils.ClassLoaderHolder;
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.PropertyUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.resource.ResourceManager;
@@ -172,4 +173,20 @@ public final class SecurityUtils {
 }
 return message.getContextualProperty("ws-" + property);
 }
+
+ /**
+ * Get the security property boolean for the given property. It also checks for the older "ws-"* property
+ * values. If none is configured, then the defaultValue parameter is returned.
+ */
+ public static boolean getSecurityPropertyBoolean(String property, Message message, boolean defaultValue) {
+ Object value = message.getContextualProperty(property);
+ if (value == null) {
+ value = message.getContextualProperty("ws-" + property);
+ }
+
+ if (value != null) {
+ return PropertyUtils.isTrue(value);
+ }
+ return defaultValue;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 74eedeb..7d6fcdb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
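Review bot: getSecurityPropertyBoolean re-implements the two-key lookup that the method ending just above it in the hunk (presumably getSecurityPropertyValue, whose tail `return message.getContextualProperty("ws-" + property);` is visible) already performs, so the precedence rule — the `security.*` name wins over the legacy `ws-` name — now lives in two places and can drift. Delegating keeps it in one: `Object value = getSecurityPropertyValue(property, message);` followed by `return value != null ? PropertyUtils.isTrue(value) : defaultValue;`. The Javadoc should also state what counts as "true"; PropertyUtils.isTrue's rules are not visible here, so `@see PropertyUtils#isTrue(Object)` plus `@param defaultValue returned when neither the property nor its "ws-" form is set` is the honest addition.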
@@ -316,148 +316,6 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security public static final String POLICY_VALIDATOR_MAP = "ws-security.policy.validator.map"; // - // STS Client Configuration tags - // - - /** - * A reference to the STSClient class used to communicate with the STS. - */ - public static final String STS_CLIENT = "ws-security.sts.client"; - - /** - * The "AppliesTo" address to send to the STS. The default is the endpoint address of the - * service provider. - */ - public static final String STS_APPLIES_TO = "ws-security.sts.applies-to"; - - /** - * Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write - * out a KeyValue structure. The default value is "false". - */ - public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO = "ws-security.sts.token.usecert"; - - /** - * Whether to cancel a token when using SecureConversation after successful invocation. The - * default is "false". - */ - public static final String STS_TOKEN_DO_CANCEL = "ws-security.sts.token.do.cancel"; - - /** - * Whether to fall back to calling "issue" after failing to renew an expired token. Some - * STSs do not support the renew binding, and so we should just issue a new token after expiry. - * The default is true. - */ - public static final String STS_ISSUE_AFTER_FAILED_RENEW = "ws-security.issue.after.failed.renew"; - - /** - * Set this to "false" to not cache a SecurityToken per proxy object in the - * IssuedTokenInterceptorProvider. This should be done if a token is being retrieved - * from an STS in an intermediary. The default value is "true". - */ - public static final String CACHE_ISSUED_TOKEN_IN_ENDPOINT = - "ws-security.cache.issued.token.in.endpoint"; - - /** - * Whether to avoid STS client trying send WS-MetadataExchange call using - * STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. - * The default value is "false". 
- */ - public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS = - "ws-security.sts.disable-wsmex-call-using-epr-address"; - - /** - * Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties - * when making an STS RequestSecurityToken call. This can be set to true for the scenario - * of making a WS-MEX call to an initial STS, and using the returned token to make another - * call to an STS (which is configured using the STSClient configuration). Default is - * "false". - */ - public static final String PREFER_WSMEX_OVER_STS_CLIENT_CONFIG = - "ws-security.sts.prefer-wsmex"; - - /** - * Switch STS client to send Soap 1.2 messages - */ - public static final String STS_CLIENT_SOAP12_BINDING = - "ws-security.sts.client-soap12-binding"; - - /** - * - * A Crypto object to be used for the STS. If this is not defined then the - * {@link STS_TOKEN_PROPERTIES} is used instead. - * - * WCF's trust server sometimes will encrypt the token in the response IN ADDITION TO - * the full security on the message. These properties control the way the STS client - * will decrypt the EncryptedData elements in the response. - * - * These are also used by the STSClient to send/process any RSA/DSAKeyValue tokens - * used if the KeyType is "PublicKey" - */ - public static final String STS_TOKEN_CRYPTO = "ws-security.sts.token.crypto"; - - /** - * The Crypto property configuration to use for the STS, if {@link STS_TOKEN_CRYPTO} is not - * set instead. - * The value of this tag must be either: - * a) A Java Properties object that contains the Crypto configuration. - * b) The path of the Crypto property file that contains the Crypto configuration. - * c) A URL that points to the Crypto property file that contains the Crypto configuration. 
- */ - public static final String STS_TOKEN_PROPERTIES = "ws-security.sts.token.properties"; - - /** - * The alias name in the keystore to get the user's public key to send to the STS for the - * PublicKey KeyType case. - */ - public static final String STS_TOKEN_USERNAME = "ws-security.sts.token.username"; - - /** - * The token to be sent to the STS in an "ActAs" field. It can be either: - * a) A String (which must be an XML statement like "<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>") - * b) A DOM Element - * c) A CallbackHandler object to use to obtain the token - * - * In the case of a CallbackHandler, it must be able to handle a - * org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a - * reference to the current Message. The CallbackHandler implementation is required to set - * the token Element to be sent in the request on the Callback. - * - * Some examples that can be reused are: - * org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler - * org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler - */ - public static final String STS_TOKEN_ACT_AS = "ws-security.sts.token.act-as"; - - /** - * The token to be sent to the STS in an "OnBehalfOf" field. It can be either: - * a) A String (which must be an XML statement like "<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>") - * b) A DOM Element - * c) A CallbackHandler object to use to obtain the token - * - * In the case of a CallbackHandler, it must be able to handle a - * org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a - * reference to the current Message. The CallbackHandler implementation is required to set - * the token Element to be sent in the request on the Callback. 
- * - * Some examples that can be reused are: - * org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler - * org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler - */ - public static final String STS_TOKEN_ON_BEHALF_OF = "ws-security.sts.token.on-behalf-of"; - - /** - * This is the value in seconds within which a token is considered to be expired by the - * client. When a cached token (from a STS) is retrieved by the client, it is considered - * to be expired if it will expire in a time less than the value specified by this tag. - * This prevents token expiry when the message is en route / being processed by the - * service. When the token is found to be expired then it will be renewed via the STS. - * - * The default value is 10 (seconds). Specify 0 to avoid this check. - */ - public static final String STS_TOKEN_IMMINENT_EXPIRY_VALUE = - "ws-security.sts.token.imminent-expiry-value"; - - // // Kerberos Configuration tags // 
@@ -517,18 +375,13 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security NONCE_CACHE_INSTANCE, TIMESTAMP_CACHE_INSTANCE, CACHE_CONFIG_FILE, TOKEN_STORE_CACHE_INSTANCE, USERNAME_TOKEN_VALIDATOR, SAML1_TOKEN_VALIDATOR, SAML2_TOKEN_VALIDATOR, TIMESTAMP_TOKEN_VALIDATOR, SIGNATURE_TOKEN_VALIDATOR, - BST_TOKEN_VALIDATOR, SCT_TOKEN_VALIDATOR, STS_CLIENT, STS_APPLIES_TO, - STS_TOKEN_USE_CERT_FOR_KEYINFO, STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT, - DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO, - STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF, - TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND, - ASYMMETRIC_SIGNATURE_ALGORITHM, PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_SAML_ONE_TIME_USE_CACHE, + BST_TOKEN_VALIDATOR, SCT_TOKEN_VALIDATOR, TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, + SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND, ASYMMETRIC_SIGNATURE_ALGORITHM, + PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_SAML_ONE_TIME_USE_CACHE, SAML_ONE_TIME_USE_CACHE_INSTANCE, ENABLE_STREAMING_SECURITY, RETURN_SECURITY_ERROR, - CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG, - DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, - KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE, - KERBEROS_REQUEST_CREDENTIAL_DELEGATION, POLICY_VALIDATOR_MAP, - STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM + CACHE_IDENTIFIER, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, + KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION, + POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM })); for (String commonProperty : COMMON_PROPERTIES) { s.add(commonProperty); http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java 
---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java index 4cc4a13..a5310a0 100755 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java @@ -1554,9 +1554,6 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv protected CallbackHandler createHandler() { Object o = getProperty(SecurityConstants.CALLBACK_HANDLER); - if (o == null) { - o = getProperty("ws-" + SecurityConstants.CALLBACK_HANDLER); - } try { return SecurityUtils.getCallbackHandler(o); } catch (Exception e) { 
@@ -1565,19 +1562,36 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv } protected Object getProperty(String s) { - Object o = ctx.get(s); + String key = s; + + Object o = ctx.get(key); + if (o == null) { + o = client.getEndpoint().getEndpointInfo().getProperty(key); + } + if (o == null) { + o = client.getEndpoint().getEndpointInfo().getBinding().getProperty(key); + } if (o == null) { - o = client.getEndpoint().getEndpointInfo().getProperty(s); + o = client.getEndpoint().getService().get(key); } + + key = "ws-" + s; if (o == null) { - o = client.getEndpoint().getEndpointInfo().getBinding().getProperty(s); + o = ctx.get(key); } if (o == null) { - o = client.getEndpoint().getService().get(s); + o = client.getEndpoint().getEndpointInfo().getProperty(key); } + if (o == null) { + o = client.getEndpoint().getEndpointInfo().getBinding().getProperty(key); + } + if (o == null) { + o = client.getEndpoint().getService().get(key); + } + return o; } - + protected Crypto createCrypto(boolean decrypt) throws IOException, WSSecurityException { Crypto crypto = (Crypto)getProperty(SecurityConstants.STS_TOKEN_CRYPTO + (decrypt ? ".decrypt" : "")); if (crypto != null) { http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java index c9e5dc0..1e60888 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java 
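Review bot: The rewritten getProperty spells out the same four-level lookup (request context, endpoint info, binding, service) twice, once for the new key and once for the `"ws-"` prefixed key, and only the first copy can be read without comparing both halves line by line; a private helper called twice says the same thing in a third of the lines. The precedence this establishes is also worth a comment, because it is new behaviour for every key other than CALLBACK_HANDLER: a `security.*` value set anywhere, even at service level, now beats a legacy `ws-security.*` value set in the request context. createCrypto starts at the end of this hunk and continues outside it.

```java
    protected Object getProperty(String s) {
        // The new "security.*" name wins at every level before the legacy "ws-" name is consulted.
        Object o = lookupProperty(s);
        return o != null ? o : lookupProperty("ws-" + s);
    }

    // Request context first, then endpoint, binding and service properties.
    private Object lookupProperty(String key) {
        Object o = ctx.get(key);
        if (o == null) {
            o = client.getEndpoint().getEndpointInfo().getProperty(key);
        }
        if (o == null) {
            o = client.getEndpoint().getEndpointInfo().getBinding().getProperty(key);
        }
        if (o == null) {
            o = client.getEndpoint().getService().get(key);
        }
        return o;
    }
```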
@@ -29,7 +29,7 @@ import org.w3c.dom.Element; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.message.Message; -import org.apache.cxf.message.MessageUtils; +import org.apache.cxf.rt.security.utils.SecurityUtils; import org.apache.cxf.ws.addressing.AddressingProperties; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; @@ -61,9 +61,8 @@ public final class STSTokenRetriever { } boolean cacheIssuedToken = - MessageUtils.getContextualBoolean( + SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, message, - SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, true) && !isOneTimeUse(tok); if (cacheIssuedToken) { @@ -86,9 +85,8 @@ public final class STSTokenRetriever { private static SecurityToken retrieveCachedToken(Message message) { boolean cacheIssuedToken = - MessageUtils.getContextualBoolean( + SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, message, - SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, true); SecurityToken tok = null; if (cacheIssuedToken) { 
@@ -124,19 +122,19 @@ public final class STSTokenRetriever { try { // Transpose ActAs/OnBehalfOf info from original request to the STS client. Object token = - message.getContextualProperty(SecurityConstants.STS_TOKEN_ACT_AS); + SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_ACT_AS, message); if (token != null) { client.setActAs(token); } token = - message.getContextualProperty(SecurityConstants.STS_TOKEN_ON_BEHALF_OF); + SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_ON_BEHALF_OF, message); if (token != null) { client.setOnBehalfOf(token); } Map<String, Object> ctx = client.getRequestContext(); mapSecurityProps(message, ctx); - Object o = message.getContextualProperty(SecurityConstants.STS_APPLIES_TO); + Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_APPLIES_TO, message); String appliesTo = o == null ? null : o.toString(); appliesTo = appliesTo == null ? message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString() @@ -177,8 +175,8 @@ public final class STSTokenRetriever { SecurityToken tok, TokenRequestParams params) { String imminentExpiryValue = - (String)message - .getContextualProperty(SecurityConstants.STS_TOKEN_IMMINENT_EXPIRY_VALUE); + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_IMMINENT_EXPIRY_VALUE, + message); long imminentExpiry = 10L; if (imminentExpiryValue != null) { imminentExpiry = Long.parseLong(imminentExpiryValue); @@ -229,10 +227,8 @@ public final class STSTokenRetriever { } catch (RuntimeException ex) { LOG.log(Level.WARNING, "Error renewing a token", ex); boolean issueAfterFailedRenew = - MessageUtils - .getContextualBoolean( - message, - SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, true); + SecurityUtils.getSecurityPropertyBoolean( + SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, message, true); if (issueAfterFailedRenew) { // Perhaps the STS does not support renewing, so try to issue a new token return issueToken(message, params); 
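Review bot: The imminent-expiry lookup in the second hunk still casts the property to String and then calls Long.parseLong on it, so a value configured programmatically as an Integer or Long fails with ClassCastException and a mistyped string with NumberFormatException, and either aborts token retrieval for the request with an exception that never names the property. Now that the value comes through SecurityUtils.getSecurityPropertyValue, reading it as `Object value` and converting with `imminentExpiry = Long.parseLong(value.toString().trim());` accepts both forms, and wrapping the NumberFormatException in a Fault that mentions SecurityConstants.STS_TOKEN_IMMINENT_EXPIRY_VALUE makes the misconfiguration obvious. The constant's Javadoc says 0 disables the check but is silent on negative values; if they are not meant to be accepted, a `< 0` guard here is the place for it. The enclosing method continues beyond the hunk.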
@@ -242,10 +238,8 @@ public final class STSTokenRetriever { } catch (Exception ex) { LOG.log(Level.WARNING, "Error renewing a token", ex); boolean issueAfterFailedRenew = - MessageUtils - .getContextualBoolean( - message, - SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, true); + SecurityUtils.getSecurityPropertyBoolean( + SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, message, true); if (issueAfterFailedRenew) { // Perhaps the STS does not support renewing, so try to issue a new token return issueToken(message, params); http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java index 0411140..55d56f4 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java @@ -35,7 +35,7 @@ import org.apache.cxf.endpoint.EndpointException; import org.apache.cxf.endpoint.EndpointImpl; import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.message.Message; -import org.apache.cxf.message.MessageUtils; +import org.apache.cxf.rt.security.utils.SecurityUtils; import org.apache.cxf.service.Service; import org.apache.cxf.service.ServiceImpl; import org.apache.cxf.service.model.BindingInfo; 
@@ -103,8 +103,8 @@ public final class STSUtils { public static STSClient getClientWithIssuer(Message message, String type, Element issuer) { // Retrieve or create the STSClient - STSClient client = (STSClient)message - .getContextualProperty(SecurityConstants.STS_CLIENT); + STSClient client = + (STSClient)SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_CLIENT, message); if (client == null) { client = createSTSClient(message, type); Bus bus = message.getExchange().getBus(); @@ -130,13 +130,15 @@ public final class STSUtils { String mexLocation = findMEXLocation(epr); // Configure via WS-MEX + if (mexLocation != null - && MessageUtils.getContextualBoolean(message, - SecurityConstants.PREFER_WSMEX_OVER_STS_CLIENT_CONFIG, + && SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.PREFER_WSMEX_OVER_STS_CLIENT_CONFIG, + message, false)) { // WS-MEX call. So now either get the WS-MEX specific STSClient or else create one - STSClient wsMexClient = (STSClient)message - .getContextualProperty(SecurityConstants.STS_CLIENT + ".wsmex"); + STSClient wsMexClient = + (STSClient)SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_CLIENT + ".wsmex", + message); if (wsMexClient == null) { wsMexClient = createSTSClient(message, type); } @@ -145,8 +147,8 @@ public final class STSUtils { } else if (configureViaEPR(client, epr)) { // Only use WS-MEX here if the pre-configured STSClient has no location/wsdllocation boolean useEPRWSAAddrAsMEXLocation = - !Boolean.valueOf((String)message.getContextualProperty( - SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS)); + !Boolean.valueOf((String)SecurityUtils.getSecurityPropertyValue( + SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, message)); client.configureViaEPR(epr, useEPRWSAAddrAsMEXLocation); return client; 
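Review bot: In the third hunk `useEPRWSAAddrAsMEXLocation` still goes through `Boolean.valueOf((String) ...)`, so a DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS value set as a Boolean throws ClassCastException, while the PREFER_WSMEX_OVER_STS_CLIENT_CONFIG flag a few lines earlier in the same method is read through getSecurityPropertyBoolean in this very commit. Using the same helper here, `!SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, message, false)`, accepts String and Boolean values alike and keeps the default (not disabled, so the EPR address is used for the WS-MEX call) aligned with the constant's Javadoc. The enclosing method, presumably getClientWithIssuer, continues past the end of the hunk.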
@@ -170,7 +172,9 @@ public final class STSUtils { Endpoint ep = message.getExchange().getEndpoint(); client.setEndpointName(ep.getEndpointInfo().getName().toString() + type); client.setBeanName(ep.getEndpointInfo().getName().toString() + type); - if (MessageUtils.getContextualBoolean(message, SecurityConstants.STS_CLIENT_SOAP12_BINDING, false)) { + if (SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.STS_CLIENT_SOAP12_BINDING, + message, + false)) { client.setSoap12(); } http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java index 9c885b9..540d010 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java 
@@ -205,6 +205,9 @@ public class AsymmetricBindingTest extends AbstractBusClientServerTestBase { BindingProvider bindingProvider = (BindingProvider)asymmetricSaml1EncryptedPort; STSClient stsClient = (STSClient)bindingProvider.getRequestContext().get(SecurityConstants.STS_CLIENT); + if (stsClient == null) { + stsClient = (STSClient)bindingProvider.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT); + } Crypto crypto = CryptoFactory.getInstance("clientKeystore.properties"); CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); cryptoType.setAlias("myclientkey"); http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java index cffc087..85e59c1 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java @@ -52,6 +52,9 @@ public final class TokenTestUtils { org.apache.cxf.ws.security.tokenstore.SecurityToken tok = store.getToken(id); assertNotNull(tok); STSClient sts = (STSClient)ep.get(SecurityConstants.STS_CLIENT); + if (sts == null) { + sts = (STSClient)ep.get("ws-" + SecurityConstants.STS_CLIENT); + } List<SecurityToken> validTokens = sts.validateSecurityToken(tok); assertTrue(validTokens != null && !validTokens.isEmpty()); 
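Review bot: In the TokenTestUtils hunk `sts` can still be null after both lookups (the endpoint configured under neither the new nor the legacy name), and the next line `sts.validateSecurityToken(tok)` then fails with a NullPointerException instead of a message naming the missing configuration. An `assertNotNull(sts);` before the call, mirroring the `assertNotNull(tok)` two lines above, turns that into a self-explanatory test failure. A comment on the fallback line, `// endpoint config may still use the legacy "ws-" property name`, would tell the next reader why two keys are tried.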
@@ -75,6 +78,9 @@ public final class TokenTestUtils {
 public static void updateSTSPort(BindingProvider p, String port) {
 STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+ if (stsClient == null) {
+ stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+ }
 if (stsClient != null) {
 String location = stsClient.getWsdlLocation();
 if (location != null && location.contains("8080")) {
@@ -84,6 +90,9 @@ public final class TokenTestUtils {
 }
 }
 stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT + ".sct");
+ if (stsClient == null) {
+ stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT + ".sct");
+ }
 if (stsClient != null) {
 String location = stsClient.getWsdlLocation();
 if (location.contains("8080")) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
index a0e36ef..add6aeb 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
@@ -69,6 +69,9 @@ public class IntermediaryCachingPortTypeImpl extends AbstractBusClientServerTest
 if ("standalone".equals(System.getProperty("sts.deployment"))) {
 Map<String, Object> context = ((BindingProvider)transportPort).getRequestContext();
 STSClient stsClient = (STSClient)context.get(SecurityConstants.STS_CLIENT);
+ if (stsClient == null) {
+ stsClient = (STSClient)context.get("ws-" + SecurityConstants.STS_CLIENT);
+ }
 if (stsClient != null) {
 String location = stsClient.getWsdlLocation();
 if (location.contains("8080")) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
index 1c17594..32b4799 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
@@ -68,6 +68,9 @@ public class IntermediaryPortTypeImpl extends AbstractBusClientServerTestBase im
 if ("standalone".equals(System.getProperty("sts.deployment"))) {
 Map<String, Object> context = ((BindingProvider)transportPort).getRequestContext();
 STSClient stsClient = (STSClient)context.get(SecurityConstants.STS_CLIENT);
+ if (stsClient == null) {
+ stsClient = (STSClient)context.get("ws-" + SecurityConstants.STS_CLIENT);
+ }
 if (stsClient != null) {
 String location = stsClient.getWsdlLocation();
 if (location.contains("8080")) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
index 94260c7..c66eea4 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
@@ -381,6 +381,9 @@ public class UsernameActAsCachingTest extends AbstractBusClientServerTestBase {
 // Disable appliesTo
 BindingProvider p = (BindingProvider)port;
 STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+ if (stsClient == null) {
+ stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+ }
 stsClient.setEnableAppliesTo(false);
 doubleIt(port, 25);
@@ -407,6 +410,9 @@ public class UsernameActAsCachingTest extends AbstractBusClientServerTestBase {
 private void clearSTSClient(BindingProvider p) throws BusException, EndpointException {
 STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+ if (stsClient == null) {
+ stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+ }
 stsClient.getClient().destroy();
 stsClient.setWsdlLocation(null);
 stsClient.setLocation(null);
http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
index 644f348..555c5a2 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
@@ -381,6 +381,9 @@ public class UsernameOnBehalfOfCachingTest extends AbstractBusClientServerTestBa
 // Disable appliesTo
 BindingProvider p = (BindingProvider)port;
 STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+ if (stsClient == null) {
+ stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+ }
 stsClient.setEnableAppliesTo(false);
 doubleIt(port, 25);
@@ -407,6 +410,9 @@ public class UsernameOnBehalfOfCachingTest extends AbstractBusClientServerTestBa
 private void clearSTSClient(BindingProvider p) throws BusException, EndpointException {
 STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+ if (stsClient == null) {
+ stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+ }
 stsClient.getClient().destroy();
 stsClient.setWsdlLocation(null);
 stsClient.setLocation(null);