Repository: cxf Updated Branches: refs/heads/master 7e952df66 -> a81534d66
Extracted STSAuthParams from STSTokenOutInterceptor
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a81534d6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a81534d6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a81534d6
Branch: refs/heads/master
Commit: a81534d6655e046e7d316e6de38095fe3f4949cb
Parents: 7e952df
Author: Andrei Shakirin <andrei.shaki...@gmail.com>
Authored: Sun Jan 8 22:52:16 2017 +0100
Committer: Andrei Shakirin <andrei.shaki...@gmail.com>
Committed: Sun Jan 8 22:52:16 2017 +0100
----------------------------------------------------------------------
.../interceptors/STSTokenOutInterceptor.java | 61 +++++--------
.../cxf/ws/security/trust/STSAuthParams.java | 90 ++++++++++++++++++++
.../apache/cxf/ws/security/trust/STSUtils.java | 40 ++++++++-
.../stsclient/STSTokenOutInterceptorTest.java | 12 +--
4 files changed, 154 insertions(+), 49 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/a81534d6/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSTokenOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSTokenOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSTokenOutInterceptor.java
index ac71eac..c5a2f7c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSTokenOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSTokenOutInterceptor.java
@@ -19,8 +19,6 @@
 package org.apache.cxf.ws.security.policy.interceptors;
-import java.util.HashMap;
-import java.util.Map;
 import java.util.logging.Logger;
 import javax.xml.namespace.QName;
@@ -33,30 +31,30 @@ import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.trust.STSAuthParams;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSTokenRetriever;
 import org.apache.cxf.ws.security.trust.STSTokenRetriever.TokenRequestParams;
+import org.apache.cxf.ws.security.trust.STSUtils;
 public class STSTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
 private static final Logger LOG = LogUtils.getL7dLogger(STSTokenOutInterceptor.class);
- private static final String TOKEN_TYPE_SAML_2_0 =
- "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
 private static final String KEY_TYPE_X509 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
 private static final String WS_TRUST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
- private static final QName STS_SERVICE_NAME = new QName(WS_TRUST_NS, "SecurityTokenService");
 private static final QName X509_ENDPOINT = new QName(WS_TRUST_NS, "X509_Port");
 private static final QName TRANSPORT_ENDPOINT = new QName(WS_TRUST_NS, "Transport_Port");
+ private static final QName UT_ENDPOINT = new QName(WS_TRUST_NS, "UT_Port");
 private STSClient stsClient;
 private TokenRequestParams tokenParams;
- public STSTokenOutInterceptor(AuthParams authParams, String stsWsdlLocation, Bus bus) {
+ public STSTokenOutInterceptor(STSAuthParams authParams, String stsWsdlLocation, Bus bus) {
 this(Phase.PREPARE_SEND, authParams, stsWsdlLocation, bus);
 }
- public STSTokenOutInterceptor(String phase, AuthParams authParams, String stsWsdlLocation, Bus bus) {
+ public STSTokenOutInterceptor(String phase, STSAuthParams authParams, String stsWsdlLocation, Bus bus) {
 super(phase);
- this.stsClient = configureBasicSTSClient(authParams, stsWsdlLocation, bus);
+ this.stsClient =
STSUtils.createSTSClient(authParams, stsWsdlLocation, bus);
 this.tokenParams = new TokenRequestParams();
 }
@@ -95,9 +93,15 @@ public class STSTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
 return stsClient;
 }
+ /**
+ * A enumeration to specify authentication mode in communication with STS.
+ * @deprecated use {@link org.apache.cxf.ws.security.trust.STSAuthParams.AuthMode}
+ */
+ @Deprecated
 public enum AuthMode {
- X509(X509_ENDPOINT, KEY_TYPE_X509),
- TRANSPORT(TRANSPORT_ENDPOINT, null);
+ X509_ASSYMETRIC(X509_ENDPOINT, KEY_TYPE_X509),
+ UT_TRANSPORT(TRANSPORT_ENDPOINT, null),
+ UT_SYMMETRIC(UT_ENDPOINT, null);
 private final QName endpointName;
 private final String keyType;
@@ -116,6 +120,11 @@ public class STSTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
 }
 }
+ /**
+ * A class to specify authentication parameters for communication with STS.
+ * @deprecated use {@link org.apache.cxf.ws.security.trust.STSAuthParams}
+ */
+ @Deprecated
 public static class AuthParams {
 private final AuthMode authMode;
 private final String userName;
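Review bot: Both public constructors now accept only STSAuthParams, so callers of the previous `STSTokenOutInterceptor(AuthParams, String, Bus)` and `STSTokenOutInterceptor(String, AuthParams, String, Bus)` stop compiling even though the nested AuthParams class is kept and merely marked @Deprecated further down in this file. If the deprecation is meant to give users a migration window, keep @Deprecated overloads that adapt the old type to STSAuthParams; since this commit renames the deprecated AuthMode constants to match STSAuthParams.AuthMode, a by-name mapping is enough. The class body continues outside this hunk.
```java
public STSTokenOutInterceptor(String phase, STSAuthParams authParams, String stsWsdlLocation, Bus bus) {
    // … unchanged: super(phase); STS client and TokenRequestParams setup …
}

/** @deprecated use {@link #STSTokenOutInterceptor(STSAuthParams, String, Bus)} */
@Deprecated
public STSTokenOutInterceptor(AuthParams authParams, String stsWsdlLocation, Bus bus) {
    this(Phase.PREPARE_SEND, toSTSAuthParams(authParams), stsWsdlLocation, bus);
}

/** @deprecated use {@link #STSTokenOutInterceptor(String, STSAuthParams, String, Bus)} */
@Deprecated
public STSTokenOutInterceptor(String phase, AuthParams authParams, String stsWsdlLocation, Bus bus) {
    this(phase, toSTSAuthParams(authParams), stsWsdlLocation, bus);
}

// Adapts the deprecated nested AuthParams to STSAuthParams; relies on both AuthMode enums
// using the same constant names, which this commit establishes.
private static STSAuthParams toSTSAuthParams(AuthParams authParams) {
    return new STSAuthParams(
        STSAuthParams.AuthMode.valueOf(authParams.getAuthMode().name()),
        authParams.getUserName(), authParams.getCallbackHandler(),
        authParams.getAlias(), authParams.getKeystoreProperties());
}
```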
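Review bot: Renaming the constants of the nested AuthMode enum (`X509` to `X509_ASSYMETRIC`, `TRANSPORT` to `UT_TRANSPORT`) in the same commit that marks it @Deprecated breaks every existing reference to `AuthMode.X509` or `AuthMode.TRANSPORT`, which is exactly what a deprecation is meant to avoid; either keep the old constants next to the new ones or leave the deprecated enum untouched. The new name `X509_ASSYMETRIC` is also a misspelling of ASYMMETRIC, and it is introduced into both this enum and the new STSAuthParams.AuthMode, so it is worth correcting before a release freezes it into the public API. The Javadoc should read `An enumeration to specify the authentication mode in communication with the STS.`; the enum body continues outside this hunk.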
@@ -152,36 +161,4 @@ public class STSTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
 return keystoreProperties;
 }
 }
-
- private STSClient configureBasicSTSClient(AuthParams authParams, String stsWsdlLocation, Bus bus) {
- STSClient basicStsClient = new STSClient(bus);
- basicStsClient.setWsdlLocation(stsWsdlLocation);
- basicStsClient.setServiceName(STS_SERVICE_NAME.toString());
- basicStsClient.setEndpointName(authParams.getAuthMode().endpointName.toString());
- if (authParams.getAuthMode().getKeyType() != null) {
- basicStsClient.setKeyType(authParams.getAuthMode().getKeyType());
- } else {
- basicStsClient.setSendKeyType(false);
- }
- basicStsClient.setTokenType(TOKEN_TYPE_SAML_2_0);
- basicStsClient.setAllowRenewingAfterExpiry(true);
- basicStsClient.setEnableLifetime(true);
-
- Map<String, Object> props = new HashMap<String, Object>();
- if (authParams.getUserName() != null) {
- props.put(SecurityConstants.USERNAME, authParams.getUserName());
- }
- props.put(SecurityConstants.CALLBACK_HANDLER, authParams.getCallbackHandler());
- if (authParams.getKeystoreProperties() != null) {
- props.put(SecurityConstants.ENCRYPT_USERNAME, authParams.getAlias());
- props.put(SecurityConstants.ENCRYPT_PROPERTIES, authParams.getKeystoreProperties());
- props.put(SecurityConstants.SIGNATURE_PROPERTIES, authParams.getKeystoreProperties());
- props.put(SecurityConstants.STS_TOKEN_USERNAME, authParams.getAlias());
- props.put(SecurityConstants.STS_TOKEN_PROPERTIES, authParams.getKeystoreProperties());
- props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true");
- }
- basicStsClient.setProperties(props);
-
- return basicStsClient;
- }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/a81534d6/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSAuthParams.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSAuthParams.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSAuthParams.java
new file mode 100644
index 0000000..8ea3749
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSAuthParams.java
@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.trust;
+
+import javax.xml.namespace.QName;
+
+/**
+ * Authentication parameters to obtain SAML token from STS.
+ */
+public class STSAuthParams {
+ private static final String WS_TRUST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
+ private static final String KEY_TYPE_X509 = WS_TRUST_NS + "PublicKey";
+ private static final QName X509_ENDPOINT = new QName(WS_TRUST_NS, "X509_Port");
+ private static final QName TRANSPORT_ENDPOINT = new QName(WS_TRUST_NS, "Transport_Port");
+ private static final QName UT_ENDPOINT = new QName(WS_TRUST_NS, "UT_Port");
+
+ private final AuthMode authMode;
+ private final String userName;
+ private final String callbackHandler;
+ private final String alias;
+ private final String keystoreProperties;
+
+ public STSAuthParams(AuthMode authMode, String userName, String callbackHandler) {
+ this(authMode, userName, callbackHandler, null, null);
+ }
+
+ public STSAuthParams(AuthMode authMode, String userName, String callbackHandler, String alias,
+ String keystoreProperties) {
+ this.authMode = authMode;
+ this.userName = userName;
+ this.callbackHandler =
callbackHandler;
+ this.alias = alias;
+ this.keystoreProperties = keystoreProperties;
+ }
+
+ public AuthMode getAuthMode() {
+ return authMode;
+ }
+ public String getUserName() {
+ return userName;
+ }
+ public String getCallbackHandler() {
+ return callbackHandler;
+ }
+ public String getAlias() {
+ return alias;
+ }
+ public String getKeystoreProperties() {
+ return keystoreProperties;
+ }
+
+ public enum AuthMode {
+ X509_ASSYMETRIC(X509_ENDPOINT, KEY_TYPE_X509),
+ UT_TRANSPORT(TRANSPORT_ENDPOINT, null),
+ UT_SYMMETRIC(UT_ENDPOINT, null);
+
+ private final QName endpointName;
+ private final String keyType;
+
+ AuthMode(QName endpointName, String keyType) {
+ this.endpointName = endpointName;
+ this.keyType = keyType;
+ }
+
+ public QName getEndpointName() {
+ return endpointName;
+ }
+
+ public String getKeyType() {
+ return keyType;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a81534d6/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
index 3cb4f3a..bd87000 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
@@ -19,6 +19,9 @@
 package org.apache.cxf.ws.security.trust;
+import java.util.HashMap;
+import java.util.Map;
+
 import javax.xml.bind.JAXBException;
 import javax.xml.namespace.QName;
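Review bot: Neither STSAuthParams constructor validates authMode, yet `STSUtils.createSTSClient` dereferences `authParams.getAuthMode()` unconditionally, so a caller passing null fails only later with a bare NullPointerException inside client setup; rejecting it at construction, `this.authMode = Objects.requireNonNull(authMode, "authMode");` together with `import java.util.Objects;`, reports the mistake where it is made. The class has a one-line summary but its constructors, getters and the AuthMode enum carry no Javadoc; document that callbackHandler is presumably a fully qualified class name rather than a handler instance (the tests pass `"org.apache.cxf.systest.sts.common.CommonCallbackHandler"`) and that alias and keystoreProperties may be null, which the three-argument constructor relies on. `X509_ASSYMETRIC` is a misspelling of ASYMMETRIC that becomes public API with this file.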
@@ -77,6 +80,10 @@ public final class STSUtils {
 public static final String TOKEN_TYPE_SCT_05_02 = SCT_NS_05_02 + "/sct";
 public static final String TOKEN_TYPE_SCT_05_12 = SCT_NS_05_12 + "/sct";
+ private static final String TOKEN_TYPE_SAML_2_0 =
+ "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
+ private static final QName STS_SERVICE_NAME = new QName(WST_NS_05_12 + "/", "SecurityTokenService");
+
 private STSUtils() {
 //utility class
 }
@@ -181,6 +188,38 @@ public final class STSUtils {
 return client;
 }
+ public static STSClient createSTSClient(STSAuthParams authParams, String stsWsdlLocation, Bus bus) {
+ STSClient basicStsClient = new STSClient(bus);
+ basicStsClient.setWsdlLocation(stsWsdlLocation);
+ basicStsClient.setServiceName(STS_SERVICE_NAME.toString());
+ basicStsClient.setEndpointName(authParams.getAuthMode().getEndpointName().toString());
+ if (authParams.getAuthMode().getKeyType() != null) {
+ basicStsClient.setKeyType(authParams.getAuthMode().getKeyType());
+ } else {
+ basicStsClient.setSendKeyType(false);
+ }
+ basicStsClient.setTokenType(TOKEN_TYPE_SAML_2_0);
+ basicStsClient.setAllowRenewingAfterExpiry(true);
+ basicStsClient.setEnableLifetime(true);
+
+ Map<String, Object> props = new HashMap<String, Object>();
+ if (authParams.getUserName() != null) {
+ props.put(SecurityConstants.USERNAME, authParams.getUserName());
+ }
+ props.put(SecurityConstants.CALLBACK_HANDLER, authParams.getCallbackHandler());
+ if (authParams.getKeystoreProperties() != null) {
+ props.put(SecurityConstants.ENCRYPT_USERNAME, authParams.getAlias());
+ props.put(SecurityConstants.ENCRYPT_PROPERTIES, authParams.getKeystoreProperties());
+ props.put(SecurityConstants.SIGNATURE_PROPERTIES, authParams.getKeystoreProperties());
+ props.put(SecurityConstants.STS_TOKEN_USERNAME, authParams.getAlias());
+ props.put(SecurityConstants.STS_TOKEN_PROPERTIES, authParams.getKeystoreProperties());
+ props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true");
+ }
+ basicStsClient.setProperties(props);
+
+ return basicStsClient;
+ }
+
 public static String findMEXLocation(EndpointReferenceType ref) {
 if (ref.getMetadata() != null && ref.getMetadata().getAny() != null) {
 for (Object any : ref.getMetadata().getAny()) {
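Review bot: createSTSClient is a new public utility with no Javadoc and no argument validation: a null authParams, or one whose authMode is null, surfaces as a NullPointerException on the `setEndpointName` line that names neither the parameter nor the interceptor being configured. Add `Objects.requireNonNull(authParams, "authParams");` and `Objects.requireNonNull(authParams.getAuthMode(), "authParams.authMode");` at the top, with java.util.Objects imported next to the HashMap/Map imports this commit adds. `props.put(SecurityConstants.CALLBACK_HANDLER, authParams.getCallbackHandler())` stores a null value when no handler is given, whereas USERNAME is only stored when present; guard it the same way so the property map never carries null entries. Two choices are now hidden inside a shared helper and belong in its Javadoc: the client is set to renew tokens after expiry via `setAllowRenewingAfterExpiry(true)`, and the signature/encryption keystore properties are applied only when keystoreProperties is non-null, so an X509_ASSYMETRIC configuration without them is not rejected here and will presumably fail only at request time.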
@@ -231,7 +270,6 @@ public final class STSUtils {
 return createSTSEndpoint(bus, namespace, transportId, location, soapVersion, policy, null, true);
 }
- //CHECKSTYLE:OFF
 private static Endpoint createSTSEndpoint(Bus bus, String namespace,
http://git-wip-us.apache.org/repos/asf/cxf/blob/a81534d6/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
index 5a78f3e..8b7ab11 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
@@ -60,9 +60,9 @@ import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.interceptors.STSTokenOutInterceptor;
-import org.apache.cxf.ws.security.policy.interceptors.STSTokenOutInterceptor.AuthMode;
-import org.apache.cxf.ws.security.policy.interceptors.STSTokenOutInterceptor.AuthParams;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.trust.STSAuthParams;
+import org.apache.cxf.ws.security.trust.STSAuthParams.AuthMode;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.junit.AfterClass;
@@ -119,8 +119,8 @@ public class STSTokenOutInterceptorTest extends AbstractBusClientServerTestBase
 public void testBasicAsymmetricBinding() throws Exception {
 Bus bus = BusFactory.getThreadDefaultBus();
- AuthParams authParams = new AuthParams(
- AuthMode.X509,
+ STSAuthParams authParams = new STSAuthParams(
+ AuthMode.X509_ASSYMETRIC,
 null,
 "org.apache.cxf.systest.sts.common.CommonCallbackHandler",
 "mystskey",
@@ -145,8 +145,8 @@ public class STSTokenOutInterceptorTest extends AbstractBusClientServerTestBase
 configureDefaultHttpsConnection();
 Bus bus = BusFactory.getThreadDefaultBus();
- AuthParams authParams = new AuthParams(
- AuthMode.TRANSPORT,
+ STSAuthParams authParams = new STSAuthParams(
+ AuthMode.UT_TRANSPORT,
 "alice",
 "org.apache.cxf.systest.sts.common.CommonCallbackHandler",
 null,