From cohei...@apache.org
Subject svn commit: r1207955 - in /webservices/wss4j/trunk/src: main/java/org/apache/ws/security/message/ main/java/org/apache/ws/security/message/token/ main/java/org/apache/ws/security/spnego/ test/java/org/apache/ws/security/message/ test/java/org/apache/ws...
Date Tue, 29 Nov 2011 16:40:47 GMT
Author: coheigea
Date: Tue Nov 29 16:40:41 2011
New Revision: 1207955

URL: http://svn.apache.org/viewvc?rev=1207955&view=rev
Log:
Added some initial support for service-side SPNEGO validation.
 - Also updated the SecurityContextToken to return the correct (WS-Trust) token type depending
on the namespace of the token

Added:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoServiceAction.java
Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityContextToken.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SecurityContextTokenTest.java
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java?rev=1207955&r1=1207954&r2=1207955&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDerivedKeyBase.java
Tue Nov 29 16:40:41 2011
@@ -260,7 +260,8 @@ public abstract class WSSecDerivedKeyBas
                 } else if (KerberosSecurity.isKerberosToken(customValueType)) {
                     secRef.addTokenType(customValueType);
                     ref.setValueType(customValueType);
-                } else if (WSConstants.WSC_SCT.equals(customValueType)) {
+                } else if (WSConstants.WSC_SCT.equals(customValueType)
+                    || WSConstants.WSC_SCT_05_12.equals(customValueType)) {
                     ref.setValueType(customValueType);
                 } else if (!WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE.equals(customValueType))
{
                     secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
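Review bot: The pair of accepted SCT value types is now enumerated by hand both here and in SecurityTokenReference (hunk at @@ -314), so a future WS-SecureConversation namespace has to be added to two separate `||` chains. A single predicate next to the constants, e.g. a proposed `static boolean isSCTValueType(String type)` that compares against WSC_SCT and WSC_SCT_05_12, would keep the two sites in step and would mirror the existing `KerberosSecurity.isKerberosToken(customValueType)` branch two lines above. The enclosing method starts and ends outside the hunk.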

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityContextToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityContextToken.java?rev=1207955&r1=1207954&r2=1207955&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityContextToken.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityContextToken.java
Tue Nov 29 16:40:41 2011
@@ -52,6 +52,8 @@ public class SecurityContextToken {
     
     private WSSConfig wssConfig = WSSConfig.getNewInstance();
     
+    private String tokenType = WSConstants.WSC_SCT;
+    
     /**
      * Constructor to create the SCT
      *
@@ -116,6 +118,12 @@ public class SecurityContextToken {
         element.appendChild(elementIdentifier);
 
         elementIdentifier.appendChild(doc.createTextNode(uuid));
+        
+        if (version == ConversationConstants.VERSION_05_02) {
+            tokenType = WSConstants.WSC_SCT;
+        } else {
+            tokenType = WSConstants.WSC_SCT_05_12;
+        }
     }
 
     
@@ -130,9 +138,11 @@ public class SecurityContextToken {
         QName el = new QName(element.getNamespaceURI(), element.getLocalName());
 
         // If the element is not a security context token, throw an exception
-        if (!(el.equals(ConversationConstants.SECURITY_CTX_TOKEN_QNAME_05_02) ||
-            el.equals(ConversationConstants.SECURITY_CTX_TOKEN_QNAME_05_12))
-        ) {
+        if (el.equals(ConversationConstants.SECURITY_CTX_TOKEN_QNAME_05_02)) {
+            tokenType = WSConstants.WSC_SCT;
+        } else if (el.equals(ConversationConstants.SECURITY_CTX_TOKEN_QNAME_05_12)) {
+            tokenType = WSConstants.WSC_SCT_05_12;
+        } else {
             throw new WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN);
         }
 
@@ -171,6 +181,13 @@ public class SecurityContextToken {
         }
         return null;
     }
+    
+    /**
+     * Get the WS-Trust tokenType String associated with this token
+     */
+    public String getTokenType() {
+        return tokenType;
+    }
 
     public void setElement(Element elem) {
         element.appendChild(elem);
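Review bot: The Javadoc on the new getTokenType() has no `@return`, and nothing tells a reader which values to expect; from the two constructors in the earlier hunks the field is only ever WSConstants.WSC_SCT or WSConstants.WSC_SCT_05_12 and is never null, since it is initialised to WSC_SCT. Suggest adding `@return the WS-Trust TokenType URI of this SCT: {@code WSConstants.WSC_SCT} for the 05/02 namespace or {@code WSConstants.WSC_SCT_05_12} for 05/12; never {@code null}`. setElement on the hunk's last line continues outside the hunk.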

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=1207955&r1=1207954&r2=1207955&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
Tue Nov 29 16:40:41 2011
@@ -314,6 +314,7 @@ public class SecurityTokenReference {
         // Try to find a custom token
         //
         if (cb != null && (WSConstants.WSC_SCT.equals(type)
+            || WSConstants.WSC_SCT_05_12.equals(type)
             || WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type) 
             || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type)
             || KerberosSecurity.isKerberosToken(type))) {

Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoServiceAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoServiceAction.java?rev=1207955&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoServiceAction.java
(added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoServiceAction.java
Tue Nov 29 16:40:41 2011
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.spnego;
+
+import java.security.PrivilegedAction;
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+/**
+ * This class represents a PrivilegedAction implementation to validate a received (SPNEGO)
ticket to a KDC.
+ */
+public class SpnegoServiceAction implements PrivilegedAction<byte[]> {
+    private static org.apache.commons.logging.Log log =
+        org.apache.commons.logging.LogFactory.getLog(SpnegoServiceAction.class);
+    
+    private byte[] ticket;
+    private String serviceName;
+    private GSSContext secContext;
+    
+    public SpnegoServiceAction(byte[] ticket, String serviceName) {
+        this.ticket = ticket;
+        this.serviceName = serviceName;
+    }
+    
+    public byte[] run() {
+        try {
+            if (secContext == null) {
+                GSSManager gssManager = GSSManager.getInstance();
+                Oid oid = new Oid("1.3.6.1.5.5.2");
+                
+                GSSName gssService = gssManager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
+                secContext = gssManager.createContext(gssService, oid, null, GSSContext.DEFAULT_LIFETIME);
+            }
+        
+            return secContext.acceptSecContext(ticket, 0, ticket.length);
+        } catch (GSSException e) {
+            if (log.isDebugEnabled()) {
+                log.debug("Error in obtaining a Kerberos token", e);
+            }
+        }
+
+        return null;
+    }
+    
+    public GSSContext getContext() {
+        return secContext;
+    }
+    
+}
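Review bot: run() turns a failed acceptSecContext() into a debug-level log line and a null return, so the component that decides whether a client's ticket is valid discards the reason at a level operators will not normally see, and the message "Error in obtaining a Kerberos token" describes token acquisition rather than ticket acceptance (it reads as copied from an initiator-side counterpart — confirm). The catch should log at warn, or retain the GSSException so the caller can surface it as a WSSecurityException, with a message that names validation. The constructor also accepts a null ticket, which only fails later as a NullPointerException at `ticket.length`; both fields could be `final`. The mechanism OID literal would read better as a named constant, e.g. `private static final String SPNEGO_OID = "1.3.6.1.5.5.2";`.
```java
public SpnegoServiceAction(byte[] ticket, String serviceName) {
    if (ticket == null) {
        throw new IllegalArgumentException("ticket must not be null");
    }
    this.ticket = ticket;
    this.serviceName = serviceName;
}

public byte[] run() {
    try {
        // … unchanged: lazy GSSContext creation and acceptSecContext call …
    } catch (GSSException e) {
        // A rejected ticket is an authentication failure, not a debug-only event
        log.warn("Error in validating a Kerberos/SPNEGO service ticket", e);
    }
    return null;
}
```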

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java?rev=1207955&r1=1207954&r2=1207955&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java Tue
Nov 29 16:40:41 2011
@@ -33,7 +33,7 @@ import org.ietf.jgss.GSSException;
 import org.ietf.jgss.MessageProp;
 
 /**
- * SPNEGO Token.
+ * A class that wraps some functionality to obtain and validate spnego tokens.
  */
 public class SpnegoToken {
     
@@ -106,13 +106,86 @@ public class SpnegoToken {
     }
     
     /**
-     * Get the SPNEGO token that was created in retrieveServiceTicket().
+     * Validate a service ticket.
+     * @param jaasLoginModuleName
+     * @param callbackHandler
+     * @param serviceName
+     * @param ticket
+     * @throws WSSecurityException
+     */
+    public void validateServiceTicket(
+        String jaasLoginModuleName, 
+        CallbackHandler callbackHandler,
+        String serviceName,
+        byte[] ticket
+    ) throws WSSecurityException {
+        // Get a TGT from the KDC using JAAS
+        LoginContext loginContext = null;
+        try {
+            if (callbackHandler == null) {
+                loginContext = new LoginContext(jaasLoginModuleName);
+            } else {
+                loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
+            }
+            loginContext.login();
+        } catch (LoginException ex) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug(ex.getMessage(), ex);
+            }
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE,
+                "kerberosLoginError", 
+                new Object[] {ex.getMessage()}
+            );
+        }
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Successfully authenticated to the TGT");
+        }
+
+        // Get the service name to use - fall back on the principal
+        Subject subject = loginContext.getSubject();
+        String service = serviceName;
+        if (service == null) {
+            Set<Principal> principals = subject.getPrincipals();
+            if (principals.isEmpty()) {
+                throw new WSSecurityException(
+                    WSSecurityException.FAILURE, 
+                    "kerberosLoginError", 
+                    new Object[] {"No Client principals found after login"}
+                );
+            }
+            service = principals.iterator().next().getName();
+        }
+
+        // Validate the ticket
+        SpnegoServiceAction action = new SpnegoServiceAction(ticket, service);
+        token = Subject.doAs(subject, action);
+        
+        secContext = action.getContext();
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Successfully validated a service ticket");
+        }
+
+    }
+
+    /**
+     * Get the SPNEGO token that was created.
      */
     public byte[] getToken() {
         return token;
     }
     
     /**
+     * Whether a connection has been established (at the service side)
+     */
+    public boolean isEstablished() {
+        if (secContext == null) {
+            return false;
+        }
+        return secContext.isEstablished();
+    }
+    
+    /**
      * Unwrap a key
      */
     public byte[] unwrapKey(byte[] secret) throws WSSecurityException {
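Review bot: validateServiceTicket reports success unconditionally after `token = Subject.doAs(subject, action)`: the action swallows GSSException and returns null, and the method neither inspects the returned token nor `action.getContext().isEstablished()` before logging "Successfully validated a service ticket" and returning normally, so a rejected ticket is only detectable by a caller that remembers to call isEstablished(). A null token is not itself a failure signal, because GSSContext.acceptSecContext() returns null when no response token needs to be sent to the peer; the context state is the right check. The method should throw WSSecurityException(FAILURE) when the context is absent or not established (if a further SPNEGO round trip were ever expected here, that case would need its own handling). The LoginContext is also never logged out, so the acceptor's credentials remain in the Subject after validation. The hunk's last line is the start of unwrapKey, whose body lies outside it.
```java
SpnegoServiceAction action = new SpnegoServiceAction(ticket, service);
token = Subject.doAs(subject, action);
secContext = action.getContext();

// acceptSecContext() may legitimately return null when no response token is
// needed, so the token alone is not a success signal; the context state is.
if (secContext == null || !secContext.isEstablished()) {
    throw new WSSecurityException(
        WSSecurityException.FAILURE,
        "kerberosLoginError",
        new Object[] {"Service ticket could not be validated"}
    );
}
if (LOG.isDebugEnabled()) {
    LOG.debug("Successfully validated a service ticket");
}
```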

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SecurityContextTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SecurityContextTokenTest.java?rev=1207955&r1=1207954&r2=1207955&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SecurityContextTokenTest.java
(original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SecurityContextTokenTest.java
Tue Nov 29 16:40:41 2011
@@ -126,6 +126,7 @@ public class SecurityContextTokenTest ex
             SecurityContextToken receivedToken = 
                 (SecurityContextToken) actionResult.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
             assertTrue(receivedToken != null);
+            assertTrue(WSConstants.WSC_SCT.equals(receivedToken.getTokenType()));
             
             SecurityContextToken clone = new SecurityContextToken(receivedToken.getElement());
             assertTrue(clone.equals(receivedToken));
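Review bot: `assertTrue(WSConstants.WSC_SCT.equals(receivedToken.getTokenType()))` hides the actual value when it fails; `assertEquals(WSConstants.WSC_SCT, receivedToken.getTokenType());` reports both expected and actual. The same applies to the WSC_SCT_05_12 assertion in the hunk at @@ -167. The enclosing test method starts and ends outside the hunk.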
@@ -145,6 +146,7 @@ public class SecurityContextTokenTest ex
             secHeader.insertSecurityHeader(doc);
 
             WSSecSecurityContextToken sctBuilder = new WSSecSecurityContextToken();
+            sctBuilder.setWscVersion(ConversationConstants.VERSION_05_12);
             sctBuilder.prepare(doc, crypto);
 
             byte[] tempSecret = WSSecurityUtil.generateNonce(16);
@@ -167,7 +169,15 @@ public class SecurityContextTokenTest ex
                 LOG.debug(out);
             }
 
-            verify(doc);
+            List<WSSecurityEngineResult> results = verify(doc);
+            
+            WSSecurityEngineResult actionResult =
+                WSSecurityUtil.fetchActionResult(results, WSConstants.SCT);
+            SecurityContextToken receivedToken = 
+                (SecurityContextToken) actionResult.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
+            assertTrue(receivedToken != null);
+            assertTrue(WSConstants.WSC_SCT_05_12.equals(receivedToken.getTokenType()));
+            
         } catch (Exception e) {
             e.printStackTrace();
             fail(e.getMessage());

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java?rev=1207955&r1=1207954&r2=1207955&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
(original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
Tue Nov 29 16:40:41 2011
@@ -107,7 +107,7 @@ public class KerberosTest extends org.ju
     }
     
     /**
-     * Get a SPNEGO token.
+     * Get and validate a SPNEGO token.
      */
     @org.junit.Test
     @org.junit.Ignore
@@ -119,7 +119,13 @@ public class KerberosTest extends org.ju
         
         SpnegoToken spnegoToken = new SpnegoToken();
         spnegoToken.retrieveServiceTicket("alice", null, "bob@service.ws.apache.org");
-        assertNotNull(spnegoToken.getToken());
+        
+        byte[] token = spnegoToken.getToken();
+        assertNotNull(token);
+        
+        spnegoToken = new SpnegoToken();
+        spnegoToken.validateServiceTicket("bob", null, "bob@service.ws.apache.org", token);
+        assertTrue(spnegoToken.isEstablished());
     }
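Review bot: The new validateServiceTicket() call is only exercised with a ticket that is expected to succeed, and the method appears to carry `@org.junit.Ignore` (visible in the preceding hunk), so nothing asserts the failure path at all — in particular that a ticket issued for a different service name leaves isEstablished() false or raises WSSecurityException. Even while the test needs a live KDC and stays ignored, adding that negative assertion documents the intended contract of the validation path. The enclosing test method begins outside the hunk.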
     
     /**


