ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gi...@apache.org
Subject svn commit: r1416670 [2/2] - in /webservices/wss4j/trunk: ./ integration/ integration/src/ integration/src/main/ integration/src/main/java/ integration/src/main/resources/ integration/src/test/ integration/src/test/java/ integration/src/test/java/org/ ...
Date Mon, 03 Dec 2012 21:26:22 GMT
Modified: webservices/wss4j/trunk/parent/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/parent/pom.xml?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/parent/pom.xml (original)
+++ webservices/wss4j/trunk/parent/pom.xml Mon Dec  3 21:26:13 2012
@@ -92,6 +92,11 @@
             </dependency>
             <dependency>
                 <groupId>org.slf4j</groupId>
+                <artifactId>slf4j-api</artifactId>
+                <version>${slf4j.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.slf4j</groupId>
                 <artifactId>slf4j-log4j12</artifactId>
                 <version>${slf4j.version}</version>
             </dependency>

Modified: webservices/wss4j/trunk/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/pom.xml?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/pom.xml (original)
+++ webservices/wss4j/trunk/pom.xml Mon Dec  3 21:26:13 2012
@@ -111,6 +111,7 @@
         <module>ws-security-common</module>
         <module>ws-security-dom</module>
         <module>ws-security-stax</module>
+        <module>integration</module>
         <module>ws-security-policy-stax</module>
         <module>cxf-integration</module>
     </modules>

Modified: webservices/wss4j/trunk/ws-security-common/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/pom.xml?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/pom.xml (original)
+++ webservices/wss4j/trunk/ws-security-common/pom.xml Mon Dec  3 21:26:13 2012
@@ -101,6 +101,18 @@
                     </instructions>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>2.3.1</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>test-jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 
@@ -191,6 +203,77 @@
             </exclusions>
         </dependency>
         <dependency>
+            <groupId>org.apache.directory.server</groupId>
+            <artifactId>apacheds-kerberos-shared</artifactId>
+            <version>1.5.7</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.server</groupId>
+                    <artifactId>apacheds-i18n</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.server</groupId>
+                    <artifactId>apacheds-core-jndi</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.server</groupId>
+                    <artifactId>apacheds-protocol-shared</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldap</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldap-schema</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldap-schema-loader</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldap-schema-manager</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-cursor</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldap-jndi</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-asn1-codec</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldap-constants</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldap-converter</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldap-schema-dao</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-ldif</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.directory.shared</groupId>
+                    <artifactId>shared-dsml-parser</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
             <scope>test</scope>

Copied: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java (from r1400458, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosClientAction.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java?p2=webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java&p1=webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosClientAction.java&r1=1400458&r2=1416670&rev=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosClientAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java Mon Dec  3 21:26:13 2012
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.ws.security.dom.message.token;
+package org.apache.ws.security.common.kerberos;
 
 import java.security.Principal;
 import java.security.PrivilegedAction;

Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosClientAction.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java?rev=1416670&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java (added)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java Mon Dec  3 21:26:13 2012
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ws.security.common.kerberos;
+
+import javax.security.auth.callback.Callback;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class KerberosContextAndServiceNameCallback implements Callback {
+
+    private String contextName;
+    private String serviceName;
+
+    public String getContextName() {
+        return contextName;
+    }
+
+    public void setContextName(String contextName) {
+        this.contextName = contextName;
+    }
+
+    public String getServiceName() {
+        return serviceName;
+    }
+
+    public void setServiceName(String serviceName) {
+        this.serviceName = serviceName;
+    }
+}

Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosContextAndServiceNameCallback.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Copied: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java (from r1400458, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosServiceAction.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java?p2=webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java&p1=webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosServiceAction.java&r1=1400458&r2=1416670&rev=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosServiceAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java Mon Dec  3 21:26:13 2012
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.ws.security.dom.message.token;
+package org.apache.ws.security.common.kerberos;
 
 import java.security.Principal;
 import java.security.PrivilegedAction;

Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosServiceAction.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Copied: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java (from r1400458, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenDecoder.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java?p2=webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java&p1=webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenDecoder.java&r1=1400458&r2=1416670&rev=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenDecoder.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java Mon Dec  3 21:26:13 2012
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.ws.security.dom.validate;
+package org.apache.ws.security.common.kerberos;
 
 import javax.security.auth.Subject;
 

Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoder.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java?rev=1416670&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java (added)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java Mon Dec  3 21:26:13 2012
@@ -0,0 +1,159 @@
+package org.apache.ws.security.common.kerberos;
+
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
+import org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder;
+import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
+import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosKey;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Iterator;
+import java.util.Set;
+
+public class KerberosTokenDecoderImpl implements KerberosTokenDecoder {
+
+    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
+
+    private byte[] serviceTicket;
+    private Subject subject;
+
+    private boolean decoded = false;
+    private EncTicketPart encTicketPart;
+
+    /**
+     * Clear all internal information
+     */
+    public void clear() {
+        serviceTicket = null;
+        subject = null;
+        decoded = false;
+        encTicketPart = null;
+    }
+
+    /**
+     * Set the AP-REQ Kerberos Token
+     *
+     * @param token the AP-REQ Kerberos Token
+     */
+    public void setToken(byte[] token) {
+        serviceTicket = token;
+    }
+
+    /**
+     * Set the Subject
+     *
+     * @param subject the Subject
+     */
+    public void setSubject(Subject subject) {
+        this.subject = subject;
+    }
+
+    /**
+     * Get the session key from the token
+     *
+     * @return the session key from the token
+     */
+    public byte[] getSessionKey() {
+        if (!decoded) {
+            decodeServiceTicket();
+        }
+        return encTicketPart.getSessionKey().getKeyValue();
+    }
+
+    /**
+     * Get the client principal name from the decoded service ticket.
+     *
+     * @return the client principal name
+     */
+    public String getClientPrincipalName() {
+        if (!decoded) {
+            decodeServiceTicket();
+        }
+        return encTicketPart.getClientPrincipal().toString();
+    }
+
+    // Decode the service ticket.
+    private synchronized void decodeServiceTicket() {
+        try {
+            parseServiceTicket(serviceTicket);
+            decoded = true;
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    // Parses the service ticket (GSS AP-REQ token)
+    private void parseServiceTicket(byte[] ticket) throws Exception {
+
+        // I didn't find a better way how to parse this Kerberos Message...
+
+        org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
+                new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(ticket));
+        org.bouncycastle.asn1.DERApplicationSpecific derToken =
+                (org.bouncycastle.asn1.DERApplicationSpecific) asn1InputStream.readObject();
+        if (derToken == null || !derToken.isConstructed()) {
+            asn1InputStream.close();
+            throw new IllegalArgumentException("invalid kerberos token");
+        }
+        asn1InputStream.close();
+
+        asn1InputStream = new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(derToken.getContents()));
+        org.bouncycastle.asn1.DERObjectIdentifier kerberosOid =
+                (org.bouncycastle.asn1.DERObjectIdentifier) asn1InputStream.readObject();
+        if (!kerberosOid.getId().equals(KERBEROS_OID)) {
+            asn1InputStream.close();
+            throw new IllegalArgumentException("invalid kerberos token");
+        }
+
+        int readLowByte = asn1InputStream.read() & 0xff;
+        int readHighByte = asn1InputStream.read() & 0xff;
+        int read = (readHighByte << 8) + readLowByte;
+        if (read != 0x01) {
+            throw new IllegalArgumentException("invalid kerberos token");
+        }
+
+        ApplicationRequestDecoder applicationRequestDecoder = new ApplicationRequestDecoder();
+        ApplicationRequest applicationRequest = applicationRequestDecoder.decode(toByteArray(asn1InputStream));
+
+        final int encryptionType = applicationRequest.getTicket().getEncPart().getEType().getOrdinal();
+        KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
+
+        EncryptionKey encryptionKey =
+                new EncryptionKey(EncryptionType.getTypeByOrdinal(encryptionType), kerberosKey.getEncoded());
+
+        CipherTextHandler cipherTextHandler = new CipherTextHandler();
+        this.encTicketPart = (EncTicketPart) cipherTextHandler.unseal(
+                EncTicketPart.class, encryptionKey, applicationRequest.getTicket().getEncPart(), KeyUsage.NUMBER2);
+    }
+
+    private KerberosKey getKrbKey(Subject sub, int keyType) throws Exception {
+        Set<Object> creds = sub.getPrivateCredentials(Object.class);
+        for (Iterator<Object> i = creds.iterator(); i.hasNext(); ) {
+            Object cred = i.next();
+            if (cred instanceof KerberosKey) {
+                KerberosKey key = (KerberosKey) cred;
+                if (key.getKeyType() == keyType) {
+                    return (KerberosKey) cred;
+                }
+            }
+        }
+        return null;
+    }
+
+    private static byte[] toByteArray(InputStream inputStream) throws IOException {
+        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+        int read;
+        byte[] buf = new byte[1024];
+        while ((read = inputStream.read(buf)) != -1) {
+            byteArrayOutputStream.write(buf, 0, read);
+        }
+        return byteArrayOutputStream.toByteArray();
+    }
+}

Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/kerberos/KerberosTokenDecoderImpl.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Modified: webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties Mon Dec  3 21:26:13 2012
@@ -36,6 +36,8 @@ ioError00 = Failed to load credentials.
 kerberosLoginError = An error occurred in trying to obtain a TGT: {0}
 kerberosServiceTicketError = An error occurred in trying to obtain a service ticket
 kerberosTicketValidationError = An error occurred in trying to validate a ticket
+kerberosCallbackContextNameNotSupplied = Callback supplied no context name
+kerberosCallbackServiceNameNotSupplied = Callback supplied no service name
 keystore = Cannot access/read keystore data
 missingCreated = Created time is missing
 missingSecurityHeader = Security header is missing
@@ -90,3 +92,4 @@ unsupportedCertType = Certificate type n
 unsupportedKeyId = Unsupported key identification: {0}
 unsupportedKeyInfo = Unsupported KeyInfo type
 unsupportedKeyTransp = unsupported key transport encryption algorithm: {0}
+unsupportedSecurityToken = Unsupported SecurityToken {0}

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncrypt.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncrypt.java Mon Dec  3 21:26:13 2012
@@ -42,6 +42,7 @@ import org.w3c.dom.Node;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
 
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -286,9 +287,13 @@ public class WSSecEncrypt extends WSSecE
     ) throws WSSecurityException {
 
         KeyInfo keyInfo = createKeyInfo();
+        //the sun ähm oracle jce provider doesn't like a foreign SecretKey impl.
+        //this occurs e.g. with a kerberos session-key. It doesn't matter for the bouncy-castle provider
+        //so create a new secretKeySpec to make everybody happy.
+        SecretKeySpec secretKeySpec = new SecretKeySpec(symmetricKey.getEncoded(), symmetricKey.getAlgorithm());
         List<String> encDataRefs = 
             doEncryption(
-                document, getWsConfig(), keyInfo, symmetricKey, symEncAlgo, references, callbackLookup
+                document, getWsConfig(), keyInfo, secretKeySpec, symEncAlgo, references, callbackLookup
             );
         if (dataRef == null) {
             dataRef = 

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosSecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosSecurity.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosSecurity.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/KerberosSecurity.java Mon Dec  3 21:26:13 2012
@@ -29,6 +29,7 @@ import javax.security.auth.kerberos.Kerb
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 
+import org.apache.ws.security.common.kerberos.KerberosClientAction;
 import org.apache.ws.security.dom.WSConstants;
 import org.apache.ws.security.dom.bsp.BSPEnforcer;
 import org.apache.ws.security.common.bsp.BSPRule;
@@ -146,7 +147,7 @@ public class KerberosSecurity extends Bi
         KerberosTicket tgt = getKerberosTicket(clientSubject, null);
         
         // Get the service ticket
-        KerberosClientAction action = 
+        KerberosClientAction action =
             new KerberosClientAction(clientPrincipals.iterator().next(), serviceName);
         byte[] ticket = (byte[])Subject.doAs(clientSubject, action);
         if (ticket == null) {

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenValidator.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/KerberosTokenValidator.java Mon Dec  3 21:26:13 2012
@@ -28,10 +28,12 @@ import javax.security.auth.login.LoginCo
 import javax.security.auth.login.LoginException;
 
 import org.apache.ws.security.common.ext.WSSecurityException;
+import org.apache.ws.security.common.kerberos.KerberosTokenDecoder;
+import org.apache.ws.security.common.kerberos.KerberosTokenDecoderImpl;
 import org.apache.ws.security.dom.handler.RequestData;
 import org.apache.ws.security.dom.message.token.BinarySecurity;
 import org.apache.ws.security.dom.message.token.KerberosSecurity;
-import org.apache.ws.security.dom.message.token.KerberosServiceAction;
+import org.apache.ws.security.common.kerberos.KerberosServiceAction;
 
 /**
  */
@@ -162,10 +164,12 @@ public class KerberosTokenValidator impl
         // Get a TGT from the KDC using JAAS
         LoginContext loginContext = null;
         try {
-            if (callbackHandler == null) {
-                loginContext = new LoginContext(getContextName());
-            } else {
+            if (callbackHandler != null) {
                 loginContext = new LoginContext(getContextName(), callbackHandler);
+            } else if (data.getCallbackHandler() != null) {
+                loginContext = new LoginContext(getContextName(), data.getCallbackHandler());
+            } else {
+                loginContext = new LoginContext(getContextName());
             }
             loginContext.login();
         } catch (LoginException ex) {
@@ -202,7 +206,7 @@ public class KerberosTokenValidator impl
         
         // Validate the ticket
         KerberosServiceAction action = new KerberosServiceAction(token, service);
-        Principal principal = (Principal)Subject.doAs(subject, action);
+        Principal principal = Subject.doAs(subject, action);
         if (principal == null) {
             throw new WSSecurityException(
                 WSSecurityException.ErrorCode.FAILURE, "kerberosTicketValidationError"
@@ -211,21 +215,21 @@ public class KerberosTokenValidator impl
         credential.setPrincipal(principal);
         credential.setSubject(subject);
         
-        // Try to extract the session key from the token if a KerberosTokenDecoder implementation is
-        // available
-        if (kerberosTokenDecoder != null) {
-            kerberosTokenDecoder.clear();
-            kerberosTokenDecoder.setToken(token);
-            kerberosTokenDecoder.setSubject(subject);
-            byte[] sessionKey = kerberosTokenDecoder.getSessionKey();
-            credential.setSecretKey(sessionKey);
+        KerberosTokenDecoder kerberosTokenDecoder = this.kerberosTokenDecoder;
+        if (kerberosTokenDecoder == null) {
+            kerberosTokenDecoder = new KerberosTokenDecoderImpl();
         }
-        
+
+        kerberosTokenDecoder.clear();
+        kerberosTokenDecoder.setToken(token);
+        kerberosTokenDecoder.setSubject(subject);
+        byte[] sessionKey = kerberosTokenDecoder.getSessionKey();
+        credential.setSecretKey(sessionKey);
+
         if (log.isDebugEnabled()) {
             log.debug("Successfully validated a ticket");
         }
         
         return credential;
     }
-    
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/WSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/WSSec.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/WSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/WSSec.java Mon Dec  3 21:26:13 2012
@@ -292,6 +292,32 @@ public class WSSec {
             } else if (action.equals(WSSConstants.SAML_TOKEN_UNSIGNED) && 
                     (securityProperties.getCallbackHandler() == null)) {
                 throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
+            } else if (action.equals(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN)) {
+                if (securityProperties.getCallbackHandler() == null) {
+                    throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
+                }
+                if (securityProperties.getSignatureAlgorithm() == null) {
+                    securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#hmac-sha1");
+                }
+                if (securityProperties.getSignatureDigestAlgorithm() == null) {
+                    securityProperties.setSignatureDigestAlgorithm("http://www.w3.org/2000/09/xmldsig#sha1");
+                }
+                if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
+                    securityProperties.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
+                }
+                if (securityProperties.getSignatureKeyIdentifierType() == null) {
+                    securityProperties.setSignatureKeyIdentifierType(WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE);
+                }
+            } else if (action.equals(WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN)) {
+                if (securityProperties.getCallbackHandler() == null) {
+                    throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
+                }
+                if (securityProperties.getEncryptionSymAlgorithm() == null) {
+                    securityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+                }
+                if (securityProperties.getSignatureKeyIdentifierType() == null) {
+                    securityProperties.setSignatureKeyIdentifierType(WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE);
+                }
             }
         }
         return new WSSSecurityProperties(securityProperties);

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/OutboundWSSec.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/OutboundWSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/OutboundWSSec.java Mon Dec  3 21:26:13 2012
@@ -133,7 +133,7 @@ public class OutboundWSSec {
                             new BinarySecurityTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
 
-                    WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
 
                 } else if (action.equals(WSSConstants.ENCRYPT)) {
@@ -148,23 +148,23 @@ public class OutboundWSSec {
                     initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
 
                 } else if (action.equals(WSSConstants.USERNAMETOKEN)) {
-                    UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
+                    final UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, usernameTokenOutputProcessor, action);
 
                 } else if (action.equals(WSSConstants.USERNAMETOKEN_SIGNED)) {
                     final UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, usernameTokenOutputProcessor, action);
 
-                    WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
 
                 } else if (action.equals(WSSConstants.SIGNATURE_CONFIRMATION)) {
-                    SignatureConfirmationOutputProcessor signatureConfirmationOutputProcessor =
+                    final SignatureConfirmationOutputProcessor signatureConfirmationOutputProcessor =
                             new SignatureConfirmationOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, signatureConfirmationOutputProcessor, action);
 
                 } else if (action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)) {
-                    BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
+                    final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
                             new BinarySecurityTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
 
@@ -181,7 +181,7 @@ public class OutboundWSSec {
                     final DerivedKeyTokenOutputProcessor derivedKeyTokenOutputProcessor = new DerivedKeyTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, derivedKeyTokenOutputProcessor, action);
 
-                    WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
 
                 } else if (action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
@@ -209,12 +209,26 @@ public class OutboundWSSec {
                     final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
 
-                    WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
 
                 } else if (action.equals(WSSConstants.SAML_TOKEN_UNSIGNED)) {
                     final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
+                } else if (action.equals(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN)) {
+                    final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+                            new KerberosSecurityTokenOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
+
+                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
+                } else if (action.equals(WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN)) {
+                    final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+                            new KerberosSecurityTokenOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
+
+                    final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
                 }
             }
             if (output instanceof OutputStream) {

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java Mon Dec  3 21:26:13 2012
@@ -217,6 +217,10 @@ public class WSSConstants extends XMLSec
     public static final String NS_SAML11_TOKEN_PROFILE_TYPE = NS_SAML11_TOKEN_PROFILE + "#SAMLV1.1";
     public static final String NS_SAML20_TOKEN_PROFILE_TYPE = NS_SAML11_TOKEN_PROFILE + "#SAMLV2.0";
 
+    public static final String NS_KERBEROS11_TOKEN_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#";
+    public static final String NS_GSS_Kerberos5_AP_REQ = NS_KERBEROS11_TOKEN_PROFILE + "GSS_Kerberosv5_AP_REQ";
+    public static final String NS_Kerberos5_AP_REQ_SHA1 = NS_KERBEROS11_TOKEN_PROFILE + "Kerberosv5APREQSHA1";
+
     public static final QName ATT_NULL_AssertionID = new QName(null, "AssertionID");
     public static final QName ATT_NULL_ID = new QName(null, "ID");
 
@@ -272,6 +276,8 @@ public class WSSConstants extends XMLSec
     public static final Action ENCRYPT_WITH_DERIVED_KEY = new Action("ENCRYPT_WITH_DERIVED_KEY");
     public static final Action SAML_TOKEN_SIGNED = new Action("SAML_TOKEN_SIGNED");
     public static final Action SAML_TOKEN_UNSIGNED = new Action("SAML_TOKEN_UNSIGNED");
+    public static final Action SIGNATURE_WITH_KERBEROS_TOKEN = new Action("SIGNATURE_WITH_KERBEROS_TOKEN");
+    public static final Action ENCRYPT_WITH_KERBEROS_TOKEN = new Action("ENCRYPT_WITH_KERBEROS_TOKEN");
 
     public static class Action extends XMLSecurityConstants.Action {
         protected Action(String name) {

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java Mon Dec  3 21:26:13 2012
@@ -29,12 +29,13 @@ import org.apache.ws.security.stax.ext.W
 import org.apache.ws.security.stax.ext.WSSConstants;
 import org.apache.ws.security.stax.ext.WSSSecurityProperties;
 import org.apache.ws.security.stax.ext.WSSecurityContext;
+import org.apache.ws.security.stax.impl.securityToken.KerberosServiceSecurityToken;
 import org.apache.ws.security.stax.impl.securityToken.X509PKIPathv1SecurityToken;
-import org.apache.ws.security.stax.impl.securityToken.X509SecurityToken;
 import org.apache.ws.security.stax.impl.securityToken.X509_V3SecurityToken;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.ext.*;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
+import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent;
 
@@ -72,23 +73,13 @@ public class BinarySecurityTokenInputHan
 
         final SecurityTokenProvider securityTokenProvider = new SecurityTokenProvider() {
 
-            private X509SecurityToken binarySecurityToken = null;
+            private AbstractInboundSecurityToken securityToken = null;
 
             @SuppressWarnings("unchecked")
             @Override
             public SecurityToken getSecurityToken() throws XMLSecurityException {
-                if (this.binarySecurityToken != null) {
-                    return this.binarySecurityToken;
-                }
-                Crypto crypto = null;
-                try {
-                    crypto = ((WSSSecurityProperties) securityProperties).getSignatureVerificationCrypto();
-                } catch (WSSConfigurationException e) {
-                    log.debug(e.getMessage(), e);
-                    //ignore
-                }
-                if (crypto == null) {
-                    crypto = ((WSSSecurityProperties) securityProperties).getDecryptionCrypto();
+                if (this.securityToken != null) {
+                    return this.securityToken;
                 }
 
                 //only Base64Encoding is supported
@@ -100,23 +91,30 @@ public class BinarySecurityTokenInputHan
                 byte[] securityTokenData = Base64.decodeBase64(binarySecurityTokenType.getValue());
 
                 if (WSSConstants.NS_X509_V3_TYPE.equals(binarySecurityTokenType.getValueType())) {
-                    this.binarySecurityToken = new X509_V3SecurityToken(
+                    Crypto crypto = getCrypto((WSSSecurityProperties) securityProperties);
+                    this.securityToken = new X509_V3SecurityToken(
                             (WSSecurityContext) securityContext, crypto, ((WSSSecurityProperties)securityProperties).getCallbackHandler(),
                             securityTokenData, binarySecurityTokenType.getId(), WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE
                     );
                 } else if (WSSConstants.NS_X509PKIPathv1.equals(binarySecurityTokenType.getValueType())) {
-                    this.binarySecurityToken = new X509PKIPathv1SecurityToken(
+                    Crypto crypto = getCrypto((WSSSecurityProperties) securityProperties);
+                    this.securityToken = new X509PKIPathv1SecurityToken(
                             (WSSecurityContext) securityContext, crypto, ((WSSSecurityProperties)securityProperties).getCallbackHandler(),
                             securityTokenData, binarySecurityTokenType.getId(), WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE
                     );
+                } else if (WSSConstants.NS_GSS_Kerberos5_AP_REQ.equals(binarySecurityTokenType.getValueType())) {
+                    this.securityToken = new KerberosServiceSecurityToken(
+                            (WSSecurityContext) securityContext, ((WSSSecurityProperties)securityProperties).getCallbackHandler(),
+                            securityTokenData, binarySecurityTokenType.getId(), WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE
+                    );
                 } else {
                     throw new WSSecurityException(
                             WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidValueType", binarySecurityTokenType.getValueType());
                 }
 
-                this.binarySecurityToken.setElementPath(elementPath);
-                this.binarySecurityToken.setXMLSecEvent(responsibleXMLSecStartXMLEvent);
-                return this.binarySecurityToken;
+                this.securityToken.setElementPath(elementPath);
+                this.securityToken.setXMLSecEvent(responsibleXMLSecStartXMLEvent);
+                return this.securityToken;
             }
 
             @Override
@@ -127,6 +125,7 @@ public class BinarySecurityTokenInputHan
 
         securityContext.registerSecurityTokenProvider(binarySecurityTokenType.getId(), securityTokenProvider);
 
+        //todo most probably wrong in case of a kerberos token
         //fire a tokenSecurityEvent
         X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
         x509TokenSecurityEvent.setSecurityToken((SecurityToken) securityTokenProvider.getSecurityToken());
@@ -134,6 +133,20 @@ public class BinarySecurityTokenInputHan
         securityContext.registerSecurityEvent(x509TokenSecurityEvent);
     }
 
+    private Crypto getCrypto(WSSSecurityProperties securityProperties) throws WSSConfigurationException {
+        Crypto crypto = null;
+        try {
+            crypto = securityProperties.getSignatureVerificationCrypto();
+        } catch (WSSConfigurationException e) {
+            log.debug(e.getMessage(), e);
+            //ignore
+        }
+        if (crypto == null) {
+            crypto = securityProperties.getDecryptionCrypto();
+        }
+        return crypto;
+    }
+
     private void checkBSPCompliance(InputProcessorChain inputProcessorChain, BinarySecurityTokenType binarySecurityTokenType)
             throws WSSecurityException {
         final WSSecurityContext securityContext = (WSSecurityContext) inputProcessorChain.getSecurityContext();

Copied: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java (from r1400458, webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java?p2=webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java&p1=webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java&r1=1400458&r2=1416670&rev=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java Mon Dec  3 21:26:13 2012
@@ -18,35 +18,35 @@
  */
 package org.apache.ws.security.stax.impl.processor.output;
 
-import org.apache.ws.security.common.crypto.CryptoType;
-import org.apache.ws.security.common.ext.WSPasswordCallback;
+import org.apache.commons.codec.binary.Base64;
 import org.apache.ws.security.common.ext.WSSecurityException;
 import org.apache.ws.security.stax.ext.WSSConstants;
 import org.apache.ws.security.stax.ext.WSSSecurityProperties;
 import org.apache.ws.security.stax.ext.WSSUtils;
+import org.apache.ws.security.stax.impl.securityToken.KerberosClientSecurityToken;
 import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.stax.ext.*;
+import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
+import org.apache.xml.security.stax.ext.OutputProcessorChain;
+import org.apache.xml.security.stax.ext.SecurityTokenProvider;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
 import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
-import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
 import org.apache.xml.security.stax.impl.securityToken.OutboundSecurityToken;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.apache.xml.security.stax.securityEvent.SecurityEvent;
-import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
-import java.security.Key;
-import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.List;
 
 /**
  * @author $Author$
  * @version $Revision$ $Date$
  */
-public class BinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
+public class KerberosSecurityTokenOutputProcessor extends AbstractOutputProcessor {
 
-    public BinarySecurityTokenOutputProcessor() throws XMLSecurityException {
+    public KerberosSecurityTokenOutputProcessor() throws XMLSecurityException {
         super();
     }
 
@@ -54,64 +54,22 @@ public class BinarySecurityTokenOutputPr
     public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
         try {
             final String bstId = IDGenerator.generateID(null);
-            final X509Certificate[] x509Certificates;
-            final Key key;
 
             XMLSecurityConstants.Action action = getAction();
-            if (action.equals(WSSConstants.SIGNATURE)
-                    || action.equals(WSSConstants.SAML_TOKEN_SIGNED)
-                    || action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)) {
-
-                String alias = ((WSSSecurityProperties) getSecurityProperties()).getSignatureUser();
-                WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
-                WSSUtils.doPasswordCallback(((WSSSecurityProperties)getSecurityProperties()).getCallbackHandler(), pwCb);
-                String password = pwCb.getPassword();
-                if (password == null) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noPassword", alias);
-                }
-                key = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getPrivateKey(alias, password);
-                CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
-                cryptoType.setAlias(alias);
-                x509Certificates = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getX509Certificates(cryptoType);
-                if (x509Certificates == null || x509Certificates.length == 0) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noUserCertsFound", alias);
-                }
-            } else if (action.equals(WSSConstants.ENCRYPT) ||
-                    action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
-                X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
-                if (((WSSSecurityProperties) getSecurityProperties()).isUseReqSigCertForEncryption()) {
-                    if (x509Certificate == null) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noCert");
-                    }
-                    x509Certificates = new X509Certificate[1];
-                    x509Certificates[0] = x509Certificate;
-                } else if (getSecurityProperties().getEncryptionUseThisCertificate() != null) {
-                    x509Certificate = getSecurityProperties().getEncryptionUseThisCertificate();
-                    x509Certificates = new X509Certificate[1];
-                    x509Certificates[0] = x509Certificate;
-                } else {
-                    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
-                    cryptoType.setAlias(((WSSSecurityProperties) getSecurityProperties()).getEncryptionUser());
-                    x509Certificates = ((WSSSecurityProperties) getSecurityProperties()).getEncryptionCrypto().getX509Certificates(cryptoType);
-                    if (x509Certificates == null || x509Certificates.length == 0) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noUserCertsFound",
-                                ((WSSSecurityProperties) getSecurityProperties()).getEncryptionUser());
-                    }
-                }
-                key = null;
-            } else {
-                x509Certificates = null;
-                key = null;
-            }
 
-            final GenericOutboundSecurityToken binarySecurityToken =
-                    new GenericOutboundSecurityToken(bstId, WSSConstants.X509V3Token, key, x509Certificates);
-            final SecurityTokenProvider binarySecurityTokenProvider = new SecurityTokenProvider() {
+            final KerberosClientSecurityToken kerberosClientSecurityToken =
+                    new KerberosClientSecurityToken(
+                            ((WSSSecurityProperties) getSecurityProperties()).getCallbackHandler(),
+                            bstId
+                    );
+
+
+            final SecurityTokenProvider kerberosSecurityTokenProvider = new SecurityTokenProvider() {
 
                 @SuppressWarnings("unchecked")
                 @Override
                 public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
-                    return binarySecurityToken;
+                    return kerberosClientSecurityToken;
                 }
 
                 @Override
@@ -120,47 +78,28 @@ public class BinarySecurityTokenOutputPr
                 }
             };
 
-            if (action.equals(WSSConstants.SIGNATURE)
-                    || action.equals(WSSConstants.SAML_TOKEN_SIGNED)) {
+            if (action.equals(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN)) {
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
-                if (getSecurityProperties().getSignatureKeyIdentifierType() == WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
-                    outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
-                    FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
-                    finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
-                    finalBinarySecurityTokenOutputProcessor.setAction(getAction());
-                    finalBinarySecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
-                    finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
-                    binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
-                }
-            } else if (action.equals(WSSConstants.ENCRYPT)) {
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
-                if (((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifierType() == WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
-                    FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
-                    finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
-                    finalBinarySecurityTokenOutputProcessor.setAction(getAction());
-                    finalBinarySecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
-                    finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
-                    binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
-                }
-            } else if (action.equals(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)
-                    || action.equals(WSSConstants.ENCRYPT_WITH_DERIVED_KEY)) {
-
-                WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference = ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyTokenReference();
-                switch (derivedKeyTokenReference) {
-
-                    case DirectReference:
-                        outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, bstId);
-                        break;
-                    case EncryptedKey:
-                        outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
-                        break;
-                    case SecurityContextToken:
-                        outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN, bstId);
-                        break;
-                }
+                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
+                FinalKerberosSecurityTokenOutputProcessor finalKerberosSecurityTokenOutputProcessor =
+                        new FinalKerberosSecurityTokenOutputProcessor(kerberosClientSecurityToken);
+                finalKerberosSecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+                finalKerberosSecurityTokenOutputProcessor.setAction(getAction());
+                finalKerberosSecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
+                finalKerberosSecurityTokenOutputProcessor.init(outputProcessorChain);
+                kerberosClientSecurityToken.setProcessor(finalKerberosSecurityTokenOutputProcessor);
+            } else if (action.equals(WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN)) {
+                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, bstId);
+                FinalKerberosSecurityTokenOutputProcessor finalKerberosSecurityTokenOutputProcessor =
+                        new FinalKerberosSecurityTokenOutputProcessor(kerberosClientSecurityToken);
+                finalKerberosSecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+                finalKerberosSecurityTokenOutputProcessor.setAction(getAction());
+                finalKerberosSecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
+                finalKerberosSecurityTokenOutputProcessor.init(outputProcessorChain);
+                kerberosClientSecurityToken.setProcessor(finalKerberosSecurityTokenOutputProcessor);
             }
 
-            outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(bstId, binarySecurityTokenProvider);
+            outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(bstId, kerberosSecurityTokenProvider);
 
         } finally {
             outputProcessorChain.removeProcessor(this);
@@ -168,33 +107,13 @@ public class BinarySecurityTokenOutputPr
         outputProcessorChain.processEvent(xmlSecEvent);
     }
 
-    private X509Certificate getReqSigCert(SecurityContext securityContext) throws XMLSecurityException {
-        List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
-        if (securityEventList != null) {
-            for (int i = 0; i < securityEventList.size(); i++) {
-                SecurityEvent securityEvent = securityEventList.get(i);
-                if (securityEvent instanceof TokenSecurityEvent) {
-                    TokenSecurityEvent tokenSecurityEvent = (TokenSecurityEvent) securityEvent;
-                    if (!tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.MainSignature)) {
-                        continue;
-                    }
-                    X509Certificate[] x509Certificates = tokenSecurityEvent.getSecurityToken().getX509Certificates();
-                    if (x509Certificates != null && x509Certificates.length > 0) {
-                        return x509Certificates[0];
-                    }
-                }
-            }
-        }
-        return null;
-    }
-
-    class FinalBinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
+    class FinalKerberosSecurityTokenOutputProcessor extends AbstractOutputProcessor {
 
-        private final OutboundSecurityToken securityToken;
+        private final KerberosClientSecurityToken securityToken;
 
-        FinalBinarySecurityTokenOutputProcessor(OutboundSecurityToken securityToken) throws XMLSecurityException {
+        FinalKerberosSecurityTokenOutputProcessor(KerberosClientSecurityToken securityToken) throws XMLSecurityException {
             super();
-            this.addAfterProcessor(BinarySecurityTokenOutputProcessor.class.getName());
+            this.addAfterProcessor(KerberosSecurityTokenOutputProcessor.class.getName());
             this.securityToken = securityToken;
         }
 
@@ -207,9 +126,18 @@ public class BinarySecurityTokenOutputPr
                         && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
                     OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
 
-                    boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
-                    WSSUtils.createBinarySecurityTokenStructure(this, subOutputProcessorChain, securityToken.getId(), securityToken.getX509Certificates(), useSingleCertificate);
-
+                    List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(3);
+                    attributes.add(createAttribute(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING));
+                    attributes.add(createAttribute(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
+                    attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
+                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, false, attributes);
+                    createCharactersAndOutputAsEvent(subOutputProcessorChain,
+                            new Base64(76, new byte[]{'\n'}).encodeToString(securityToken.getTicket())
+                    );
+                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken);
+                    if (getAction() == WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN) {
+                        WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
+                    }
                     outputProcessorChain.removeProcessor(this);
                 }
             }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java Mon Dec  3 21:26:13 2012
@@ -116,6 +116,8 @@ public class WSSSignatureEndingOutputPro
                 attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE));
             } else if (WSSConstants.Saml20Token.equals(securityToken.getTokenType())) {
                 attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE));
+            } else if (WSSConstants.KerberosToken.equals(securityToken.getTokenType())) {
+                attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
             }
             createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, false, attributes);
 
@@ -131,13 +133,16 @@ public class WSSSignatureEndingOutputPro
                 WSSUtils.createThumbprintKeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
             } else if (keyIdentifierType == WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
                 String valueType;
-                if (useSingleCertificate) {
-                    valueType = WSSConstants.NS_X509_V3_TYPE;
-                } else {
-                    valueType = WSSConstants.NS_X509PKIPathv1;
-                }
                 if (WSSConstants.Saml20Token.equals(securityToken.getTokenType())) {
                     valueType = null;
+                } else if (WSSConstants.KerberosToken.equals(securityToken.getTokenType())) {
+                    valueType = WSSConstants.NS_GSS_Kerberos5_AP_REQ;
+                } else {
+                    if (useSingleCertificate) {
+                        valueType = WSSConstants.NS_X509_V3_TYPE;
+                    } else {
+                        valueType = WSSConstants.NS_X509PKIPathv1;
+                    }
                 }
                 WSSUtils.createBSTReferenceStructure(this, outputProcessorChain, tokenId, valueType);
             } else if (keyIdentifierType == WSSConstants.WSSKeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF) {
@@ -145,7 +150,7 @@ public class WSSSignatureEndingOutputPro
             } else if (keyIdentifierType == WSSConstants.WSSKeyIdentifierType.USERNAMETOKEN_REFERENCE) {
                 WSSUtils.createUsernameTokenReferenceStructure(this, outputProcessorChain, tokenId);
             } else {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "unsupportedSecurityToken");
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "unsupportedSecurityToken", keyIdentifierType);
             }
             createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference);
         }

Added: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java?rev=1416670&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java (added)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java Mon Dec  3 21:26:13 2012
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ws.security.stax.impl.securityToken;
+
+import org.apache.ws.security.common.ext.WSSecurityException;
+import org.apache.ws.security.common.kerberos.KerberosClientAction;
+import org.apache.ws.security.common.kerberos.KerberosContextAndServiceNameCallback;
+import org.apache.ws.security.stax.ext.WSSConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
+import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
+
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.io.IOException;
+import java.security.Key;
+import java.security.Principal;
+import java.util.Set;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class KerberosClientSecurityToken extends GenericOutboundSecurityToken {
+
+    private CallbackHandler callbackHandler;
+    private Key secretKey;
+    private byte[] ticket;
+
+    public KerberosClientSecurityToken(CallbackHandler callbackHandler, String id) throws XMLSecurityException {
+        super(id, WSSConstants.KerberosToken);
+        this.callbackHandler = callbackHandler;
+    }
+
+    private void getTGT() throws WSSecurityException {
+        try {
+            KerberosContextAndServiceNameCallback contextAndServiceNameCallback = new KerberosContextAndServiceNameCallback();
+            callbackHandler.handle(new Callback[]{contextAndServiceNameCallback});
+
+            if (contextAndServiceNameCallback.getContextName() == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackContextNameNotSupplied");
+            }
+            if (contextAndServiceNameCallback.getServiceName() == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackServiceNameNotSupplied");
+            }
+
+            LoginContext loginContext = new LoginContext(contextAndServiceNameCallback.getContextName(), callbackHandler);
+            loginContext.login();
+
+            Subject clientSubject = loginContext.getSubject();
+            Set<Principal> clientPrincipals = clientSubject.getPrincipals();
+            if (clientPrincipals.isEmpty()) {
+                throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.FAILURE,
+                        "kerberosLoginError", "No Client principals found after login"
+                );
+            }
+            // Store the TGT
+            KerberosTicket tgt = getKerberosTicket(clientSubject, null);
+
+            // Get the service ticket
+            KerberosClientAction action =
+                    new KerberosClientAction(
+                            clientPrincipals.iterator().next(), contextAndServiceNameCallback.getServiceName()
+                    );
+            byte[] ticket = Subject.doAs(clientSubject, action);
+            if (ticket == null) {
+                throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
+                );
+            }
+
+            // Get the Service Ticket (private credential)
+            KerberosTicket serviceTicket = getKerberosTicket(clientSubject, tgt);
+            if (serviceTicket != null) {
+                this.secretKey = serviceTicket.getSessionKey();
+            }
+
+            this.ticket = ticket;
+
+        } catch (LoginException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+        } catch (UnsupportedCallbackException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+        } catch (IOException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+        }
+    }
+
+    /**
+     * Get a KerberosTicket from the clientSubject parameter, that is not equal to the supplied KerberosTicket
+     * parameter (can be null)
+     */
+    private KerberosTicket getKerberosTicket(Subject clientSubject, KerberosTicket previousTicket) {
+        Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
+        if (privateCredentials == null || privateCredentials.isEmpty()) {
+            return null;
+        }
+
+        for (KerberosTicket privateCredential : privateCredentials) {
+            if (!privateCredential.equals(previousTicket)) {
+                return privateCredential;
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
+        Key key = super.getSecretKey(algorithmURI);
+        if (key != null) {
+            return key;
+        }
+        if (this.secretKey == null) {
+            getTGT();
+        }
+        String algoFamily = JCEAlgorithmMapper.getJCERequiredKeyFromURI(algorithmURI);
+        key = new SecretKeySpec(this.secretKey.getEncoded(), algoFamily);
+        setSecretKey(algorithmURI, key);
+        return key;
+    }
+
+    public byte[] getTicket() throws XMLSecurityException {
+        if (this.ticket == null) {
+            getTGT();
+        }
+        return ticket;
+    }
+}

Propchange: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosClientSecurityToken.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java?rev=1416670&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java (added)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java Mon Dec  3 21:26:13 2012
@@ -0,0 +1,150 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ws.security.stax.impl.securityToken;
+
+import org.apache.ws.security.common.ext.WSSecurityException;
+import org.apache.ws.security.common.kerberos.KerberosContextAndServiceNameCallback;
+import org.apache.ws.security.common.kerberos.KerberosServiceAction;
+import org.apache.ws.security.common.kerberos.KerberosTokenDecoder;
+import org.apache.ws.security.common.kerberos.KerberosTokenDecoderImpl;
+import org.apache.ws.security.stax.ext.WSSConstants;
+import org.apache.ws.security.stax.ext.WSSecurityContext;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
+
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.io.IOException;
+import java.security.Key;
+import java.security.Principal;
+import java.util.Set;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class KerberosServiceSecurityToken extends AbstractInboundSecurityToken {
+
+    private CallbackHandler callbackHandler;
+    private byte[] binaryContent;
+
+    private KerberosTokenDecoder kerberosTokenDecoder;
+
+    public KerberosServiceSecurityToken(WSSecurityContext wsSecurityContext, CallbackHandler callbackHandler,
+                                        byte[] binaryContent, String id, WSSConstants.KeyIdentifierType keyIdentifierType)
+            throws XMLSecurityException {
+        super(wsSecurityContext, id, keyIdentifierType);
+        this.callbackHandler = callbackHandler;
+        this.binaryContent = binaryContent;
+    }
+
+    @Override
+    public boolean isAsymmetric() throws XMLSecurityException {
+        return false;
+    }
+
+    @Override
+    public XMLSecurityConstants.TokenType getTokenType() {
+        return WSSConstants.KerberosToken;
+    }
+
+    private KerberosTokenDecoder getTGT() throws WSSecurityException {
+        try {
+            KerberosContextAndServiceNameCallback contextAndServiceNameCallback = new KerberosContextAndServiceNameCallback();
+            callbackHandler.handle(new Callback[]{contextAndServiceNameCallback});
+
+            if (contextAndServiceNameCallback.getContextName() == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackContextNameNotSupplied");
+            }
+            if (contextAndServiceNameCallback.getServiceName() == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackServiceNameNotSupplied");
+            }
+
+            LoginContext loginContext = new LoginContext(contextAndServiceNameCallback.getContextName(), callbackHandler);
+            loginContext.login();
+
+            // Get the service name to use - fall back on the principal
+            Subject subject = loginContext.getSubject();
+            String service = contextAndServiceNameCallback.getServiceName();
+            if (service == null) {
+                Set<Principal> principals = subject.getPrincipals();
+                if (principals.isEmpty()) {
+                    throw new WSSecurityException(
+                            WSSecurityException.ErrorCode.FAILURE,
+                            "kerberosLoginError",
+                            "No Client principals found after login"
+                    );
+                }
+                service = principals.iterator().next().getName();
+            }
+
+            // Validate the ticket
+            KerberosServiceAction action = new KerberosServiceAction(binaryContent, service);
+            Principal principal = Subject.doAs(subject, action);
+            if (principal == null) {
+                throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.FAILURE, "kerberosTicketValidationError"
+                );
+            }
+
+            KerberosTokenDecoder kerberosTokenDecoder = new KerberosTokenDecoderImpl();
+            kerberosTokenDecoder.setToken(binaryContent);
+            kerberosTokenDecoder.setSubject(subject);
+            return kerberosTokenDecoder;
+
+        } catch (LoginException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+        } catch (UnsupportedCallbackException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+        } catch (IOException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+        }
+    }
+
+    @Override
+    protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage,
+                         String correlationID) throws XMLSecurityException {
+
+        Key key = getSecretKey().get(algorithmURI);
+        if (key != null) {
+            return key;
+        }
+
+        if (this.kerberosTokenDecoder == null) {
+            this.kerberosTokenDecoder = getTGT();
+        }
+
+        byte[] secretToken = this.kerberosTokenDecoder.getSessionKey();
+        String algoFamily = JCEAlgorithmMapper.getJCERequiredKeyFromURI(algorithmURI);
+        key = new SecretKeySpec(secretToken, algoFamily);
+        setSecretKey(algorithmURI, key);
+        return key;
+    }
+
+    public byte[] getBinaryContent() {
+        return binaryContent;
+    }
+}

Propchange: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java?rev=1416670&r1=1416669&r2=1416670&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java Mon Dec  3 21:26:13 2012
@@ -39,6 +39,10 @@ import org.apache.xml.security.stax.impl
 import org.opensaml.common.SAMLVersion;
 
 import javax.security.auth.callback.CallbackHandler;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.List;
 
 /**
  * Factory to create SecurityToken Objects from keys in XML
@@ -162,6 +166,34 @@ public class SecurityTokenFactoryImpl ex
                                 WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "noToken", keyIdentifierType.getValue());
                     }
                     return securityTokenProvider.getSecurityToken();
+                } else if (WSSConstants.NS_Kerberos5_AP_REQ_SHA1.equals(valueType)) {
+                    SecurityTokenProvider securityTokenProvider = securityContext.getSecurityTokenProvider(keyIdentifierType.getValue());
+                    if (securityTokenProvider != null) {
+                        return securityTokenProvider.getSecurityToken();
+                    }
+
+                    MessageDigest messageDigest = null;
+                    try {
+                        messageDigest = MessageDigest.getInstance("SHA-1");
+                    } catch (NoSuchAlgorithmException e) {
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+                    }
+
+                    //ok we have to find the token via digesting...
+                    List<SecurityTokenProvider> securityTokenProviders = securityContext.getRegisteredSecurityTokenProviders();
+                    for (int i = 0; i < securityTokenProviders.size(); i++) {
+                        SecurityTokenProvider tokenProvider = securityTokenProviders.get(i);
+                        SecurityToken securityToken = tokenProvider.getSecurityToken();
+                        if (securityToken instanceof KerberosServiceSecurityToken) {
+                            KerberosServiceSecurityToken kerberosSecurityToken = (KerberosServiceSecurityToken)securityToken;
+                            byte[] tokenDigest = messageDigest.digest(kerberosSecurityToken.getBinaryContent());
+                            if (Arrays.equals(tokenDigest, binaryContent)) {
+                                return securityToken;
+                            }
+                        }
+                    }
+                    throw new WSSecurityException(
+                            WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "noToken", keyIdentifierType.getValue());
                 } else {
                     //we do enforce BSP compliance here but will fail anyway since we cannot identify the referenced token
                     ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R3063);



Mime
View raw message