From gi...@apache.org
Subject svn commit: r1493498 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/ ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/ ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/
Date Sun, 16 Jun 2013 11:09:37 GMT
Author: giger
Date: Sun Jun 16 11:09:36 2013
New Revision: 1493498

URL: http://svn.apache.org/r1493498
Log:
throw an exception when a Kerberos token cannot be parsed (instead of logging at debug level and returning no session key)

Added:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
  (with props)
Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java?rev=1493498&r1=1493497&r2=1493498&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoder.java
Sun Jun 16 11:09:36 2013
@@ -45,7 +45,7 @@ public interface KerberosTokenDecoder {
      * Get the session key from the token
      * @return the session key from the token
      */
-    byte[] getSessionKey();
+    byte[] getSessionKey() throws KerberosTokenDecoderException;
     
     /**
      * Clear all internal information
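Review bot: The interface hunk adds the checked `KerberosTokenDecoderException` only to `getSessionKey()`, yet `KerberosTokenDecoderImpl.getClientPrincipalName()` in the same commit now declares `throws KerberosTokenDecoderException`; an implementing method may not declare a checked exception its interface method does not, so unless the interface's `getClientPrincipalName()` already carries a compatible throws clause outside this hunk, that implementation will not compile. The matching interface line would be `String getClientPrincipalName() throws KerberosTokenDecoderException;`. The Javadoc above `getSessionKey()` should also gain `@throws KerberosTokenDecoderException if the token cannot be parsed or the ticket cannot be decrypted`, since callers now have to handle it explicitly. The rest of the interface is outside the hunk.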

Added: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java?rev=1493498&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
(added)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
Sun Jun 16 11:09:36 2013
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.common.kerberos;
+
+public class KerberosTokenDecoderException extends Exception {
+
+    public KerberosTokenDecoderException(String message) {
+        super(message);
+    }
+
+    public KerberosTokenDecoderException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public KerberosTokenDecoderException(Throwable cause) {
+        super(cause);
+    }
+}
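Review bot: The new exception class has no Javadoc and no `serialVersionUID`, although as a checked `Exception` it is `Serializable` and is the type every caller of the decoder now has to catch. A one-line class comment such as `/** Thrown when a Kerberos service ticket (GSS AP-REQ token) cannot be parsed or decrypted by a {@link KerberosTokenDecoder}. */` tells callers what the three constructors wrap, and `private static final long serialVersionUID = 1L;` avoids the default computed UID shifting between builds. Consider also documenting that the message may carry parser detail from the underlying libraries, so callers decide what to surface in a fault.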

Propchange: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderException.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java?rev=1493498&r1=1493497&r2=1493498&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java
Sun Jun 16 11:09:36 2013
@@ -3,6 +3,7 @@ package org.apache.wss4j.common.kerberos
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
+import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder;
 import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
@@ -19,9 +20,6 @@ import java.util.Set;
 
 public class KerberosTokenDecoderImpl implements KerberosTokenDecoder {
     
-    private static org.slf4j.Logger log =
-        org.slf4j.LoggerFactory.getLogger(KerberosTokenDecoderImpl.class);
-
     private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
 
     private byte[] serviceTicket;
@@ -63,7 +61,7 @@ public class KerberosTokenDecoderImpl im
      *
      * @return the session key from the token
      */
-    public byte[] getSessionKey() {
+    public byte[] getSessionKey() throws KerberosTokenDecoderException {
         if (!decoded) {
             decodeServiceTicket();
         }
@@ -78,7 +76,7 @@ public class KerberosTokenDecoderImpl im
      *
      * @return the client principal name
      */
-    public String getClientPrincipalName() {
+    public String getClientPrincipalName() throws KerberosTokenDecoderException {
         if (!decoded) {
             decodeServiceTicket();
         }
@@ -86,60 +84,60 @@ public class KerberosTokenDecoderImpl im
     }
 
     // Decode the service ticket.
-    private synchronized void decodeServiceTicket() {
-        try {
-            parseServiceTicket(serviceTicket);
-            decoded = true;
-        } catch (Exception e) {
-            log.debug("Error retrieving a service ticket", e);
-        }
+    private synchronized void decodeServiceTicket() throws KerberosTokenDecoderException
{
+        parseServiceTicket(serviceTicket);
+        decoded = true;
     }
 
     // Parses the service ticket (GSS AP-REQ token)
-    private void parseServiceTicket(byte[] ticket) throws Exception {
-
-        // I didn't find a better way how to parse this Kerberos Message...
-
-        org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
-                new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(ticket));
-        org.bouncycastle.asn1.DERApplicationSpecific derToken =
-                (org.bouncycastle.asn1.DERApplicationSpecific) asn1InputStream.readObject();
-        if (derToken == null || !derToken.isConstructed()) {
+    private void parseServiceTicket(byte[] ticket) throws KerberosTokenDecoderException {
+        try {
+            // I didn't find a better way how to parse this Kerberos Message...
+            org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
+                    new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(ticket));
+            org.bouncycastle.asn1.DERApplicationSpecific derToken =
+                    (org.bouncycastle.asn1.DERApplicationSpecific) asn1InputStream.readObject();
+            if (derToken == null || !derToken.isConstructed()) {
+                asn1InputStream.close();
+                throw new KerberosTokenDecoderException("invalid kerberos token");
+            }
             asn1InputStream.close();
-            throw new IllegalArgumentException("invalid kerberos token");
-        }
-        asn1InputStream.close();
 
-        asn1InputStream = new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(derToken.getContents()));
-        org.bouncycastle.asn1.DERObjectIdentifier kerberosOid =
-                (org.bouncycastle.asn1.DERObjectIdentifier) asn1InputStream.readObject();
-        if (!kerberosOid.getId().equals(KERBEROS_OID)) {
-            asn1InputStream.close();
-            throw new IllegalArgumentException("invalid kerberos token");
-        }
+            asn1InputStream = new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(derToken.getContents()));
+            org.bouncycastle.asn1.DERObjectIdentifier kerberosOid =
+                    (org.bouncycastle.asn1.DERObjectIdentifier) asn1InputStream.readObject();
+            if (!kerberosOid.getId().equals(KERBEROS_OID)) {
+                asn1InputStream.close();
+                throw new KerberosTokenDecoderException("invalid kerberos token");
+            }
 
-        int readLowByte = asn1InputStream.read() & 0xff;
-        int readHighByte = asn1InputStream.read() & 0xff;
-        int read = (readHighByte << 8) + readLowByte;
-        if (read != 0x01) {
-            throw new IllegalArgumentException("invalid kerberos token");
-        }
+            int readLowByte = asn1InputStream.read() & 0xff;
+            int readHighByte = asn1InputStream.read() & 0xff;
+            int read = (readHighByte << 8) + readLowByte;
+            if (read != 0x01) {
+                throw new KerberosTokenDecoderException("invalid kerberos token");
+            }
 
-        ApplicationRequestDecoder applicationRequestDecoder = new ApplicationRequestDecoder();
-        ApplicationRequest applicationRequest = applicationRequestDecoder.decode(toByteArray(asn1InputStream));
+            ApplicationRequestDecoder applicationRequestDecoder = new ApplicationRequestDecoder();
+            ApplicationRequest applicationRequest = applicationRequestDecoder.decode(toByteArray(asn1InputStream));
 
-        final int encryptionType = applicationRequest.getTicket().getEncPart().getEType().getOrdinal();
-        KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
+            final int encryptionType = applicationRequest.getTicket().getEncPart().getEType().getOrdinal();
+            KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
 
-        EncryptionKey encryptionKey =
-                new EncryptionKey(EncryptionType.getTypeByOrdinal(encryptionType), kerberosKey.getEncoded());
+            EncryptionKey encryptionKey =
+                    new EncryptionKey(EncryptionType.getTypeByOrdinal(encryptionType), kerberosKey.getEncoded());
 
-        CipherTextHandler cipherTextHandler = new CipherTextHandler();
-        this.encTicketPart = (EncTicketPart) cipherTextHandler.unseal(
-                EncTicketPart.class, encryptionKey, applicationRequest.getTicket().getEncPart(),
KeyUsage.NUMBER2);
+            CipherTextHandler cipherTextHandler = new CipherTextHandler();
+            this.encTicketPart = (EncTicketPart) cipherTextHandler.unseal(
+                    EncTicketPart.class, encryptionKey, applicationRequest.getTicket().getEncPart(),
KeyUsage.NUMBER2);
+        } catch (KerberosException e) {
+            throw new KerberosTokenDecoderException(e);
+        } catch (IOException e) {
+            throw new KerberosTokenDecoderException(e);
+        }
     }
 
-    private KerberosKey getKrbKey(Subject sub, int keyType) throws Exception {
+    private KerberosKey getKrbKey(Subject sub, int keyType) {
         Set<Object> creds = sub.getPrivateCredentials(Object.class);
         for (Iterator<Object> i = creds.iterator(); i.hasNext(); ) {
             Object cred = i.next();

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java?rev=1493498&r1=1493497&r2=1493498&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java
Sun Jun 16 11:09:36 2013
@@ -29,6 +29,7 @@ import javax.security.auth.login.LoginEx
 
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
+import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;
 import org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
@@ -203,8 +204,12 @@ public class KerberosTokenValidator impl
         kerberosTokenDecoder.clear();
         kerberosTokenDecoder.setToken(token);
         kerberosTokenDecoder.setSubject(subject);
-        byte[] sessionKey = kerberosTokenDecoder.getSessionKey();
-        credential.setSecretKey(sessionKey);
+        try {
+            byte[] sessionKey = kerberosTokenDecoder.getSessionKey();
+            credential.setSecretKey(sessionKey);
+        } catch (KerberosTokenDecoderException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+        }
 
         if (log.isDebugEnabled()) {
             log.debug("Successfully validated a ticket");
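Review bot: The DOM validator maps a decoder failure to the generic `ErrorCode.FAILURE`, while the StAX counterpart in this same commit maps the identical condition to `ErrorCode.INVALID_SECURITY_TOKEN`; a ticket that cannot be parsed or decrypted is an invalid security token, and the two stacks should raise the same fault code so a client sees consistent behaviour regardless of which pipeline handled the message. The line would become `throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);`. Note also that the wrapped cause carries parser messages from the underlying ASN.1 and Kerberos libraries; whether any of that reaches the SOAP fault depends on fault-construction code outside this hunk and is worth confirming. The enclosing `validate` method starts before the hunk.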

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java?rev=1493498&r1=1493497&r2=1493498&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
Sun Jun 16 11:09:36 2013
@@ -19,10 +19,7 @@
 package org.apache.wss4j.stax.impl.securityToken;
 
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.kerberos.KerberosContextAndServiceNameCallback;
-import org.apache.wss4j.common.kerberos.KerberosServiceAction;
-import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
-import org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl;
+import org.apache.wss4j.common.kerberos.*;
 import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
 import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
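Review bot: Replacing the four explicit `org.apache.wss4j.common.kerberos` imports with `import org.apache.wss4j.common.kerberos.*;` is a style regression: the rest of the file and the sibling change in `KerberosTokenValidator` keep explicit imports, and a wildcard hides which types this class depends on and can silently pick up new names as the package grows (Checkstyle's `AvoidStarImport` flags it). Keep the four removed lines and add only the new one, `import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;`.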
@@ -139,7 +136,12 @@ public class KerberosServiceSecurityToke
             this.kerberosTokenDecoder = getTGT();
         }
 
-        byte[] sk = this.kerberosTokenDecoder.getSessionKey();
+        byte[] sk;
+        try {
+            sk = this.kerberosTokenDecoder.getSessionKey();
+        } catch (KerberosTokenDecoderException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
e);
+        }
 
         String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
         int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(algorithmURI) / 8;


