inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged V3.1 to HEAD

Browse Source 
13957 Support for UsernameToken WS-Security.  Password Type 'PasswordText' with optional timestamp support.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@13959 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
David Caruana
2009-04-15 14:49:17 +00:00
parent 4c99493d79
commit 09c0e208c8
5 changed files with 118 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
config/alfresco/cmis-ws-context.xml
View File

@@ -18,11 +18,13 @@
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outFaultInterceptors>
@@ -45,11 +47,13 @@
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outFaultInterceptors>
@@ -71,11 +75,13 @@
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptorWithMTOM" />
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outFaultInterceptors>
@@ -99,11 +105,13 @@
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outFaultInterceptors>
@@ -126,11 +134,13 @@
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outFaultInterceptors>
@@ -153,11 +163,13 @@
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outFaultInterceptors>
@@ -180,11 +192,13 @@
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outFaultInterceptors>
@@ -206,11 +220,13 @@
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref local="authenticationClearInterceptor" />
<ref local="saajOutInterceptor" />
<ref local="wss4jOutInterceptor" />
</jaxws:outFaultInterceptors>
@@ -352,6 +368,11 @@
<bean id="authenticationTokenCallback" class="org.alfresco.repo.cmis.ws.AuthenticationTokenCallbackHandler" />
<bean id="authenticationInterceptor" class="org.alfresco.repo.cmis.ws.AuthenticationInterceptor" />
<bean id="authenticationInterceptor" class="org.alfresco.repo.cmis.ws.AuthenticationInterceptor">
<property name="authenticationService" ref="authenticationService" />
<property name="transactionService" ref="transactionService" />
</bean>
<bean id="authenticationClearInterceptor" class="org.alfresco.repo.cmis.ws.AuthenticationClearInterceptor"/>
</beans>

54
source/java/org/alfresco/repo/cmis/ws/AuthenticationClearInterceptor.java Normal file
View File

@@ -0,0 +1,54 @@
/*
* Copyright (C) 2005-2008 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.repo.cmis.ws;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
/**
* @author Dmitry Velichkevich
*/
public class AuthenticationClearInterceptor extends AbstractSoapInterceptor
{
public AuthenticationClearInterceptor()
{
super(Phase.PRE_INVOKE);
}
public void handleMessage(SoapMessage message) throws Fault
{
AuthenticationUtil.clearCurrentSecurityContext();
}
@Override
public void handleFault(SoapMessage message)
{
AuthenticationUtil.clearCurrentSecurityContext();
super.handleFault(message);
}
}

37
source/java/org/alfresco/repo/cmis/ws/AuthenticationInterceptor.java
View File

@@ -26,7 +26,9 @@ package org.alfresco.repo.cmis.ws;
import java.util.List;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.transaction.TransactionService;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
@@ -36,8 +38,13 @@ import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
/**
* @author Dmitry Velichkevich
*/
public class AuthenticationInterceptor extends AbstractSoapInterceptor
{
private AuthenticationService authenticationService;
private TransactionService transactionService;
public AuthenticationInterceptor()
{
@@ -49,10 +56,34 @@ public class AuthenticationInterceptor extends AbstractSoapInterceptor
@SuppressWarnings("unchecked")
WSHandlerResult handlerResult = ((List<WSHandlerResult>) message.getContextualProperty(WSHandlerConstants.RECV_RESULTS)).get(0);
WSSecurityEngineResult secRes = (WSSecurityEngineResult) handlerResult.getResults().get(0);
WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) secRes.get(WSSecurityEngineResult.TAG_PRINCIPAL);
final WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) secRes.get(WSSecurityEngineResult.TAG_PRINCIPAL);
// Authenticate
AuthenticationUtil.setFullyAuthenticatedUser(principal.getName());
transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<Object>()
{
public Object execute() throws Throwable
{
try
{
authenticationService.authenticate(principal.getName(), principal.getPassword().toCharArray());
}
catch (Throwable e)
{
throw new SecurityException("Invalid user name or password specified");
}
return null;
}
});
}
public void setAuthenticationService(AuthenticationService authenticationService)
{
this.authenticationService = authenticationService;
}
public void setTransactionService(TransactionService transactionService)
{
this.transactionService = transactionService;
}
}

29
source/java/org/alfresco/repo/cmis/ws/AuthenticationTokenCallbackHandler.java
View File

@@ -30,41 +30,26 @@ import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
/**
* @author Michael Shavnev
* @author Dmitry Velichkevich
*/
public class AuthenticationTokenCallbackHandler implements CallbackHandler
{
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
WSPasswordCallback wssPasswordCallback = (WSPasswordCallback) callbacks[0];
String userName = wssPasswordCallback.getIdentifer();
String password = getPassword(userName);
// Check the UsernameToken element.
// Depending on the password type contained in the element the processing differs.
if (wssPasswordCallback.getUsage() == WSPasswordCallback.USERNAME_TOKEN)
if ((WSPasswordCallback.USERNAME_TOKEN_UNKNOWN != wssPasswordCallback.getUsage()) && (WSPasswordCallback.USERNAME_TOKEN != wssPasswordCallback.getUsage()))
{
// If the password type is password digest provide stored password perform
// hash algorithm and compare the result with the transmitted password
wssPasswordCallback.setPassword(password);
throw new SecurityException("Only 'UsernameToken' usage is supported.");
}
else
if (!WSConstants.PASSWORD_TEXT.equals(wssPasswordCallback.getPasswordType()))
{
// If the password is of type password text or any other yet unknown password type
// the delegate the password validation to the callback class.
if (!password.equals(wssPasswordCallback.getPassword()))
{
throw new SecurityException("Incorrect password");
}
throw new SecurityException("Password type '" + wssPasswordCallback.getPasswordType() + "' unsupported. Only '" + WSConstants.PW_TEXT + "' is supported.");
}
}
private String getPassword(String userName)
{
return userName;
}
}

2
source/test/java/org/alfresco/repo/cmis/ws/CmisServiceTestHelper.java
View File

@@ -169,7 +169,7 @@ public class CmisServiceTestHelper extends TestCase
wss4jOutInterceptorProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.TIMESTAMP);
wss4jOutInterceptorProp.put(WSHandlerConstants.USER, username);
wss4jOutInterceptorProp.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
wss4jOutInterceptorProp.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
wss4jOutInterceptorProp.put(WSHandlerConstants.PW_CALLBACK_REF, new CallbackHandler()
{