
Example 66 with SecurityContext

use of org.apache.cxf.security.SecurityContext in project cxf by apache.

the class AbstractSamlInHandler method setSecurityContext.

/**
 * Stores the {@link SecurityContext} produced by the configured provider on the message.
 * When no provider ({@code scProvider}) is configured the message is left untouched.
 *
 * @param message the inbound message that receives the security context
 * @param wrapper the SAML assertion the provider derives the context from
 */
protected void setSecurityContext(Message message, SamlAssertionWrapper wrapper) {
    if (scProvider == null) {
        return;
    }
    final SecurityContext created = scProvider.getSecurityContext(message, wrapper);
    message.put(SecurityContext.class, created);
}

Example 67 with SecurityContext

use of org.apache.cxf.security.SecurityContext in project cxf by apache.

the class AbstractHTTPDestination method setupMessage.

/**
 * Populates the inbound CXF {@code Message} from the servlet request: the request body stream,
 * HTTP metadata (method, URI, URL, paths, content type, query string, Accept header), a
 * servlet-backed {@link SecurityContext}, the {@code AuthorizationPolicy} derived from the
 * Authorization header, and the certificate-constraints interceptor.
 *
 * @param inMessage the inbound message being populated
 * @param config    the servlet configuration, stored under {@code HTTP_CONFIG}
 * @param context   the servlet context, stored under {@code HTTP_CONTEXT}
 * @param req       the servlet request whose properties are copied onto the message
 * @param resp      the servlet response, stored under {@code HTTP_RESPONSE}
 * @throws IOException propagated from the servlet API, e.g. from {@code req.getInputStream()}
 */
protected void setupMessage(final Message inMessage, final ServletConfig config, final ServletContext context, final HttpServletRequest req, final HttpServletResponse resp) throws IOException {
    setupContinuation(inMessage, req, resp);
    final Exchange exchange = inMessage.getExchange();
    // Wrap the request body so it can be cached on demand; the snapshot below is taken
    // only for exchanges whose request may be needed after the body has been consumed.
    DelegatingInputStream in = new DelegatingInputStream(req.getInputStream()) {

        public void cacheInput() {
            if (!cached && (exchange.isOneWay() || isWSAddressingReplyToSpecified(exchange))) {
                // For one-ways and WS-Addressing invocations with ReplyTo address,
                // we need to cache the values of the HttpServletRequest
                // so they can be queried later for things like paths and schemes
                // and such like that.
                // Please note, exchange used to always get the "current" message
                exchange.getInMessage().put(HTTP_REQUEST, new HttpServletRequestSnapshot(req));
            }
            super.cacheInput();
        }

        // True when the inbound MAPs carry a ReplyTo that is not the anonymous/none address.
        private boolean isWSAddressingReplyToSpecified(Exchange ex) {
            AddressingProperties map = ContextUtils.retrieveMAPs(ex.getInMessage(), false, false, false);
            return map != null && !ContextUtils.isGenericAddress(map.getReplyTo());
        }
    };
    // The same wrapper is exposed under both content keys.
    inMessage.setContent(DelegatingInputStream.class, in);
    inMessage.setContent(InputStream.class, in);
    inMessage.put(HTTP_REQUEST, req);
    inMessage.put(HTTP_RESPONSE, resp);
    inMessage.put(HTTP_CONTEXT, context);
    inMessage.put(HTTP_CONFIG, config);
    inMessage.put(HTTP_CONTEXT_MATCH_STRATEGY, contextMatchStrategy);
    inMessage.put(Message.HTTP_REQUEST_METHOD, req.getMethod());
    String requestURI = req.getRequestURI();
    inMessage.put(Message.REQUEST_URI, requestURI);
    String requestURL = req.getRequestURL().toString();
    inMessage.put(Message.REQUEST_URL, requestURL);
    // Context and servlet paths are normalised to "" so they can be concatenated safely.
    String contextPath = req.getContextPath();
    if (contextPath == null) {
        contextPath = "";
    }
    String servletPath = req.getServletPath();
    if (servletPath == null) {
        servletPath = "";
    }
    String contextServletPath = contextPath + servletPath;
    String pathInfo = req.getPathInfo();
    // PATH_INFO is the full path relative to the host: context + servlet + extra path info,
    // or the raw request URI when the container reports no path info.
    if (pathInfo != null) {
        inMessage.put(Message.PATH_INFO, contextServletPath + pathInfo);
    } else {
        inMessage.put(Message.PATH_INFO, requestURI);
    }
    if (!StringUtils.isEmpty(requestURI)) {
        // NOTE(review): indexOf() takes the first occurrence of the URI text in the URL; if
        // the same text also appears earlier (e.g. in the host part) the base path would be
        // computed from that earlier position -- confirm whether callers can hit this.
        int index = requestURL.indexOf(requestURI);
        if (index > 0) {
            // Can be useful for referencing resources with URIs not covered by CXFServlet.
            // For example, if we a have web application name 'app' and CXFServlet listening
            // on "/services/*" then having HTTP_BASE_PATH pointing to say
            // http://localhost:8080/app will make it easy to refer to non CXF resources
            String schemaInfo = requestURL.substring(0, index);
            String basePathWithContextOnly = schemaInfo + contextPath;
            inMessage.put(HTTP_BASE_PATH, basePathWithContextOnly);
        }
    } else if (!StringUtils.isEmpty(servletPath) && requestURL.endsWith(servletPath)) {
        // No request URI reported: fall back to stripping the trailing servlet path.
        int index = requestURL.lastIndexOf(servletPath);
        if (index > 0) {
            inMessage.put(HTTP_BASE_PATH, requestURL.substring(0, index));
        }
    }
    String contentType = req.getContentType();
    inMessage.put(Message.CONTENT_TYPE, contentType);
    setEncoding(inMessage, req, contentType);
    inMessage.put(Message.QUERY_STRING, req.getQueryString());
    inMessage.put(Message.ACCEPT_CONTENT_TYPE, req.getHeader("Accept"));
    String basePath = getBasePath(contextServletPath);
    if (!StringUtils.isEmpty(basePath)) {
        inMessage.put(Message.BASE_PATH, basePath);
    }
    inMessage.put(Message.FIXED_PARAMETER_ORDER, isFixedParameterOrder());
    inMessage.put(Message.ASYNC_POST_RESPONSE_DISPATCH, Boolean.TRUE);
    // Security context backed by the container's authentication: principal and role checks
    // delegate straight to the servlet request.
    SecurityContext httpSecurityContext = new SecurityContext() {

        public Principal getUserPrincipal() {
            return req.getUserPrincipal();
        }

        public boolean isUserInRole(String role) {
            return req.isUserInRole(role);
        }
    };
    inMessage.put(SecurityContext.class, httpSecurityContext);
    Headers headers = new Headers(inMessage);
    headers.copyFromRequest(req);
    // The Authorization header value is turned into an AuthorizationPolicy by a helper
    // defined elsewhere in this class; the container security context is passed along.
    String credentials = headers.getAuthorization();
    AuthorizationPolicy authPolicy = getAuthorizationPolicyFromMessage(credentials, httpSecurityContext);
    inMessage.put(AuthorizationPolicy.class, authPolicy);
    propogateSecureSession(req, inMessage);
    // Certificate constraints are stored on the message and enforced by the interceptor
    // registered below.
    inMessage.put(CertConstraints.class.getName(), certConstraints);
    inMessage.put(Message.IN_INTERCEPTORS, Arrays.asList(new Interceptor[] { CertConstraintsInterceptor.INSTANCE }));
}

Example 68 with SecurityContext

use of org.apache.cxf.security.SecurityContext in project cxf by apache.

the class WSS4JPrincipalInterceptor method handleMessage.

/**
 * Verifies that the message carries a {@link SecurityContext} with an authenticated principal
 * and, when {@code principalName} is configured, that the principal's name matches it.
 *
 * @param message the inbound SOAP message
 * @throws SoapFault with a server fault code if the security context or principal is missing,
 *                   or if the configured principal name does not match
 */
@Override
public void handleMessage(SoapMessage message) throws Fault {
    final SecurityContext securityContext = message.get(SecurityContext.class);
    if (securityContext == null) {
        throw serverFault("No Security Context");
    }
    final Principal principal = securityContext.getUserPrincipal();
    if (principal == null) {
        throw serverFault("No Security Principal");
    }
    // A null principalName means "any authenticated principal is acceptable".
    final boolean nameAccepted = principalName == null || principalName.equals(principal.getName());
    if (!nameAccepted) {
        throw serverFault("Security Principal does not match");
    }
}

/** Builds a SOAP fault with the server fault code and the given reason text. */
private static SoapFault serverFault(String reason) {
    return new SoapFault(reason, Fault.FAULT_CODE_SERVER);
}

Example 69 with SecurityContext

use of org.apache.cxf.security.SecurityContext in project cxf by apache.

the class SubjectCreatorImpl method createUserSubject.

/**
 * Builds the OIDC user subject for the current request from the {@link SecurityContext} stored
 * in the message context, resolves the claims implied by the requested scope, and attaches an
 * ID token obtained from {@code ID_TOKEN_PROVIDER}.
 *
 * @param mc     the JAX-RS message context holding the security context under its class name
 * @param params the request parameters; only {@code OAuthConstants.SCOPE} is consulted
 * @return the subject with its ID token populated
 */
@Override
public OidcUserSubject createUserSubject(MessageContext mc, MultivaluedMap<String, String> params) {
    final SecurityContext securityContext = (SecurityContext) mc.get(SecurityContext.class.getName());
    final OidcUserSubject subject = new OidcUserSubject(OAuthUtils.createSubject(mc, securityContext));
    final String requestedScope = params.getFirst(OAuthConstants.SCOPE);
    final boolean scopeRequested = requestedScope != null && !requestedScope.isEmpty();
    // Scope values are space-separated; an absent or empty scope yields no claims.
    final List<String> claims = scopeRequested
        ? OidcUtils.getScopeClaims(requestedScope.split(" "))
        : Collections.<String>emptyList();
    subject.setIdToken(ID_TOKEN_PROVIDER.getIdToken(null, subject, claims));
    return subject;
}

Example 70 with SecurityContext

use of org.apache.cxf.security.SecurityContext in project cxf by apache.

the class JAXRSIntermediaryPortTypeImpl method doubleIt.

/**
 * Forwards the call to the backend's transport-SAML2 port, propagating the caller's delegated
 * Kerberos credential when the current message carries a {@code KerberosSecurityContext}.
 *
 * @param numberToDouble the value passed through to the backend port
 * @return the backend's result
 */
public int doubleIt(int numberToDouble) {
    final DoubleItPortType backendPort = createBackendPort();
    attachDelegatedCredential(backendPort);
    return backendPort.doubleIt(numberToDouble);
}

/**
 * Looks up the {@code DoubleItTransportSAML2Port} from the bundled WSDL and re-targets its
 * address to {@code KerberosDelegationTokenTest.PORT}. Re-targeting is best effort: a failure
 * is printed and the port is returned as obtained from the service.
 */
private DoubleItPortType createBackendPort() {
    final URL wsdl = JAXRSIntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
    final Service service = Service.create(wsdl, SERVICE_QNAME);
    final QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
    final DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
    try {
        updateAddressPort(port, KerberosDelegationTokenTest.PORT);
    } catch (Exception ex) {
        ex.printStackTrace();
    }
    return port;
}

/**
 * Copies the delegated GSS credential from the current message's Kerberos security context
 * into the port's request context. Without a Kerberos context, or when the credential cannot
 * be obtained, the outbound call is made without a delegated credential.
 */
private void attachDelegatedCredential(DoubleItPortType port) {
    final SecurityContext securityContext = PhaseInterceptorChain.getCurrentMessage().get(SecurityContext.class);
    if (!(securityContext instanceof KerberosSecurityContext)) {
        return;
    }
    final KerberosSecurityContext kerberosContext = (KerberosSecurityContext) securityContext;
    try {
        final GSSCredential delegated = kerberosContext.getGSSContext().getDelegCred();
        final Map<String, Object> requestContext = ((BindingProvider) port).getRequestContext();
        requestContext.put(SecurityConstants.DELEGATED_CREDENTIAL, delegated);
    } catch (GSSException e) {
        // The credential could not be extracted; the error is reported and the call proceeds.
        e.printStackTrace();
    }
}
