Author: mwringe Date: 2011-02-07 17:29:41 -0500 (Mon, 07 Feb 2011) New Revision: 5856 Added: components/wsrp/trunk/ws-security/ components/wsrp/trunk/ws-security/jboss5/ components/wsrp/trunk/ws-security/jboss5/pom.xml components/wsrp/trunk/ws-security/jboss5/src/ components/wsrp/trunk/ws-security/jboss5/src/main/ components/wsrp/trunk/ws-security/jboss5/src/main/java/ components/wsrp/trunk/ws-security/jboss5/src/main/java/org/ components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/ components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/ components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/ components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ConsumerWSSecurityHandler.java components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ProducerWSSecurityHandler.java Log: GTNWSRP-123: initial support for wss. Is enough to get the seam example working. Added: components/wsrp/trunk/ws-security/jboss5/pom.xml =================================================================== --- components/wsrp/trunk/ws-security/jboss5/pom.xml (rev 0) +++ components/wsrp/trunk/ws-security/jboss5/pom.xml 2011-02-07 22:29:41 UTC (rev 5856) @@ -0,0 +1,126 @@ +<!-- + ~ JBoss, a division of Red Hat + ~ Copyright 2010, Red Hat Middleware, LLC, and individual + ~ contributors as indicated by the @authors tag. See the + ~ copyright.txt in the distribution for a full listing of + ~ individual contributors. + ~ + ~ This is free software; you can redistribute it and/or modify it + ~ under the terms of the GNU Lesser General Public License as + ~ published by the Free Software Foundation; either version 2.1 of + ~ the License, or (at your option) any later version. + ~ + ~ This software is distributed in the hope that it will be useful, + ~ but WITHOUT ANY WARRANTY; without even the implied warranty of + ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + ~ Lesser General Public License for more details. + ~ + ~ You should have received a copy of the GNU Lesser General Public + ~ License along with this software; if not, write to the Free + ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. + --> + +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> + <parent> + <groupId>org.gatein.wsrp</groupId> + <artifactId>wsrp-parent</artifactId> + <version>2.1.0-Alpha01-SNAPSHOT</version> + </parent> + <modelVersion>4.0.0</modelVersion> + <artifactId>wsrp-wss-jboss5</artifactId> + <packaging>jar</packaging> + <name>GateIn WSRP WS Security for JBoss 5</name> + + <dependencies> + <dependency> + <groupId>org.gatein.wsrp</groupId> + <artifactId>wsrp-common</artifactId> + </dependency> + <dependency> + <groupId>org.gatein.wsrp</groupId> + <artifactId>wsrp-integration-api</artifactId> + </dependency> + <dependency> + <groupId>org.gatein.wsrp</groupId> + <artifactId>wsrp-wsrp2-ws</artifactId> + </dependency> + + <dependency> + <groupId>org.gatein.common</groupId> + <artifactId>common-common</artifactId> + </dependency> + <dependency> + <groupId>org.gatein.pc</groupId> + <artifactId>pc-api</artifactId> + </dependency> + <dependency> + <groupId>org.gatein.pc</groupId> + <artifactId>pc-portlet</artifactId> + </dependency> + <dependency> + <groupId>org.gatein.pc</groupId> + <artifactId>pc-federation</artifactId> + </dependency> + +<!-- <dependency> + <groupId>org.jboss.ws</groupId> + <artifactId>jbossws-spi</artifactId> + <version>1.1.2.GA</version> + </dependency>--> + <dependency> + <groupId>org.jboss.ws.native</groupId> + <artifactId>jbossws-native-core</artifactId> + <version>3.1.2.GA</version> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>org.jboss.security</groupId> + <artifactId>jbosssx-client</artifactId> + <version>2.0.3.SP1</version> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>jboss.web</groupId> + <artifactId>jbossweb</artifactId> + <version>2.1.3.GA</version> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>org.jboss.jbossas</groupId> + <artifactId>jboss-as-tomcat</artifactId> + <version>5.1.0.GA</version> + <scope>provided</scope> + </dependency> + </dependencies> + + <!-- Ignore all classes in the org.gatein.wsrp.test packages as they are not tests --> + <build> + <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-surefire-plugin</artifactId> + <configuration> + <excludes> + <exclude>org/gatein/wsrp/test/**</exclude> + </excludes> + <!--<parallel>classes</parallel> + <threadCount>2</threadCount>--> + </configuration> + </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-jar-plugin</artifactId> + <version>2.2</version> + <executions> + <execution> + <goals> + <goal>test-jar</goal> + </goals> + </execution> + </executions> + </plugin> + </plugins> + </build> +</project> Added: components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ConsumerWSSecurityHandler.java =================================================================== --- components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ConsumerWSSecurityHandler.java (rev 0) +++ components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ConsumerWSSecurityHandler.java 2011-02-07 22:29:41 UTC (rev 5856) @@ -0,0 +1,166 @@ +/****************************************************************************** + * JBoss, a division of Red Hat * + * Copyright 2011, Red Hat Middleware, LLC, and individual * + * contributors as indicated by the @authors tag. See the * + * copyright.txt in the distribution for a full listing of * + * individual contributors. * + * * + * This is free software; you can redistribute it and/or modify it * + * under the terms of the GNU Lesser General Public License as * + * published by the Free Software Foundation; either version 2.1 of * + * the License, or (at your option) any later version. * + * * + * This software is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * + * Lesser General Public License for more details. * + * * + * You should have received a copy of the GNU Lesser General Public * + * License along with this software; if not, write to the Free * + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * + ******************************************************************************/ +package org.wsrp.wss.jboss5.handlers; + +import java.security.Principal; +import java.security.cert.X509Certificate; +import java.util.Set; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpSession; +import javax.xml.namespace.QName; +import javax.xml.soap.SOAPMessage; +import javax.xml.ws.handler.MessageContext; +import javax.xml.ws.handler.soap.SOAPHandler; +import javax.xml.ws.handler.soap.SOAPMessageContext; + +import org.gatein.wci.security.Credentials; +import org.gatein.wsrp.servlet.ServletAccess; +import org.jboss.aspects.security.SecurityClientInterceptor; +import org.jboss.security.SecurityAssociation; +import org.jboss.security.SecurityContextAssociation; +import org.jboss.security.SecurityContextUtil; +import org.jboss.security.client.SecurityClient; +import org.jboss.security.client.SecurityClientFactory; +import org.jboss.web.tomcat.security.SecurityAssociationValve; +import org.jboss.ws.extensions.security.Util; +import org.jboss.ws.extensions.security.element.SecurityHeader; +import org.jboss.ws.extensions.security.element.UsernameToken; +import org.jboss.ws.extensions.security.element.X509Token; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Element; + +/** + * @author <a href="mailto:mwringe@redhat.com">Matt Wringe</a> + * @version $Revision$ + */ +public class ConsumerWSSecurityHandler implements SOAPHandler<SOAPMessageContext> +{ + private static Logger log = LoggerFactory.getLogger(ConsumerWSSecurityHandler.class); + + public void close(MessageContext arg0) + { + //Nothing to do for now + } + + public boolean handleFault(SOAPMessageContext soapMessageContext) + { + return true; + } + + public boolean handleMessage(SOAPMessageContext soapMessageContext) + { + // outbound message means request + if (Boolean.TRUE.equals(soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) + { + return handleRequest(soapMessageContext); + } + else + { + return handleResponse(soapMessageContext); + } + } + + private boolean handleRequest(SOAPMessageContext soapMessageContext) + { + try + { + + log.debug("Attempting to convert security context to WS-Security header"); + + Principal principal = SecurityAssociation.getPrincipal(); + Object credential = SecurityAssociation.getCredential(); + + SOAPMessageContext smc = (SOAPMessageContext) soapMessageContext; + SOAPMessage message = smc.getMessage(); + SecurityHeader header = new SecurityHeader(message.getSOAPHeader().getOwnerDocument()); + + if (principal == null) + { + + log.debug("No principal to put in WS-Security header"); + return true; + + } + else if (credential instanceof X509Certificate[]) + { + + log.debug("Adding X509Token to WSRP WS-Security header"); + header.addToken(new X509Token(((X509Certificate[]) credential)[0], message.getSOAPHeader() + .getOwnerDocument())); + Element soapHeader = Util.findOrCreateSoapHeader(message.getSOAPHeader().getOwnerDocument() + .getDocumentElement()); + + Element wsse = header.getElement(); + wsse.setAttributeNS(soapHeader.getNamespaceURI(), soapHeader.getPrefix() + ":mustUnderstand", "1"); + soapHeader.insertBefore(wsse, soapHeader.getFirstChild()); + + } + else if (credential instanceof String) + { + + log.debug("Adding UsernameToken to WSRP WS-Security header"); + + boolean digest = false; + String nonce = null; + String created = null; + + header.addToken(new UsernameToken(principal.getName(), (String) credential, message.getSOAPHeader() + .getOwnerDocument(), digest, nonce, created)); + Element soapHeader = Util.findOrCreateSoapHeader(message.getSOAPHeader().getOwnerDocument() + .getDocumentElement()); + + Element wsse = header.getElement(); + wsse.setAttributeNS(soapHeader.getNamespaceURI(), soapHeader.getPrefix() + ":mustUnderstand", "1"); + soapHeader.insertBefore(wsse, soapHeader.getFirstChild()); + + } + else + { + + log.warn("Principal exists, but can not propogate in WS-Security header"); + + } + } + catch (Exception e) + { + e.printStackTrace(); + //throw new JAXRPCException(e); + } + + return true; + } + + private boolean handleResponse(SOAPMessageContext soapMessageContext) + { + return false; + } + + public Set<QName> getHeaders() + { + return null; + } + +} + Added: components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ProducerWSSecurityHandler.java =================================================================== --- components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ProducerWSSecurityHandler.java (rev 0) +++ components/wsrp/trunk/ws-security/jboss5/src/main/java/org/wsrp/wss/jboss5/handlers/ProducerWSSecurityHandler.java 2011-02-07 22:29:41 UTC (rev 5856) @@ -0,0 +1,183 @@ +/****************************************************************************** + * JBoss, a division of Red Hat * + * Copyright 2011, Red Hat Middleware, LLC, and individual * + * contributors as indicated by the @authors tag. See the * + * copyright.txt in the distribution for a full listing of * + * individual contributors. * + * * + * This is free software; you can redistribute it and/or modify it * + * under the terms of the GNU Lesser General Public License as * + * published by the Free Software Foundation; either version 2.1 of * + * the License, or (at your option) any later version. * + * * + * This software is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * + * Lesser General Public License for more details. * + * * + * You should have received a copy of the GNU Lesser General Public * + * License along with this software; if not, write to the Free * + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * + ******************************************************************************/ +package org.wsrp.wss.jboss5.handlers; + +import java.security.Principal; +import java.security.cert.X509Certificate; +import java.util.HashSet; +import java.util.Set; + +import javax.servlet.http.HttpServletRequest; +import javax.xml.namespace.QName; +import javax.xml.soap.SOAPMessage; +import javax.xml.ws.handler.MessageContext; +import javax.xml.ws.handler.soap.SOAPHandler; +import javax.xml.ws.handler.soap.SOAPMessageContext; + +import org.apache.catalina.connector.Request; +import org.gatein.wsrp.servlet.ServletAccess; +import org.jboss.web.tomcat.security.SecurityAssociationValve; +import org.jboss.ws.extensions.security.Constants; +import org.jboss.ws.extensions.security.Util; +import org.jboss.ws.extensions.security.element.BinarySecurityToken; +import org.jboss.ws.extensions.security.element.UsernameToken; +import org.jboss.ws.extensions.security.element.X509Token; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Element; + +/** + * @author <a href="mailto:mwringe@redhat.com">Matt Wringe</a> + * @version $Revision$ + */ +public class ProducerWSSecurityHandler implements SOAPHandler<SOAPMessageContext> +{ + private static Logger log = LoggerFactory.getLogger(ProducerWSSecurityHandler.class); + + public Set<QName> getHeaders() + { + Set<QName> qNames = new HashSet<QName>(); + qNames.add(Constants.WSSE_HEADER_QNAME); + return qNames; + } + + public void close(MessageContext arg0) + { + //Nothing to do for now + } + + public boolean handleFault(SOAPMessageContext arg0) + { + return false; + } + + public boolean handleMessage(SOAPMessageContext soapMessageContext) + { + // outbound message means request + if (Boolean.TRUE.equals(soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) + { + return handleRequest(soapMessageContext); + } + else + { + return handleResponse(soapMessageContext); + } + } + + private boolean handleResponse(SOAPMessageContext soapMessageContext) + { + try + { + log.debug("Attempting to extract WS-Security header and create user context"); + //final Request r = (Request)ServletAccess.getRequest(); + final Request r = (Request) (SecurityAssociationValve.activeRequest.get()); + + SOAPMessageContext smc = (SOAPMessageContext) soapMessageContext; + SOAPMessage message = smc.getMessage(); + + Element headerElement = Util.findElement(message.getSOAPHeader().getOwnerDocument().getDocumentElement(), + "Security", Constants.WSSE_NS); + + if (headerElement != null) + { + Element child = Util.getFirstChildElement(headerElement); + String tag = child.getLocalName(); + + if (tag.equals("BinarySecurityToken")) + { + + log.debug("Attempting to authenticate with a BinarySecurityToken"); + BinarySecurityToken token = BinarySecurityToken.createBinarySecurityToken(child); + if (token instanceof X509Token) + { + X509Certificate cert = ((X509Token) token).getCert(); + Principal principal = r.getContext().getRealm().authenticate(new X509Certificate[] + {cert}); + if (principal != null) + { + r.setAuthType(tag); + r.setUserPrincipal(principal); + } + else + { + throw new Exception("Could not authenticate principal from BinarySecurityToken"); + } + } + else + { + //throw new UnsupportedSecurityTokenException(tag + ": Only an X509 BinarySecurityToken is suppported."); + System.out.println(tag + ": Only an X509 BinarySecurityToken is suppported."); + } + + } + else if (tag.equals("UsernameToken")) + { + + log.debug("Attempting to authenticate with a UsernameToken"); + UsernameToken token = new UsernameToken(child); + Principal principal = r.getContext().getRealm().authenticate(token.getUsername(), token.getPassword()); + if (principal != null) + { + r.setAuthType(tag); + r.setUserPrincipal(principal); + } + else + { + throw new Exception("Could not authenticate from UsernameToken"); + } + + } + else + { + + //throw new UnsupportedSecurityTokenException(tag + ": Only BinarySecurityToken or UsernameToken is suppported."); + System.out.println(tag + ": Only BinarySecurityToken or UsernameToken is suppported."); + + } + + if (Util.getNextSiblingElement(headerElement) != null) + { + //throw new UnsupportedSecurityTokenException(tag + ": Only a single X509 BinarySecurityToken or UsernameToken is suppported."); + System.out.println(tag + ": Only a single X509 BinarySecurityToken or UsernameToken is suppported."); + } + + //Remove the header since it's been processed + headerElement.getParentNode().removeChild(headerElement); + } + } + catch (Exception e) + { + //throw new JAXRPCException(e); + e.printStackTrace(); + } + + return true; + } + + private boolean handleRequest(SOAPMessageContext soapMessageContext) + { + //The Producer should only handle setting the header for now + return false; + } + +}