[jboss-cvs] Picketlink SVN: r259 - in federation/trunk: picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp and 9 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Wed May 26 00:31:33 EDT 2010
Author: anil.saldhana at jboss.com
Date: 2010-05-26 00:31:28 -0400 (Wed, 26 May 2010)
New Revision: 259
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/PBEUtils.java
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/config/PBEUtilsUnitTestCase.java
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSConfigUnitTestCase.java
federation/trunk/picketlink-fed-core/src/test/resources/sts/picketlink-sts-maskedpasswd.xml
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/PicketLinkFederationConstants.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/CoreConfigUtil.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSUnitTestCase.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/saml/MetadataServlet.java
Log:
PLFED-73: password mask feature for PLFed config files
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -32,6 +32,7 @@
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
+import java.util.List;
import javax.crypto.SecretKey;
import javax.xml.bind.JAXBException;
@@ -41,6 +42,7 @@
import org.apache.catalina.connector.Request;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.EncryptionType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
@@ -101,7 +103,10 @@
try
{
this.keyManager = CoreConfigUtil.getTrustKeyManager(keyProvider);
- keyManager.setAuthProperties(keyProvider.getAuth());
+
+ List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
+ keyManager.setAuthProperties( authProperties );
+
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
catch(Exception e)
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -53,6 +53,7 @@
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.bindings.tomcat.TomcatRoleGenerator;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.IDPType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
@@ -907,7 +908,9 @@
try
{
this.keyManager = CoreConfigUtil.getTrustKeyManager(keyProvider);
- keyManager.setAuthProperties(keyProvider.getAuth());
+
+ List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
+ keyManager.setAuthProperties( authProperties );
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
catch(Exception e)
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -26,6 +26,7 @@
import java.net.URL;
import java.security.KeyPair;
import java.security.PublicKey;
+import java.util.List;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignatureException;
@@ -34,6 +35,7 @@
import org.apache.catalina.connector.Response;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
@@ -43,6 +45,7 @@
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
+import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.w3c.dom.Document;
@@ -88,7 +91,9 @@
Class<?> clazz = tcl.loadClass(keyManagerClassName);
this.keyManager = (TrustKeyManager) clazz.newInstance();
- keyManager.setAuthProperties(keyProvider.getAuth());
+
+ List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
+ keyManager.setAuthProperties( authProperties );
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
catch(Exception e)
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -27,6 +27,7 @@
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
+import java.util.List;
import javax.xml.bind.JAXBException;
@@ -35,6 +36,7 @@
import org.apache.catalina.connector.Request;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
@@ -44,6 +46,7 @@
import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.saml.v2.util.SignatureUtil;
+import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
import org.picketlink.identity.federation.saml.v2.assertion.EncryptedElementType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
@@ -88,7 +91,9 @@
Class<?> clazz = tcl.loadClass(keyManagerClassName);
this.keyManager = (TrustKeyManager) clazz.newInstance();
- keyManager.setAuthProperties(keyProvider.getAuth());
+
+ List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
+ keyManager.setAuthProperties( authProperties );
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
catch(Exception e)
Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/PicketLinkFederationConstants.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/PicketLinkFederationConstants.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/PicketLinkFederationConstants.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -44,4 +44,11 @@
String FILE_STORE_DIRECTORY = "/picketlink-store";
String IDP_PROPERTIES = "/identityproviders.properties";
String SP_PROPERTIES = "/serviceproviders.properties";
+
+ String SALT = "salt";
+ String ITERATION_COUNT = "iterationCount";
+
+ String PBE_ALGORITHM = "PBEwithMD5andDES";
+ //Prefix to indicate a particular configuration property value is masked
+ String PASS_MASK_PREFIX = "MASK-";
}
\ No newline at end of file
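Review bot: PASS_MASK_PREFIX needs a comment that sets expectations, because the masking scheme these constants describe is reversible by anyone who can read the config file: PBE_ALGORITHM is PKCS#5 v1.5 PBEwithMD5andDES, the PBE passphrase is a string constant in CoreConfigUtil.decryptPasswords and PBEUtils.main, and the SALT and ITERATION_COUNT values live in the same file as the MASK- value. I would replace the one-line comment with `// Masking is reversible obfuscation (fixed PBE passphrase in PBEUtils, salt/iterationCount in the same file); protect the config with file permissions, MASK- only keeps the clear text out of casual view.` It is also worth noting next to SALT and ITERATION_COUNT that CoreConfigUtil matches these keys case-insensitively, so the constants are documentation of the canonical spelling rather than the only accepted form.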
Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/CoreConfigUtil.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/CoreConfigUtil.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/CoreConfigUtil.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -21,11 +21,23 @@
*/
package org.picketlink.identity.federation.core.util;
+import java.io.UnsupportedEncodingException;
+import java.security.GeneralSecurityException;
import java.security.PublicKey;
+import java.util.ArrayList;
+import java.util.List;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+
import org.apache.log4j.Logger;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
+import org.picketlink.identity.federation.core.config.KeyValueType;
import org.picketlink.identity.federation.core.config.ProviderType;
+import org.picketlink.identity.federation.core.constants.PicketLinkFederationConstants;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
@@ -110,4 +122,124 @@
return trustKeyManager.getValidatingKey(domain);
}
+
+ /**
+ * Given a {@code KeyProviderType}, return the list of auth properties that have been decrypted for any
+ * masked password
+ * @param keyProviderType
+ * @return
+ * @throws GeneralSecurityException
+ */
+ @SuppressWarnings("unchecked")
+ public static List<AuthPropertyType> getKeyProviderProperties( KeyProviderType keyProviderType ) throws GeneralSecurityException
+ {
+ List<AuthPropertyType> authProperties = keyProviderType.getAuth();
+ if( decryptionNeeded( authProperties ))
+ authProperties = decryptPasswords(authProperties);
+
+ return authProperties;
+ }
+
+ /**
+ * Given a key value list, check if decrypt of any properties is needed.
+ * Unless one of the keys is "salt", we cannot figure out is decrypt is needed
+ * @param keyValueList
+ * @return
+ */
+ public static boolean decryptionNeeded( List<? extends KeyValueType> keyValueList )
+ {
+ int length = keyValueList.size();
+
+ //Let us run through the list to see if there is any salt
+ for( int i = 0 ; i < length; i++ )
+ {
+ KeyValueType kvt = keyValueList.get( i );
+
+ String key = kvt.getKey();
+ if(PicketLinkFederationConstants.SALT.equalsIgnoreCase( key ) )
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Given a key value pair read from PicketLink configuration, ensure
+ * that we replace the masked passwords with the decoded passwords
+ * and pass it back
+ *
+ * @param keyValueList
+ * @return
+ * @throws GeneralSecurityException
+ * @throws Exception
+ */
+ @SuppressWarnings("unchecked")
+ public static List decryptPasswords( List keyValueList ) throws GeneralSecurityException
+ {
+ String pbeAlgo = PicketLinkFederationConstants.PBE_ALGORITHM;
+
+ String salt = null;
+ int iterationCount = 0;
+
+ int length = keyValueList.size();
+
+ //Let us run through the list to see if there is any salt
+ for( int i = 0 ; i < length; i++ )
+ {
+ KeyValueType kvt = (KeyValueType) keyValueList.get( i );
+
+ String key = kvt.getKey();
+ if(PicketLinkFederationConstants.SALT.equalsIgnoreCase( key ) )
+ salt = kvt.getValue();
+ if(PicketLinkFederationConstants.ITERATION_COUNT.equalsIgnoreCase( key ) )
+ iterationCount = Integer.parseInt( kvt.getValue() );
+ }
+
+ if( salt == null )
+ return keyValueList;
+
+ //Ok. there is a salt configured. So we have some properties with masked values
+ List<KeyValueType> returningList = new ArrayList<KeyValueType>();
+
+ // Create the PBE secret key
+ SecretKeyFactory factory = SecretKeyFactory.getInstance( pbeAlgo );
+
+ char[] password = "somearbitrarycrazystringthatdoesnotmatter".toCharArray();
+ PBEParameterSpec cipherSpec = new PBEParameterSpec( salt.getBytes(), iterationCount );
+ PBEKeySpec keySpec = new PBEKeySpec(password);
+ SecretKey cipherKey = factory.generateSecret(keySpec);
+
+
+ for( int i = 0 ; i < length; i++ )
+ {
+ KeyValueType kvt = (KeyValueType) keyValueList.get( i );
+
+ String val = kvt.getValue();
+ if( val.startsWith( PicketLinkFederationConstants.PASS_MASK_PREFIX) )
+ {
+ val = val.substring( PicketLinkFederationConstants.PASS_MASK_PREFIX.length() );
+ String decodedValue;
+ try
+ {
+ decodedValue = PBEUtils.decode64( val, pbeAlgo , cipherKey, cipherSpec);
+ }
+ catch (UnsupportedEncodingException e)
+ {
+ throw new RuntimeException( e );
+ }
+
+ KeyValueType newKVT = new KeyValueType();
+ if( keyValueList.get( 0 ) instanceof AuthPropertyType )
+ newKVT = new AuthPropertyType();
+ newKVT.setKey( kvt.getKey() );
+ newKVT.setValue( new String( decodedValue ) );
+ returningList.add( newKVT );
+ }
+ else
+ {
+ returningList.add( kvt );
+ }
+ }
+
+ return returningList;
+ }
}
\ No newline at end of file
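Review bot: decryptPasswords hands the whole configured salt to PBEParameterSpec (`salt.getBytes()`), while the encoding tool in PBEUtils.main truncates it to 8 bytes (`args[0].substring(0, 8)`), so a salt longer than 8 characters is encoded under one salt and decoded under another; PBEwithMD5andDES is PKCS#5 v1.5 and, as far as I recall, the SunJCE provider rejects any salt that is not exactly 8 bytes. Validate up front instead of letting Cipher.init fail with an opaque error: `byte[] saltBytes = salt.getBytes("UTF-8"); if (saltBytes.length != 8 || iterationCount <= 0) throw new GeneralSecurityException("salt must be 8 bytes and iterationCount a positive integer");` — iterationCount is otherwise silently 0 when the property is absent, and the platform-default `getBytes()` should match the UTF-8 used by PBEUtils.decode64. `val.startsWith(...)` throws NullPointerException for an Auth/Property element with no Value, and the AuthPropertyType check inspects `keyValueList.get(0)` rather than the entry being copied; `kvt instanceof AuthPropertyType` is what is meant, and `new String(decodedValue)` is a no-op copy. Because the PBE passphrase is a constant in this method, de-masking needs nothing a reader of the config does not already have; the javadoc should say plainly that this is obfuscation rather than protection of the keystore password.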
Added: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/PBEUtils.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/PBEUtils.java (rev 0)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/PBEUtils.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -0,0 +1,104 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.core.util;
+
+import java.io.UnsupportedEncodingException;
+import java.security.GeneralSecurityException;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+
+/**
+ * Utility dealing with Password Based Encryption
+ * (Code is ripped off of the PBEUtils class in JBossSecurity/PicketBox)
+ * @author Scott.Stark at jboss.org
+ * @author Anil.Saldhana at redhat.com
+ * @since May 25, 2010
+ */
+public class PBEUtils
+{
+ public static byte[] encode(byte[] secret, String cipherAlgorithm,
+ SecretKey cipherKey, PBEParameterSpec cipherSpec)
+ throws Exception
+ {
+ Cipher cipher = Cipher.getInstance(cipherAlgorithm);
+ cipher.init(Cipher.ENCRYPT_MODE, cipherKey, cipherSpec);
+ byte[] encoding = cipher.doFinal(secret);
+ return encoding;
+ }
+
+ public static String encode64(byte[] secret, String cipherAlgorithm,
+ SecretKey cipherKey, PBEParameterSpec cipherSpec)
+ throws Exception
+ {
+ byte[] encoding = encode(secret, cipherAlgorithm, cipherKey, cipherSpec);
+ String b64 = Base64.encodeBytes( encoding );
+ return b64;
+ }
+
+ public static byte[] decode(byte[] secret, String cipherAlgorithm,
+ SecretKey cipherKey, PBEParameterSpec cipherSpec) throws GeneralSecurityException
+ {
+ Cipher cipher = Cipher.getInstance(cipherAlgorithm);
+ cipher.init(Cipher.DECRYPT_MODE, cipherKey, cipherSpec);
+ byte[] decode = cipher.doFinal(secret);
+ return decode;
+ }
+
+ public static String decode64(String secret, String cipherAlgorithm,
+ SecretKey cipherKey, PBEParameterSpec cipherSpec) throws GeneralSecurityException, UnsupportedEncodingException
+ {
+ byte[] encoding = Base64.decode( secret );
+ byte[] decode = decode(encoding, cipherAlgorithm, cipherKey, cipherSpec);
+ return new String(decode, "UTF-8");
+ }
+
+ public static void main(String[] args) throws Exception
+ {
+ if( args.length != 3 )
+ {
+ System.err.println(
+ "Encrypt a password"
+ + "Usage: PBEUtils salt count domain-password password"
+ +" salt : the Salt "
+ +" count : the IterationCount "
+ +" password : the plaintext password that should be encrypted"
+ );
+ throw new RuntimeException( " ERROR: please see format above" );
+ }
+
+ byte[] salt = args[0].substring(0, 8).getBytes();
+ int count = Integer.parseInt(args[1]);
+ char[] password = "somearbitrarycrazystringthatdoesnotmatter".toCharArray();
+ byte[] passwordToEncode = args[2].getBytes("UTF-8");
+ PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, count);
+ PBEKeySpec keySpec = new PBEKeySpec(password);
+ SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEwithMD5andDES");
+ SecretKey cipherKey = factory.generateSecret(keySpec);
+ String encodedPassword = encode64(passwordToEncode, "PBEwithMD5andDES",
+ cipherKey, cipherSpec);
+ System.err.println("Encoded password: MASK-"+encodedPassword);
+ }
+}
\ No newline at end of file
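Review bot: The usage text in main (`Usage: PBEUtils salt count domain-password password`) lists four arguments while the guard `args.length != 3` and the use of `args[2]` take three; the `domain-password` token is left over from the PicketBox original this was copied from and will mislead operators, and the concatenated fragments have no `\n` between them so they print as one run-on line. I would change it to `"Encrypt a password\nUsage: PBEUtils salt count password\n salt : 8-character salt\n count : iteration count\n password : plaintext to mask\n"`. `args[0].substring(0, 8)` throws StringIndexOutOfBoundsException for a salt shorter than 8 characters and silently truncates a longer one, which CoreConfigUtil.decryptPasswords in this same commit does not do, so the two sides disagree on anything but an 8-character salt; check `args[0].length() == 8` and fail with a clear message. `getBytes()` on the salt uses the platform charset while decode64 decodes with UTF-8, so pass `"UTF-8"` on both sides, and encode/encode64 declaring `throws Exception` where decode/decode64 declare GeneralSecurityException is an inconsistency worth fixing while the file is new.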
Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -25,8 +25,10 @@
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.ClaimsProcessorType;
import org.picketlink.identity.federation.core.config.ClaimsProcessorsType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
@@ -37,6 +39,7 @@
import org.picketlink.identity.federation.core.config.TokenProviderType;
import org.picketlink.identity.federation.core.config.TokenProvidersType;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
+import org.picketlink.identity.federation.core.util.CoreConfigUtil;
/**
* <p>
@@ -80,6 +83,7 @@
*
* @param config a reference to the object that holds the configuration of the STS.
*/
+ @SuppressWarnings("unchecked")
public PicketLinkSTSConfiguration(STSType config)
{
this.delegate = config;
@@ -95,8 +99,25 @@
{
// get the properties that have been configured for the token provider.
Map<String, String> properties = new HashMap<String, String>();
+
+ List<KeyValueType> providerPropertiesList = provider.getProperty();
+
+ //Decode any passwords
+ try
+ {
+ if( CoreConfigUtil.decryptionNeeded( providerPropertiesList ))
+ providerPropertiesList = (List<KeyValueType>) CoreConfigUtil.decryptPasswords( providerPropertiesList );
+
+ for (KeyValueType propertyType : providerPropertiesList )
+ properties.put(propertyType.getKey(), propertyType.getValue());
+ }
+ catch (Exception e)
+ {
+ throw new RuntimeException( e );
+ }
+ /*
for (KeyValueType propertyType : provider.getProperty())
- properties.put(propertyType.getKey(), propertyType.getValue());
+ properties.put(propertyType.getKey(), propertyType.getValue());*/
// create and initialize the token provider.
SecurityTokenProvider tokenProvider = WSTrustServiceFactory.getInstance().createTokenProvider(
provider.getProviderClass(), properties);
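Review bot: The commented-out original loop left at the end of the hunk (`/* for (KeyValueType propertyType : provider.getProperty()) ... */`) should be deleted rather than kept as a reminder; version control already holds it. The `decryptionNeeded` pre-check is redundant, since CoreConfigUtil.decryptPasswords in this same commit returns the list unchanged when no salt key is present, so the check only saves a second scan of a short list. Wrapping every failure in a bare `throw new RuntimeException(e)` loses which provider's configuration could not be de-masked; at minimum say so in the message, `throw new RuntimeException("Unable to de-mask properties for token provider " + provider.getProviderClass(), e);`. The constructor-wide `@SuppressWarnings("unchecked")` added above covers far more than the one cast that needs it; it belongs on the smallest scope that holds the cast.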
@@ -115,8 +136,21 @@
{
// get the properties that have been configured for the claims processor.
Map<String, String> properties = new HashMap<String, String>();
- for (KeyValueType propertyType : processor.getProperty())
- properties.put(propertyType.getKey(), propertyType.getValue());
+ List<KeyValueType> processorPropertiesList = processor.getProperty();
+
+ //Decode any passwords
+ try
+ {
+ if( CoreConfigUtil.decryptionNeeded( processorPropertiesList ))
+ processorPropertiesList = (List<KeyValueType>) CoreConfigUtil.decryptPasswords( processorPropertiesList );
+
+ for (KeyValueType propertyType : processorPropertiesList )
+ properties.put(propertyType.getKey(), propertyType.getValue());
+ }
+ catch (Exception e)
+ {
+ throw new RuntimeException( e );
+ }
// create and initialize the claims processor.
ClaimsProcessor claimsProcessor = WSTrustServiceFactory.getInstance().createClaimsProcessor(
processor.getProcessorClass(), properties);
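Review bot: The de-masking block for claims processors is a line-for-line copy of the one written for token providers a few lines earlier in this constructor, including the `catch (Exception e)` that swallows the exception type; a private helper that turns a configured Key/Value list into the property map removes the duplication and confines the unchecked cast to one place. The helper catches GeneralSecurityException, which is what decryptPasswords declares, so `java.security.GeneralSecurityException` would need importing; the constructor's `@SuppressWarnings("unchecked")` then moves onto the helper. The enclosing constructor starts before this hunk and continues after it.

```java
// … unchanged: start of constructor, token-provider loop …
Map<String, String> properties = toPropertyMap(processor.getProperty());
// … unchanged: claims processor creation …

/**
 * Copies the configured Key/Value pairs into a map, replacing any
 * MASK- values with their de-masked clear text.
 */
@SuppressWarnings("unchecked")
private static Map<String, String> toPropertyMap(List<KeyValueType> configured)
{
   List<KeyValueType> entries = configured;
   try
   {
      if (CoreConfigUtil.decryptionNeeded(entries))
         entries = (List<KeyValueType>) CoreConfigUtil.decryptPasswords(entries);
   }
   catch (GeneralSecurityException e)
   {
      throw new RuntimeException("Unable to de-mask configuration properties", e);
   }
   Map<String, String> properties = new HashMap<String, String>();
   for (KeyValueType propertyType : entries)
      properties.put(propertyType.getKey(), propertyType.getValue());
   return properties;
}
```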
@@ -140,8 +174,11 @@
String keyManagerClassName = keyProviderType.getClassName();
try
{
+ //Decrypt/de-mask the passwords if any
+ List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProviderType);
+
this.trustManager = (TrustKeyManager) SecurityActions.instantiateClass(keyManagerClassName);
- this.trustManager.setAuthProperties(keyProviderType.getAuth());
+ this.trustManager.setAuthProperties( authProperties );
this.trustManager.setValidatingAlias(keyProviderType.getValidatingAlias());
}
catch (Exception e)
Added: federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/config/PBEUtilsUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/config/PBEUtilsUnitTestCase.java (rev 0)
+++ federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/config/PBEUtilsUnitTestCase.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -0,0 +1,69 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.core.config;
+
+import static org.junit.Assert.assertEquals;
+
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+
+import org.junit.Test;
+import org.picketlink.identity.federation.core.constants.PicketLinkFederationConstants;
+import org.picketlink.identity.federation.core.util.PBEUtils;
+
+/**
+ * Test the masking of the password using {@code PBEUtils}
+ * @author Anil.Saldhana at redhat.com
+ * @since May 25, 2010
+ */
+public class PBEUtilsUnitTestCase
+{
+ @Test
+ public void testPBE() throws Exception
+ {
+ String pass = "testpass";
+
+ String salt = "18273645";
+ int iterationCount = 56;
+
+
+ String pbeAlgo = PicketLinkFederationConstants.PBE_ALGORITHM;
+ SecretKeyFactory factory = SecretKeyFactory.getInstance( pbeAlgo );
+
+ char[] password = "somearbitrarycrazystringthatdoesnotmatter".toCharArray();
+ PBEParameterSpec cipherSpec = new PBEParameterSpec( salt.getBytes(), iterationCount );
+ PBEKeySpec keySpec = new PBEKeySpec(password);
+ SecretKey cipherKey = factory.generateSecret(keySpec);
+
+ String encodedPass = PBEUtils.encode64(pass.getBytes(), pbeAlgo , cipherKey, cipherSpec);
+
+ System.out.println( getClass().getCanonicalName() + ":encoded=" + encodedPass );
+
+ //Decode the stuff
+ cipherKey = factory.generateSecret(keySpec);
+ String decodedPass = PBEUtils.decode64(encodedPass, pbeAlgo, cipherKey, cipherSpec);
+
+ assertEquals( "Passwords match", pass, decodedPass );
+ }
+}
\ No newline at end of file
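Review bot: `pass.getBytes()` on the encode side uses the platform default charset while PBEUtils.decode64 decodes with UTF-8, so the round trip only holds because "testpass" is ASCII; use `pass.getBytes("UTF-8")` so the test reflects the contract. The test exercises only the PBEUtils round trip with an 8-character salt and never calls CoreConfigUtil.decryptPasswords, which is the code the rest of this commit depends on, nor a salt of any other length, which is where the encode/decode sides of this commit disagree; a case feeding a MASK- value through decryptPasswords with a salt and iterationCount entry would cover both. The second `factory.generateSecret(keySpec)` before decoding is redundant, since the SecretKey obtained above is unchanged by encoding.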
Added: federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSConfigUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSConfigUnitTestCase.java (rev 0)
+++ federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSConfigUnitTestCase.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -0,0 +1,52 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.core.wstrust;
+
+import static org.junit.Assert.assertNotNull;
+
+import java.security.cert.Certificate;
+
+import org.junit.Test;
+import org.picketlink.identity.federation.core.wstrust.STSConfiguration;
+import org.picketlink.test.identity.federation.core.wstrust.PicketLinkSTSUnitTestCase.TestSTS;
+
+/**
+ * Unit test various aspects of the sts configuration
+ * @author Anil.Saldhana at redhat.com
+ * @since May 25, 2010
+ */
+public class PicketLinkSTSConfigUnitTestCase
+{
+ @Test
+ public void testMaskedPassword() throws Exception
+ {
+ PicketLinkSTSUnitTestCase plstsTest = new PicketLinkSTSUnitTestCase();
+ TestSTS sts = plstsTest.new TestSTS("sts/picketlink-sts-maskedpasswd.xml");
+
+ STSConfiguration stsConfiguration = sts.getConfiguration();
+ Certificate cert = stsConfiguration.getCertificate( "service1" );
+ assertNotNull( "cert is not null", cert );
+
+ cert = stsConfiguration.getCertificate( "service2" );
+ assertNotNull( "cert is not null", cert );
+ }
+}
\ No newline at end of file
Modified: federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSUnitTestCase.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSUnitTestCase.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -1382,6 +1382,16 @@
*/
class TestSTS extends PicketLinkSTS
{
+ private String configFileName = "sts/picketlink-sts.xml";
+
+ TestSTS()
+ {
+ }
+
+ TestSTS( String configFileName )
+ {
+ this.configFileName = configFileName;
+ }
@Override
public STSConfiguration getConfiguration() throws ConfigurationException
@@ -1389,7 +1399,7 @@
InputStream stream;
try
{
- URL configURL = Thread.currentThread().getContextClassLoader().getResource("sts/picketlink-sts.xml");
+ URL configURL = Thread.currentThread().getContextClassLoader().getResource( configFileName );
stream = configURL.openStream();
STSType stsConfig = WSTrustUtil.getSTSConfiguration(stream);
Added: federation/trunk/picketlink-fed-core/src/test/resources/sts/picketlink-sts-maskedpasswd.xml
===================================================================
--- federation/trunk/picketlink-fed-core/src/test/resources/sts/picketlink-sts-maskedpasswd.xml (rev 0)
+++ federation/trunk/picketlink-fed-core/src/test/resources/sts/picketlink-sts-maskedpasswd.xml 2010-05-26 04:31:28 UTC (rev 259)
@@ -0,0 +1,33 @@
+<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
+ STSName="Test STS" TokenTimeout="7200" EncryptToken="false">
+ <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
+ <Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/>
+ <Auth Key="KeyStorePass" Value="MASK-j0zEeKjP7IBywzHTUBd0MQ=="/>
+ <Auth Key="SigningKeyAlias" Value="sts"/>
+ <Auth Key="SigningKeyPass" Value="MASK-ir6cKDE6OoQ="/>
+ <Auth Key="salt" Value="18273645"/>
+ <Auth Key="iterationCount" Value="56"/>
+ <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
+ <ValidatingAlias Key="http://services.testcorp.org/provider2" Value="service2"/>
+ </KeyProvider>
+ <RequestHandler>org.picketlink.identity.federation.core.wstrust.StandardRequestHandler</RequestHandler>
+ <TokenProviders>
+ <TokenProvider ProviderClass="org.picketlink.test.identity.federation.core.wstrust.SpecialTokenProvider"
+ TokenType="http://www.tokens.org/SpecialToken"
+ TokenElement="SpecialToken"
+ TokenElementNS="http://www.tokens.org">
+ <Property Key="Property1" Value="Value1"/>
+ <Property Key="Property2" Value="Value2"/>
+ </TokenProvider>
+ <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
+ TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
+ TokenElement="Assertion"
+ TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
+ </TokenProviders>
+ <ServiceProviders>
+ <ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://www.tokens.org/SpecialToken"
+ TruststoreAlias="service1"/>
+ <ServiceProvider Endpoint="http://services.testcorp.org/provider2" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
+ TruststoreAlias="service2"/>
+ </ServiceProviders>
+</PicketLinkSTS>
\ No newline at end of file
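Review bot: The fixture stores the `salt` and `iterationCount` Auth entries in cleartext directly beside the `MASK-` values they presumably unmask (PBEUtils is added in this revision but not visible here), so a reader of this file has everything needed to recover `KeyStorePass` and `SigningKeyPass`; the fixture should say so, to stop it being copied as a template for production configs. Suggested comment above the KeyProvider element: `<!-- Test fixture only: MASK- values are obfuscated, not encrypted; the salt and iterationCount that reverse them are in this same file. -->`. The lowercase `salt`/`iterationCount` keys also differ from the UpperCamel convention of the other Auth keys, which is worth a note if the consumer matches them by exact string.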
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -59,6 +59,7 @@
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.config.SPType;
import org.picketlink.identity.federation.core.config.TrustType;
@@ -90,6 +91,7 @@
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
+import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
@@ -539,7 +541,10 @@
Class<?> clazz = tcl.loadClass(keyManagerClassName);
this.keyManager = (TrustKeyManager) clazz.newInstance();
- keyManager.setAuthProperties(keyProvider.getAuth());
+
+ List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
+ keyManager.setAuthProperties( authProperties );
+
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
catch(Exception e)
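Review bot: If `CoreConfigUtil.getKeyProviderProperties(keyProvider)` returns the unmasked key-store and signing-key passwords (as the PBEUtils addition in this revision suggests), `authProperties` now holds cleartext secrets, so the `catch(Exception e)` that follows must not log the property list or the provider config, and the local should not outlive the `setAuthProperties` call; a one-line comment such as `// authProperties may contain unmasked passwords — do not log` would make that explicit. The same three-line block is repeated verbatim in IDPServlet and MetadataServlet in this revision, which argues for a single helper in CoreConfigUtil that builds and initialises the TrustKeyManager from a KeyProviderType. Minor: `setAuthProperties( authProperties )` uses padded parentheses while the surrounding lines in this file do not. The enclosing method starts and ends outside the hunk.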
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -42,6 +42,7 @@
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.IDPType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
@@ -70,6 +71,7 @@
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
+import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
@@ -199,7 +201,10 @@
Class<?> clazz = tcl.loadClass(keyManagerClassName);
this.keyManager = (TrustKeyManager) clazz.newInstance();
- keyManager.setAuthProperties(keyProvider.getAuth());
+
+ List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
+
+ keyManager.setAuthProperties( authProperties );
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
catch(Exception e)
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/saml/MetadataServlet.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/saml/MetadataServlet.java 2010-05-25 22:28:02 UTC (rev 258)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/saml/MetadataServlet.java 2010-05-26 04:31:28 UTC (rev 259)
@@ -41,6 +41,7 @@
import org.picketlink.identity.federation.api.saml.v2.metadata.KeyDescriptorMetaDataBuilder;
import org.picketlink.identity.federation.api.saml.v2.metadata.MetaDataBuilder;
import org.picketlink.identity.federation.api.util.KeyUtil;
+import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.config.KeyValueType;
import org.picketlink.identity.federation.core.config.MetadataProviderType;
@@ -48,6 +49,7 @@
import org.picketlink.identity.federation.core.interfaces.IMetadataProvider;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants;
+import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
import org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType;
import org.picketlink.identity.federation.saml.v2.metadata.KeyDescriptorType;
@@ -140,7 +142,9 @@
clazz = tcl.loadClass(keyManagerClassName);
this.keyManager = (TrustKeyManager) clazz.newInstance();
- keyManager.setAuthProperties(keyProvider.getAuth());
+
+ List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
+ keyManager.setAuthProperties( authProperties );
Certificate cert = keyManager.getCertificate(signingAlias);
KeyInfoType keyInfo = KeyUtil.getKeyInfo(cert);