- Subject: perfsonar: r3222 - in trunk/perfsonar_base/src/main/java/org/perfsonar: client/base/authn service/base/authn/tokens
- Date: Mon, 14 Jan 2008 08:34:40 -0500
Author: rodriguez
Date: 2008-01-14 08:34:40 -0500 (Mon, 14 Jan 2008)
New Revision: 3222
Modified:
trunk/perfsonar_base/src/main/java/org/perfsonar/client/base/authn/WSSAuthNSAMLData.java
trunk/perfsonar_base/src/main/java/org/perfsonar/client/base/authn/WSSAuthNX509Data.java
trunk/perfsonar_base/src/main/java/org/perfsonar/service/base/authn/tokens/SecTokenSOAPManager.java
Log:
- Adding the timestamp information in the WS-SEC header ensuring the security
of the model
- Workaround for the WE profile
Modified:
trunk/perfsonar_base/src/main/java/org/perfsonar/client/base/authn/WSSAuthNSAMLData.java
===================================================================
---
trunk/perfsonar_base/src/main/java/org/perfsonar/client/base/authn/WSSAuthNSAMLData.java
2008-01-14 13:32:59 UTC (rev 3221)
+++
trunk/perfsonar_base/src/main/java/org/perfsonar/client/base/authn/WSSAuthNSAMLData.java
2008-01-14 13:34:40 UTC (rev 3222)
@@ -1,19 +1,33 @@
package org.perfsonar.client.base.authn;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.cert.Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
+import java.util.Vector;
import org.apache.axis.Message;
import org.apache.axis.message.SOAPBodyElement;
import org.apache.axis.message.SOAPEnvelope;
+import org.apache.ws.security.SOAPConstants;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.components.crypto.CredentialException;
+import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSAMLToken;
+import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.util.Base64;
+import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAudienceRestrictionCondition;
import org.opensaml.SAMLAuthenticationStatement;
@@ -22,10 +36,12 @@
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.opensaml.XML;
+import org.perfsonar.base.auxiliary.components.authn.DynamicCrypto;
import org.perfsonar.base.auxiliary.components.authn.SOAPUtil;
import org.perfsonar.base.exceptions.PerfSONARException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import org.w3c.dom.Text;
public class WSSAuthNSAMLData implements AuthNSAMLData {
private String sigalg = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
@@ -36,28 +52,95 @@
String cidPerfsonarResource, String
cidPerfsonarClient)
throws PerfSONARException {
if (!(message instanceof SOAPBodyElement)) {
- throw new
PerfSONARException("error.as.body","WSSAuthNData: the method
addX509STInMessage requires a SOAPBodyElement object");
+ throw new
PerfSONARException("error.as.body","WSSAuthNSAMLData: the method
addSAMLSTInMessage requires a SOAPBodyElement object");
}
+ // add the security provider
+ BouncyCastleProvider bcp = new BouncyCastleProvider();
+ java.security.Security.addProvider((Provider)bcp);
+
+ // add the private and public keys
+ Crypto crypto = null;
+ try {
+ crypto = new DynamicCrypto();
+ } catch (CredentialException e) {
+ throw new
PerfSONARException("error.as.crypto","WSSAuthNSAMLData: "+e.getMessage());
+ }
+ KeyStore ks=crypto.getKeyStore();
+ try {
+ Certificate[] certs=new Certificate[certchain.size()];
+ certs=(Certificate[])certchain.toArray(certs);
+ ks.setKeyEntry("xmlsec", (Key)key, "security".toCharArray(),
certs);
+ } catch (KeyStoreException e) {
+ throw new PerfSONARException("error.as.crypto","WSSAuthNData:
"+e.getMessage());
+ }
+
SOAPBodyElement body=(SOAPBodyElement)message;
SOAPEnvelope envelope = new SOAPEnvelope();
envelope.addBodyElement(body);
try {
+ SAMLAssertion sa=getAssertionAsSecurityToken(authAssertion,
key, certchain, cidPerfsonarResource, cidPerfsonarClient);
+
Document doc = envelope.getAsDocument();
+
WSSecHeader secHeader = new WSSecHeader();
secHeader.setActor("we");
secHeader.insertSecurityHeader(doc);
+ WSSecSignature sec509 = new WSSecSignature();
+ sec509.setUserInfo("xmlsec", "security");
+ SOAPConstants soapConstants =
WSSecurityUtil.getSOAPConstants(envelope.getAsDOM());
+ Vector<WSEncryptionPart> parts = new
Vector<WSEncryptionPart>(1,1);
+
+ // Set up to use STRTransorm to sign the signature token
+ WSEncryptionPart encP =
+ new WSEncryptionPart(
+ "STRTransform",
+ soapConstants.getEnvelopeURI(),
+ "Content");
+ parts.add(encP);
+
+ // Adding timestamp information
WSSecTimestamp timestamp = new WSSecTimestamp();
timestamp.prepare(doc);
+ WSSecurityUtil.prependChildElement(doc, secHeader
+ .getSecurityHeader(), timestamp.getElement(), false);
+ parts.add(new WSEncryptionPart(timestamp.getId()));
+
+ // Adding the SAML assertion as a binary token
+ BinarySecurity bs=new BinarySecurity(doc);
+ bs.setID("SAML");
+ bs.getElement().setAttributeNS(null, "ValueType",
"#SAMLBase64Binary");
+
((Text)bs.getElement().getFirstChild()).setData(Base64.encode(sa.toString().getBytes()));
+ WSSecurityUtil.prependChildElement(doc, secHeader
+ .getSecurityHeader(), bs.getElement(), false);
+ parts.add(new WSEncryptionPart(bs.getID()));
+
+ // Setting parts
+ sec509.setParts(parts);
+ sec509.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+
+ // Signing the message
+ Document signedDoc = sec509.build(doc, crypto, secHeader);
+ Message signedMsg = (Message) SOAPUtil.toSOAPMessage(signedDoc);
+ envelope = signedMsg.getSOAPEnvelope();
+
+/* Document doc = envelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.setActor("we");
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.prepare(doc);
// sigParts.add(new WSEncryptionPart(timestamp.getId()));
WSSecSAMLToken samlToken = new WSSecSAMLToken();
- Document signedDoc = samlToken.build(doc,
getAssertionAsSecurityToken(authAssertion, key, certchain,
cidPerfsonarResource, cidPerfsonarClient), secHeader);
+ Document signedDoc = samlToken.build(doc, , secHeader);
Message signedMsg = (Message) SOAPUtil.toSOAPMessage(signedDoc);
- envelope = signedMsg.getSOAPEnvelope();
+ envelope = signedMsg.getSOAPEnvelope(); */
} catch (Exception e) {
- throw new
PerfSONARException("error.as.signing","WSSAuthNData: "+e.getMessage());
+ e.printStackTrace();
+ throw new
PerfSONARException("error.as.signing","WSSAuthNSAMLData: "+e.getMessage());
}
return envelope;
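Review bot: `e.printStackTrace()` in the new catch block dumps the full trace to stderr on every signing failure and bypasses the project's logger; drop that line and keep only the wrapped PerfSONARException, ideally with `e` attached as the cause so the detail is not lost. `sa.toString().getBytes()` encodes the assertion with the platform default charset, so the bytes the service later Base64-decodes depend on the client JVM's locale; use `sa.toString().getBytes("UTF-8")` so both ends agree on the encoding of the token. `java.security.Security.addProvider((Provider)bcp)` runs on every call and belongs in a one-time static initializer, and the large `/* Document doc = ... */` block holding the old WSSecSAMLToken path is dead code that should be deleted rather than kept commented. The fixed `"xmlsec"`/`"security"` alias and password pair mirrors WSSAuthNX509Data; that is only acceptable if the DynamicCrypto keystore is an in-memory carrier for the caller's key and never persisted, which is worth stating in a comment at `ks.setKeyEntry(...)`. The enclosing method starts before this hunk.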
Modified:
trunk/perfsonar_base/src/main/java/org/perfsonar/client/base/authn/WSSAuthNX509Data.java
===================================================================
---
trunk/perfsonar_base/src/main/java/org/perfsonar/client/base/authn/WSSAuthNX509Data.java
2008-01-14 13:32:59 UTC (rev 3221)
+++
trunk/perfsonar_base/src/main/java/org/perfsonar/client/base/authn/WSSAuthNX509Data.java
2008-01-14 13:34:40 UTC (rev 3222)
@@ -25,6 +25,7 @@
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
@@ -85,6 +86,11 @@
}
try {
+ Document doc = envelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.setActor("ac");
+ secHeader.insertSecurityHeader(doc);
+
// Adding the certificate using WSS
WSSecSignature sec509 = new WSSecSignature();
sec509.setUserInfo("xmlsec", "security");
@@ -99,14 +105,16 @@
"Content");
parts.add(encP);
+ // Adding timestamp information
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.prepare(doc);
+ WSSecurityUtil.prependChildElement(doc, secHeader
+ .getSecurityHeader(), timestamp.getElement(), false);
+ parts.add(new WSEncryptionPart(timestamp.getId()));
+
sec509.setParts(parts);
sec509.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
- Document doc = envelope.getAsDocument();
- WSSecHeader secHeader = new WSSecHeader();
- secHeader.setActor("ac");
- secHeader.insertSecurityHeader(doc);
-
// Signing the message
Document signedDoc = sec509.build(doc, crypto, secHeader);
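Review bot: The timestamp is prepared with the WSS4J default time-to-live and no explicit value, so the validity window that the signature now commits to is implicit and may drift between WSS4J versions; set it explicitly with a named constant, e.g. `timestamp.setTimeToLive(TIMESTAMP_TTL_SECONDS);` before `timestamp.prepare(doc);`, and keep it aligned with whatever window the service side accepts. Signing the timestamp only defeats replay if the verifier also enforces its Expires value, and I cannot see that check anywhere in this commit, so it should be confirmed or added on the service side. The same implicit TTL applies to the timestamp added in WSSAuthNSAMLData. The enclosing method starts and ends outside this hunk.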
Modified:
trunk/perfsonar_base/src/main/java/org/perfsonar/service/base/authn/tokens/SecTokenSOAPManager.java
===================================================================
---
trunk/perfsonar_base/src/main/java/org/perfsonar/service/base/authn/tokens/SecTokenSOAPManager.java
2008-01-14 13:32:59 UTC (rev 3221)
+++
trunk/perfsonar_base/src/main/java/org/perfsonar/service/base/authn/tokens/SecTokenSOAPManager.java
2008-01-14 13:34:40 UTC (rev 3222)
@@ -76,7 +76,7 @@
return null;
Object res=null;
SOAPHeader sh=(SOAPHeader)getSTFromRequest();
- Iterator it=sh.examineAllHeaderElements();
+/* Iterator it=sh.examineAllHeaderElements();
while (it.hasNext()) {
SOAPHeaderElement he=(SOAPHeaderElement)it.next();
Node assertion=he.getFirstChild();
@@ -93,7 +93,7 @@
}
}
}
- if (res==null) {
+ if (res==null) { */
try {
Document doc=sh.getAsDocument();
Crypto crypto = new DynamicCrypto();
@@ -115,13 +115,19 @@
X509Certificate
cert=crypto.loadCertificate(bais);
res=cert;
}
+ else if
(e.getAttribute("ValueType").equals("#SAMLBase64Binary")) {
+ byte[]
bytes=Base64.decode(e.getTextContent());
+ ByteArrayInputStream bais=new
ByteArrayInputStream(bytes);
+ SAMLAssertion as=new
SAMLAssertion(bais);
+ res=as;
+ }
}
} catch (Throwable t) {
String m = "SecTokenSOAPManager:
"+t.getMessage();
logger.info(m);
throw new
PerfSONARException("error.authn.getting_sec_token",m);
}
- }
+// }
return res;
}
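Review bot: The new `#SAMLBase64Binary` branch decodes and parses any matching BinarySecurity token into a SAMLAssertion, but nothing in this hunk ties that element to the message signature or to the timestamp the clients now sign, so as far as this method is concerned the returned assertion is unauthenticated; if the signature and timestamp are verified elsewhere, add a comment here naming where, otherwise the token must be checked against the signed parts before it is returned. `new SAMLAssertion(bais)` parses untrusted XML from the request, so the parser behind it should have DTD and external-entity resolution disabled. The `/* Iterator it=...`, `if (res==null) { */` and `// }` remnants of the old header loop in the earlier hunks of this file should be removed rather than left commented, since they make the brace structure hard to read. The enclosing method starts before this hunk.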