You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2013/12/04 18:44:04 UTC
svn commit: r1547853 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/
services/sts/systests/advanced/
services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/
services/sts/systests/advanced/src/test...
Author: coheigea
Date: Wed Dec 4 17:44:04 2013
New Revision: 1547853
URL: http://svn.apache.org/r1547853
Log:
More advanced STS systests
Added:
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
cxf/trunk/services/sts/systests/advanced/pom.xml
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java Wed Dec 4 17:44:04 2013
@@ -20,42 +20,52 @@ package org.apache.cxf.ws.security.trust
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-
import org.apache.commons.codec.binary.Base64;
-
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-
+import org.apache.wss4j.binding.wss10.AttributedString;
import org.apache.wss4j.binding.wss10.BinarySecurityTokenType;
+import org.apache.wss4j.binding.wss10.EncodedString;
+import org.apache.wss4j.binding.wss10.PasswordString;
+import org.apache.wss4j.binding.wss10.UsernameTokenType;
+import org.apache.wss4j.binding.wsu10.AttributedDateTime;
import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.message.token.BinarySecurity;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.message.token.PKIPathSecurity;
+import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.message.token.X509Security;
import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.impl.securityToken.KerberosServiceSecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
+import org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.X509PKIPathv1SecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.X509V3SecurityTokenImpl;
import org.apache.wss4j.stax.securityToken.SamlSecurityToken;
+import org.apache.wss4j.stax.securityToken.UsernameSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.validate.BinarySecurityTokenValidator;
import org.apache.wss4j.stax.validate.BinarySecurityTokenValidatorImpl;
import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
import org.apache.wss4j.stax.validate.TokenContext;
-
+import org.apache.wss4j.stax.validate.UsernameTokenValidator;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.XMLSecurityUtils;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
/**
* A Streaming SAML Token Validator implementation to validate a received Token to a
* SecurityTokenService (STS).
+ *
+ * TODO Refactor this class a bit better...
*/
public class STSStaxTokenValidator
- extends SamlTokenValidatorImpl implements BinarySecurityTokenValidator {
+ extends SamlTokenValidatorImpl implements BinarySecurityTokenValidator, UsernameTokenValidator {
private boolean alwaysValidateToSts;
@@ -142,6 +152,228 @@ public class STSStaxTokenValidator
return validator.validate(binarySecurityTokenType, tokenContext);
}
+ @SuppressWarnings("unchecked")
+ @Override
+ public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(UsernameTokenType usernameTokenType,
+ TokenContext tokenContext)
+ throws WSSecurityException {
+ // If the UsernameToken is to be used for key derivation, the (1.1)
+ // spec says that it cannot contain a password, and it must contain
+ // an Iteration element
+ final byte[] salt = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse11_Salt);
+ PasswordString passwordType =
+ XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse_Password);
+ final Long iteration =
+ XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse11_Iteration);
+ if (salt != null && (passwordType != null || iteration == null)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
+ }
+
+ boolean handleCustomPasswordTypes =
+ tokenContext.getWssSecurityProperties().getHandleCustomPasswordTypes();
+ boolean allowUsernameTokenNoPassword =
+ tokenContext.getWssSecurityProperties().isAllowUsernameTokenNoPassword()
+ || Boolean.parseBoolean((String)tokenContext.getWsSecurityContext().get(
+ WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD));
+
+ // Check received password type against required type
+ WSSConstants.UsernameTokenPasswordType requiredPasswordType =
+ tokenContext.getWssSecurityProperties().getUsernameTokenPasswordType();
+ if (requiredPasswordType != null) {
+ if (passwordType == null || passwordType.getType() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+ WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType =
+ WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordType.getType());
+ if (requiredPasswordType != usernameTokenPasswordType) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+ }
+
+ WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType =
+ WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
+ if (passwordType != null && passwordType.getType() != null) {
+ usernameTokenPasswordType =
+ WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(
+ passwordType.getType());
+ }
+
+ final AttributedString username = usernameTokenType.getUsername();
+ if (username == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
+ "badTokenType01");
+ }
+
+ final EncodedString encodedNonce =
+ XMLSecurityUtils.getQNameType(usernameTokenType.getAny(),
+ WSSConstants.TAG_wsse_Nonce);
+ byte[] nonceVal = null;
+ if (encodedNonce != null && encodedNonce.getValue() != null) {
+ nonceVal = Base64.decodeBase64(encodedNonce.getValue());
+ }
+
+ final AttributedDateTime attributedDateTimeCreated =
+ XMLSecurityUtils.getQNameType(usernameTokenType.getAny(),
+ WSSConstants.TAG_wsu_Created);
+
+ String created = null;
+ if (attributedDateTimeCreated != null) {
+ created = attributedDateTimeCreated.getValue();
+ }
+
+ // Validate to STS if required
+ boolean valid = false;
+ final SoapMessage message =
+ (SoapMessage)tokenContext.getWssSecurityProperties().getMsgContext();
+ if (alwaysValidateToSts) {
+ Element tokenElement =
+ convertToDOM(username.getValue(), passwordType.getValue(),
+ passwordType.getType(), usernameTokenType.getId());
+ validateTokenToSTS(tokenElement, message);
+ valid = true;
+ }
+
+ if (!valid) {
+ try {
+ if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
+ if (encodedNonce == null || attributedDateTimeCreated == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
+ "badTokenType01");
+ }
+
+ if (!WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING.equals(encodedNonce.getEncodingType())) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN,
+ "badTokenType01");
+ }
+
+ verifyDigestPassword(username.getValue(), passwordType, nonceVal, created, tokenContext);
+ } else if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT
+ || passwordType != null && passwordType.getValue() != null
+ && usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
+
+ verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
+ } else if (passwordType != null && passwordType.getValue() != null) {
+ if (!handleCustomPasswordTypes) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+ verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
+ } else {
+ if (!allowUsernameTokenNoPassword) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+ }
+ } catch (WSSecurityException ex) {
+ Element tokenElement =
+ convertToDOM(username.getValue(), passwordType.getValue(),
+ passwordType.getType(), usernameTokenType.getId());
+ validateTokenToSTS(tokenElement, message);
+ }
+ }
+
+ final String password;
+ if (passwordType != null) {
+ password = passwordType.getValue();
+ } else if (salt != null) {
+ WSPasswordCallback pwCb = new WSPasswordCallback(username.getValue(),
+ WSPasswordCallback.USERNAME_TOKEN);
+ try {
+ WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
+ } catch (WSSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
+ }
+ password = pwCb.getPassword();
+ } else {
+ password = null;
+ }
+
+ UsernameSecurityTokenImpl usernameSecurityToken = new UsernameSecurityTokenImpl(
+ usernameTokenPasswordType, username.getValue(), password, created,
+ nonceVal, salt, iteration,
+ tokenContext.getWsSecurityContext(), usernameTokenType.getId(),
+ WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
+ usernameSecurityToken.setElementPath(tokenContext.getElementPath());
+ usernameSecurityToken.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
+
+ return (T)usernameSecurityToken;
+ }
+
+ /**
+ * Verify a UsernameToken containing a password digest.
+ */
+ private void verifyDigestPassword(
+ String username,
+ PasswordString passwordType,
+ byte[] nonceVal,
+ String created,
+ TokenContext tokenContext
+ ) throws WSSecurityException {
+ WSPasswordCallback pwCb = new WSPasswordCallback(username,
+ null,
+ passwordType.getType(),
+ WSPasswordCallback.USERNAME_TOKEN);
+ try {
+ WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
+ } catch (WSSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
+ }
+
+ if (pwCb.getPassword() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+
+ String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword());
+ if (!passwordType.getValue().equals(passDigest)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+ passwordType.setValue(pwCb.getPassword());
+ }
+
+ /**
+ * Verify a UsernameToken containing a plaintext password.
+ */
+ private void verifyPlaintextPassword(
+ String username,
+ PasswordString passwordType,
+ TokenContext tokenContext
+ ) throws WSSecurityException {
+ WSPasswordCallback pwCb = new WSPasswordCallback(username,
+ null,
+ passwordType.getType(),
+ WSPasswordCallback.USERNAME_TOKEN);
+ try {
+ WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
+ } catch (WSSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
+ }
+
+ if (pwCb.getPassword() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+
+ if (!passwordType.getValue().equals(pwCb.getPassword())) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+ passwordType.setValue(pwCb.getPassword());
+ }
+
+ // Convert to DOM to send the token to the STS - it does not copy Nonce/Created/Iteration
+ // values
+ private Element convertToDOM(
+ String username, String password, String passwordType, String id
+ ) {
+ Document doc = DOMUtils.newDocument();
+
+ UsernameToken usernameToken = new UsernameToken(true, doc, passwordType);
+ usernameToken.setName(username);
+ usernameToken.setPassword(password);
+ usernameToken.setID(id);
+
+ usernameToken.addWSSENamespace();
+ usernameToken.addWSUNamespace();
+
+ return usernameToken.getElement();
+ }
+
private static void validateTokenToSTS(Element tokenElement, SoapMessage message)
throws WSSecurityException {
SecurityToken token = new SecurityToken();
@@ -322,4 +554,6 @@ public class STSStaxTokenValidator
return binarySecurity.getElement();
}
}
+
+
}
Modified: cxf/trunk/services/sts/systests/advanced/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/pom.xml?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/pom.xml (original)
+++ cxf/trunk/services/sts/systests/advanced/pom.xml Wed Dec 4 17:44:04 2013
@@ -79,6 +79,17 @@
<scope>test</scope>
</dependency>
<dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-kerberos-shared</artifactId>
+ <version>1.5.7</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-databinding-jaxb</artifactId>
<version>${project.version}</version>
Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java Wed Dec 4 17:44:04 2013
@@ -20,8 +20,9 @@ package org.apache.cxf.systest.sts.commo
import java.util.List;
-import org.w3c.dom.Element;
+import javax.xml.ws.BindingProvider;
+import org.w3c.dom.Element;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
@@ -72,4 +73,25 @@ public final class TokenTestUtils {
}
}
+ public static void updateSTSPort(BindingProvider p, String port) {
+ STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+ if (stsClient != null) {
+ String location = stsClient.getWsdlLocation();
+ if (location != null && location.contains("8080")) {
+ stsClient.setWsdlLocation(location.replace("8080", port));
+ } else if (location != null && location.contains("8443")) {
+ stsClient.setWsdlLocation(location.replace("8443", port));
+ }
+ }
+ stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT + ".sct");
+ if (stsClient != null) {
+ String location = stsClient.getWsdlLocation();
+ if (location.contains("8080")) {
+ stsClient.setWsdlLocation(location.replace("8080", port));
+ } else if (location.contains("8443")) {
+ stsClient.setWsdlLocation(location.replace("8443", port));
+ }
+ }
+ }
+
}
Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java Wed Dec 4 17:44:04 2013
@@ -19,18 +19,25 @@
package org.apache.cxf.systest.sts.kerberos;
import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.systest.sts.common.SecurityTestUtil;
+import org.apache.cxf.systest.sts.common.TestParam;
+import org.apache.cxf.systest.sts.common.TokenTestUtils;
import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.systest.sts.deployment.StaxSTSServer;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
import org.example.contract.doubleit.DoubleItPortType;
import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized.Parameters;
/**
* In this test, a CXF client requests a SAML2 HOK Assertion from the STS, which has a policy of requiring
@@ -42,15 +49,23 @@ import org.junit.BeforeClass;
* user principal "alice" (keytab in "/etc/alice.keytab"), and host service "bob@service.ws.apache.org"
* (keytab in "/etc/bob.keytab").
*/
+@RunWith(value = org.junit.runners.Parameterized.class)
public class KerberosTokenTest extends AbstractBusClientServerTestBase {
static final String STSPORT = allocatePort(STSServer.class);
+ static final String STAX_STSPORT = allocatePort(StaxSTSServer.class);
private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
private static final String PORT = allocatePort(Server.class);
+ final TestParam test;
+
+ public KerberosTokenTest(TestParam type) {
+ this.test = type;
+ }
+
@BeforeClass
public static void startServers() throws Exception {
assertTrue(
@@ -65,6 +80,22 @@ public class KerberosTokenTest extends A
// set this to false to fork
launchServer(STSServer.class, true)
);
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(StaxSTSServer.class, true)
+ );
+ }
+
+ @Parameters(name = "{0}")
+ public static Collection<TestParam[]> data() {
+
+ return Arrays.asList(new TestParam[][] {{new TestParam(PORT, false, STSPORT)},
+ {new TestParam(PORT, true, STSPORT)},
+ {new TestParam(PORT, false, STAX_STSPORT)},
+ {new TestParam(PORT, true, STAX_STSPORT)},
+ });
}
@org.junit.AfterClass
@@ -89,7 +120,9 @@ public class KerberosTokenTest extends A
QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
DoubleItPortType transportSaml2Port =
service.getPort(portQName, DoubleItPortType.class);
- updateAddressPort(transportSaml2Port, PORT);
+ updateAddressPort(transportSaml2Port, test.getPort());
+
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, test.getStsPort());
doubleIt(transportSaml2Port, 25);
Added: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java?rev=1547853&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java Wed Dec 4 17:44:04 2013
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.usernametoken;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class StaxServer extends AbstractBusTestServerBase {
+
+ public StaxServer() {
+
+ }
+
+ protected void run() {
+ URL busFile = StaxServer.class.getResource("stax-cxf-service.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+
+ try {
+ new StaxServer();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java Wed Dec 4 17:44:04 2013
@@ -19,6 +19,8 @@
package org.apache.cxf.systest.sts.usernametoken;
import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;
@@ -26,24 +28,36 @@ import javax.xml.ws.Service;
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.systest.sts.common.SecurityTestUtil;
+import org.apache.cxf.systest.sts.common.TestParam;
import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.systest.sts.deployment.StaxSTSServer;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
import org.example.contract.doubleit.DoubleItPortType;
import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized.Parameters;
/**
* In this test case, a CXF client sends a Username Token via (1-way) TLS to a CXF provider.
* The provider dispatches the Username Token to an STS for validation (via TLS).
*/
+@RunWith(value = org.junit.runners.Parameterized.class)
public class UsernameTokenTest extends AbstractBusClientServerTestBase {
static final String STSPORT = allocatePort(STSServer.class);
+ static final String STAX_STSPORT = allocatePort(StaxSTSServer.class);
private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
private static final String PORT = allocatePort(Server.class);
+ private static final String STAX_PORT = allocatePort(StaxServer.class);
+
+ final TestParam test;
+
+ public UsernameTokenTest(TestParam type) {
+ this.test = type;
+ }
@BeforeClass
public static void startServers() throws Exception {
@@ -57,8 +71,30 @@ public class UsernameTokenTest extends A
"Server failed to launch",
// run the server in the same process
// set this to false to fork
+ launchServer(StaxServer.class, true)
+ );
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
launchServer(STSServer.class, true)
);
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(StaxSTSServer.class, true)
+ );
+ }
+
+ @Parameters(name = "{0}")
+ public static Collection<TestParam[]> data() {
+
+ return Arrays.asList(new TestParam[][] {{new TestParam(PORT, false, "")},
+ {new TestParam(PORT, true, "")},
+ {new TestParam(STAX_PORT, false, "")},
+ {new TestParam(STAX_PORT, true, "")},
+ });
}
@org.junit.AfterClass
@@ -82,8 +118,12 @@ public class UsernameTokenTest extends A
QName portQName = new QName(NAMESPACE, "DoubleItTransportUTPort");
DoubleItPortType transportUTPort =
service.getPort(portQName, DoubleItPortType.class);
- updateAddressPort(transportUTPort, PORT);
-
+ updateAddressPort(transportUTPort, test.getPort());
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(transportUTPort);
+ }
+
doubleIt(transportUTPort, 25);
((java.io.Closeable)transportUTPort).close();
@@ -105,15 +145,22 @@ public class UsernameTokenTest extends A
QName portQName = new QName(NAMESPACE, "DoubleItTransportUTPort");
DoubleItPortType transportUTPort =
service.getPort(portQName, DoubleItPortType.class);
- updateAddressPort(transportUTPort, PORT);
+ updateAddressPort(transportUTPort, test.getPort());
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(transportUTPort);
+ }
try {
doubleIt(transportUTPort, 30);
fail("Expected failure on a bad password");
} catch (javax.xml.ws.soap.SOAPFaultException fault) {
- String message = fault.getMessage();
- assertTrue(message.contains("STS Authentication failed")
- || message.contains("Validation of security token failed"));
+ if (test.isStreaming()) {
+ String message = fault.getMessage();
+ assertTrue(message.contains("STS Authentication failed")
+ || message.contains("Validation of security token failed")
+ || message.contains("PolicyViolationException"));
+ }
}
((java.io.Closeable)transportUTPort).close();
Modified: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl Wed Dec 4 17:44:04 2013
@@ -78,8 +78,7 @@
<sp:RequireInternalReference/>
</wsp:Policy>
<sp:Issuer>
- <wsaw:Address>http://localhost:8080/STS/STSUT
- </wsaw:Address>
+ <wsaw:Address>http://localhost:8080/STS/STSUT</wsaw:Address>
<wsaw:Metadata>
<wsx:Metadata>
<wsx:MetadataSection>
Added: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml?rev=1547853&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml Wed Dec 4 17:44:04 2013
@@ -0,0 +1,79 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation=" http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportut" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportUTPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.StaxServer}/doubleit/services/doubleittransportut" wsdlLocation="org/apache/cxf/systest/sts/usernametoken/DoubleIt.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.ut.validator">
+ <bean class="org.apache.cxf.ws.security.trust.STSStaxTokenValidator"/>
+ </entry>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ <entry key="ws-security.sts.client">
+ <bean class="org.apache.cxf.ws.security.trust.STSClient">
+ <constructor-arg ref="cxf"/>
+ <property name="wsdlLocation" value="https://localhost:${testutil.ports.StaxSTSServer}/SecurityTokenService/Transport?wsdl"/>
+ <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+ <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
+ <property name="properties">
+ <map>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </map>
+ </property>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
+ <httpj:engine port="${testutil.ports.StaxServer}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:keyManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="false" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+ <http:conduit name="https://localhost:.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:trustManagers>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:keyManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>