Posted to commits@cxf.apache.org by se...@apache.org on 2011/10/04 14:57:34 UTC
svn commit: r1178771 - in /cxf/trunk:
rt/core/src/main/java/org/apache/cxf/interceptor/security/
rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/
rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/
rt/rs/security/xml/src/mai...
Author: sergeyb
Date: Tue Oct 4 12:57:34 2011
New Revision: 1178771
URL: http://svn.apache.org/viewvc?rev=1178771&view=rev
Log:
[CXF-3844] Adding jaxrs saml authorization test
Added:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java (with props)
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java (with props)
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java (with props)
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java (with props)
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java (with props)
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java (with props)
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml (with props)
Modified:
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java (original)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java Tue Oct 4 12:57:34 2011
@@ -90,7 +90,7 @@ public abstract class AbstractAuthorizin
return false;
}
- private boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
+ protected boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
if (roles.size() == 1 && ALL_ROLES.equals(roles.get(0))) {
return !deny;
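Review bot: Widening isUserInRole to protected makes its return convention part of the extension contract, but the method carries no Javadoc; the only visible hint is the `return !deny;` on the wildcard branch, which suggests the result means "authorized" rather than "user holds a role". Add a Javadoc along the lines of `/** @return true when the request is authorized by these roles: with deny == false the user must hold one of them, with deny == true the user must hold none of them (confirm against the loop below) */` so subclasses overriding it in this commit do not invert it. The method's body continues past the end of the hunk.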
@@ -120,4 +120,5 @@ public abstract class AbstractAuthorizin
protected List<String> getDenyRoles(Method method) {
return Collections.emptyList();
}
+
}
Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java (original)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java Tue Oct 4 12:57:34 2011
@@ -25,12 +25,36 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.cxf.security.SecurityContext;
+
public class SimpleAuthorizingInterceptor extends AbstractAuthorizingInInterceptor {
- private Map<String, List<String>> methodRolesMap = Collections.emptyMap();
+ private Map<String, List<String>> methodRolesMap = new HashMap<String, List<String>>();
+ private Map<String, List<String>> userRolesMap = Collections.emptyMap();
private List<String> globalRoles = Collections.emptyList();
+ @Override
+ protected boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
+ if (!super.isUserInRole(sc, roles, deny)) {
+ return false;
+ }
+ // Additional check.
+ if (!userRolesMap.isEmpty()) {
+ List<String> userRoles = userRolesMap.get(sc.getUserPrincipal().getName());
+ if (userRoles == null) {
+ return false;
+ }
+ for (String role : roles) {
+ if (userRoles.contains(role)) {
+ return true;
+ }
+ }
+ return false;
+ } else {
+ return true;
+ }
+ }
@Override
protected List<String> getExpectedRoles(Method method) {
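Review bot: The new isUserInRole override ignores the `deny` flag in its additional check, so when the base class passes a deny-roles check (meaning the user holds none of the denied roles, going by the `return !deny;` convention visible in the base class hunk) this override then returns true only if the configured user roles contain a denied role and false otherwise — the opposite of what a deny list means — and an unknown user is rejected even though nothing denies them. `sc.getUserPrincipal()` is also dereferenced without a null check, which turns an unauthenticated request into a NullPointerException rather than a clean denial. The rewrite below keeps the base class's "result means authorized" convention and needs `java.security.Principal` imported; if the `*` wildcard accepted by the base class is meant to bypass the user map as well, add an early `return true` for it after the super call.

```java
@Override
protected boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
    if (!super.isUserInRole(sc, roles, deny)) {
        return false;
    }
    if (userRolesMap.isEmpty()) {
        return true;
    }
    // Additional check against the statically configured user->roles map.
    // The result means "authorized": a match on a deny list must yield false,
    // and an unknown user is only rejected when roles are expected, not denied.
    Principal principal = sc.getUserPrincipal();
    List<String> userRoles = principal == null ? null : userRolesMap.get(principal.getName());
    if (userRoles == null) {
        return deny;
    }
    for (String role : roles) {
        if (userRoles.contains(role)) {
            return !deny;
        }
    }
    return deny;
}
```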
@@ -42,20 +66,23 @@ public class SimpleAuthorizingIntercepto
}
-
public void setMethodRolesMap(Map<String, String> rolesMap) {
- methodRolesMap = new HashMap<String, List<String>>();
- for (Map.Entry<String, String> entry : rolesMap.entrySet()) {
- methodRolesMap.put(entry.getKey(), Arrays.asList(entry.getValue().split(" ")));
- }
+ methodRolesMap.putAll(parseRolesMap(rolesMap));
+ }
+
+ public void setUserRolesMap(Map<String, String> rolesMap) {
+ userRolesMap = parseRolesMap(rolesMap);
}
public void setGlobalRoles(String roles) {
globalRoles = Arrays.asList(roles.split(" "));
}
-
-
-
-
+ private static Map<String, List<String>> parseRolesMap(Map<String, String> rolesMap) {
+ Map<String, List<String>> map = new HashMap<String, List<String>>();
+ for (Map.Entry<String, String> entry : rolesMap.entrySet()) {
+ map.put(entry.getKey(), Arrays.asList(entry.getValue().split(" ")));
+ }
+ return map;
+ }
}
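Review bot: setMethodRolesMap now merges into the existing map with `putAll` while setUserRolesMap replaces its map, so calling setMethodRolesMap twice keeps stale entries from the first call, which is a behaviour change from the previous replace semantics and an inconsistency between the two setters. If merging is not intended, `methodRolesMap = parseRolesMap(rolesMap);` restores the old behaviour; otherwise document the accumulation in Javadoc on the setter. In parseRolesMap, `split(" ")` yields empty-string roles for double spaces or leading/trailing whitespace in the configured value; `entry.getValue().trim().split("\\s+")` avoids granting or expecting an empty role name.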
Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java Tue Oct 4 12:57:34 2011
@@ -18,14 +18,10 @@
*/
package org.apache.cxf.jaxrs.security;
-import java.util.Map;
-
import javax.ws.rs.core.Response;
import org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor;
import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
-import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
@@ -43,23 +39,7 @@ public class SimpleAuthorizingFilter imp
}
}
- public void setMethodRolesMap(Map<String, String> rolesMap) {
- checkInterceptor();
- SimpleAuthorizingInterceptor simple = new SimpleAuthorizingInterceptor();
- simple.setMethodRolesMap(rolesMap);
- interceptor = simple;
- }
-
- public void setSecuredObject(Object securedObject) {
- checkInterceptor();
- SecureAnnotationsInterceptor simple = new SecureAnnotationsInterceptor();
- simple.setSecuredObject(securedObject);
- interceptor = simple;
- }
-
- private void checkInterceptor() {
- if (interceptor != null) {
- throw new IllegalStateException("Filter has already been initialized");
- }
+ public void setInterceptor(AbstractAuthorizingInInterceptor in) {
+ interceptor = in;
}
}
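Review bot: setInterceptor drops the "already initialized" guard that checkInterceptor provided and accepts null, so a misconfigured filter presumably only fails on the first request with a NullPointerException in handleRequest (above the hunk) rather than at wiring time. Keep the null rejection, `if (in == null) { throw new IllegalArgumentException("interceptor"); }`, and consider keeping the re-initialization check, which the new ClaimsAuthorizingFilter in this same commit still has. Removing the public setMethodRolesMap and setSecuredObject setters is also a source and configuration break for existing users (the beans.xml in this commit had to change); a deprecated delegating setter would soften the migration.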
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java Tue Oct 4 12:57:34 2011
@@ -144,7 +144,7 @@ public abstract class AbstractSamlInHand
protected void setSecurityContext(Message message, AssertionWrapper wrapper) {
if (scProvider != null) {
SecurityContext sc = scProvider.getSecurityContext(message, wrapper);
- message.setContent(SecurityContext.class, sc);
+ message.put(SecurityContext.class, sc);
}
}
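Review bot: When scProvider is null the handler silently leaves the message without a SecurityContext, and the new `put` stores whatever the provider returns, including null, without a check; nothing in the hunk says whether downstream authorization treats a missing context as unauthenticated. Make the intent explicit with a comment such as `// No provider configured: no SecurityContext is set; authorization downstream must fail closed`, or reject a null `sc` here rather than storing it.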
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java Tue Oct 4 12:57:34 2011
@@ -23,11 +23,20 @@ import java.util.List;
public class Claims {
private List<Claim> claims;
+ private String realm;
public Claims(List<Claim> claims) {
this.claims = claims;
}
+
+ public Claims(List<Claim> claims, String realm) {
+ this.claims = claims;
+ this.realm = realm;
+ }
+ public String getRealm() {
+ return realm;
+ }
public List<Claim> getClaims() {
return claims;
}
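Review bot: The new two-argument constructor duplicates the single-argument one instead of delegating, and `realm` stays null when the single-argument form is used, which getRealm does not document. Delegate with `this(claims, null);`, make both fields `private final`, and state in Javadoc on getRealm that null means no realm was supplied. getClaims also hands out the caller-supplied list directly, so a caller can mutate the claims after the context is built; wrapping with `Collections.unmodifiableList` in the constructor would close that.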
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java Tue Oct 4 12:57:34 2011
@@ -25,8 +25,6 @@ public class Subject {
private String spQualifier;
private String spId;
- private String alternateName;
-
public Subject() {
}
@@ -74,12 +72,4 @@ public class Subject {
public String getSpQualifier() {
return spQualifier;
}
-
- public void setAlternateName(String alternateName) {
- this.alternateName = alternateName;
- }
-
- public String getAlternateName() {
- return alternateName;
- }
}
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java Tue Oct 4 12:57:34 2011
@@ -28,5 +28,6 @@ import java.lang.annotation.Target;
@Target({ElementType.TYPE, ElementType.METHOD })
@Retention(RetentionPolicy.RUNTIME)
public @interface Claims {
+ String realm() default "";
Claim[] value();
}
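Review bot: The new `realm()` attribute has no Javadoc, so the meaning of the empty default is unspecified (no realm restriction, or only the default realm?). Add a doc comment such as `/** Realm the listed claims must belong to; empty means the realm is not checked — TODO confirm against the interceptor that consumes it */` so the annotation and its consumer cannot drift apart.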
Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java (added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java Tue Oct 4 12:57:34 2011
@@ -0,0 +1,63 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.ws.rs.core.Response;
+
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.jaxrs.ext.RequestHandler;
+import org.apache.cxf.jaxrs.model.ClassResourceInfo;
+import org.apache.cxf.message.Message;
+
+public class ClaimsAuthorizingFilter implements RequestHandler {
+
+ private ClaimsAuthorizingInterceptor interceptor;
+
+ public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
+ try {
+ interceptor.handleMessage(m);
+ return null;
+ } catch (AccessDeniedException ex) {
+ return Response.status(Response.Status.FORBIDDEN).build();
+ }
+ }
+
+ public void setClaims(Map<String, List<ClaimBean>> claimsMap) {
+ checkInterceptor();
+ ClaimsAuthorizingInterceptor simple = new ClaimsAuthorizingInterceptor();
+ simple.setClaims(claimsMap);
+ interceptor = simple;
+ }
+
+ public void setSecuredObject(Object securedObject) {
+ checkInterceptor();
+ ClaimsAuthorizingInterceptor simple = new ClaimsAuthorizingInterceptor();
+ simple.setSecuredObject(securedObject);
+ interceptor = simple;
+ }
+
+ private void checkInterceptor() {
+ if (interceptor != null) {
+ throw new IllegalStateException("Filter has already been initialized");
+ }
+ }
+}
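Review bot: handleRequest dereferences `interceptor` without a null check, so a filter registered without calling setClaims or setSecuredObject fails with a NullPointerException on the first request instead of a clear configuration error. Fail closed and explicitly: `if (interceptor == null) { throw new IllegalStateException("ClaimsAuthorizingFilter has no interceptor configured"); }` at the top of handleRequest. The two setters are mutually exclusive because of checkInterceptor, which should be stated in Javadoc on both; and since SimpleAuthorizingFilter in this same commit switched to an injected interceptor, this class could take the same shape instead of duplicating the construction logic.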
Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java Tue Oct 4 12:57:34 2011
@@ -33,7 +33,7 @@ public class SAMLSecurityContext impleme
private Claim rolesClaim;
public SAMLSecurityContext(Subject subject, List<Claim> claims) {
- this(new SubjectPrincipal(subject), new Claims(claims));
+ this(new SubjectPrincipal(subject.getName(), subject), new Claims(claims));
}
public SAMLSecurityContext(SubjectPrincipal p, Claims claims) {
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java Tue Oct 4 12:57:34 2011
@@ -28,21 +28,14 @@ import org.apache.ws.security.saml.ext.A
public class SecurityContextProviderImpl implements SecurityContextProvider {
- private static final String DEFAULT_NAME_ROLE_PROPERTY = "org.apache.cxf.saml.claims.role";
- private static final String DEFAULT_NAMEFORMAT_PROPERTY = "org.apache.cxf.saml.claims.format";
+ private static final String ROLE_QUALIFIER_PROPERTY = "org.apache.cxf.saml.claims.role.qualifier";
+ private static final String ROLE_NAMEFORMAT_PROPERTY = "org.apache.cxf.saml.claims.role.nameformat";
public SecurityContext getSecurityContext(Message message,
AssertionWrapper wrapper) {
Claims claims = getClaims(wrapper);
Subject subject = getSubject(message, wrapper, claims);
-
- String defaultName = (String)message.getContextualProperty(DEFAULT_NAME_ROLE_PROPERTY);
- String defaultNameFormat = (String)message.getContextualProperty(DEFAULT_NAMEFORMAT_PROPERTY);
- SecurityContext sc = new SAMLSecurityContext(new SubjectPrincipal(subject),
- claims,
- defaultName == null ? Claim.DEFAULT_ROLE_NAME : defaultName,
- defaultNameFormat == null ? Claim.DEFAULT_NAME_FORMAT : defaultNameFormat);
- return sc;
+ return doGetSecurityContext(message, subject, claims);
}
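Review bot: The contextual property keys read here are renamed from `org.apache.cxf.saml.claims.role` / `org.apache.cxf.saml.claims.format` to `org.apache.cxf.saml.claims.role.qualifier` / `org.apache.cxf.saml.claims.role.nameformat`, so a deployment still setting the old keys silently falls back to Claim.DEFAULT_ROLE_NAME and Claim.DEFAULT_NAME_FORMAT — for a setting that decides which attribute carries roles, a silent fallback is the risky direction. Either keep reading the old keys as deprecated aliases or call the rename out in the commit log and documentation; Javadoc on the two constants stating the accepted values would help either way.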
protected Claims getClaims(AssertionWrapper wrapper) {
@@ -50,15 +43,33 @@ public class SecurityContextProviderImpl
}
protected Subject getSubject(Message message, AssertionWrapper wrapper, Claims claims) {
- Subject subj = SAMLUtils.getSubject(message, wrapper);
- setSubjectPrincipalName(subj, claims);
- return subj;
+ return SAMLUtils.getSubject(message, wrapper);
}
- protected void setSubjectPrincipalName(Subject sub, Claims claims) {
- // parse/decipher subject name id, or check attributes like
- // givenName, email, firstName, etc
+ protected SecurityContext doGetSecurityContext(Message message, Subject subject, Claims claims) {
+ String defaultRoleName = (String)message.getContextualProperty(ROLE_QUALIFIER_PROPERTY);
+ String defaultNameFormat = (String)message.getContextualProperty(ROLE_NAMEFORMAT_PROPERTY);
+
+ String subjectPrincipalName = getSubjectPrincipalName(subject, claims);
+ SubjectPrincipal subjectPrincipal =
+ new SubjectPrincipal(subjectPrincipalName, subject);
- // this can be overridden, but consider also introducing dedicated handlers
+ SecurityContext sc = new SAMLSecurityContext(subjectPrincipal,
+ claims,
+ defaultRoleName == null ? Claim.DEFAULT_ROLE_NAME : defaultRoleName,
+ defaultNameFormat == null ? Claim.DEFAULT_NAME_FORMAT : defaultNameFormat);
+ return sc;
+ }
+
+ //TODO: This can be overridden, but consider also introducing dedicated handlers
+ protected String getSubjectPrincipalName(Subject subject, Claims claims) {
+ // parse/decipher subject name, or check claims such as
+ // givenName, email, firstName
+ // and use it to authenticate with the external system if needed
+
+ // Or if STS has been used to validate the SAML token on the server side then
+ // whatever name the subject has provided can probably be used as a principal name
+ // as IDP must've confirmed that this subject indeed got authenticated and such...
+ return subject.getName();
}
}
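Review bot: getSubjectPrincipalName is the hook that decides which name authorization keys on (SimpleAuthorizingInterceptor's userRolesMap is looked up by principal name in this commit), but its contract is given only in loose inline comments about parsing the name or checking claims. Turn those comments into Javadoc that states the contract: the returned name becomes the authorization principal, so overrides must derive it only from data in the validated assertion, and two distinct subjects must not map to the same name unless that is intended. The `//TODO` line above the method belongs inside that Javadoc as well. `subject.getName()` is also returned unchecked; if Subject allows a null name the principal gets a null name and the later map lookup fails.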
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java Tue Oct 4 12:57:34 2011
@@ -23,8 +23,8 @@ import org.apache.cxf.rs.security.saml.a
public class SubjectPrincipal extends SimplePrincipal {
private Subject subject;
- public SubjectPrincipal(Subject subject) {
- super(subject.getAlternateName() == null ? subject.getName() : subject.getAlternateName());
+ public SubjectPrincipal(String principalName, Subject subject) {
+ super(principalName);
this.subject = subject;
}
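Review bot: The new constructor passes principalName straight to super without a null check, and both call sites in this commit pass `subject.getName()` or a value derived from it, so a subject with no name presumably produces a principal whose getName() returns null. Reject that at construction time: `if (principalName == null) { throw new IllegalArgumentException("principalName"); }`.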
Modified: cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml (original)
+++ cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml Tue Oct 4 12:57:34 2011
@@ -75,7 +75,7 @@ http://cxf.apache.org/schemas/jaxrs.xsd"
</bean>
<bean id="authorizationFilter" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
- <property name="methodRolesMap" ref="rolesMap"/>
+ <property name="interceptor" ref="authorizationInterceptor"/>
</bean>
<util:map id="rolesMap">
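Review bot: The filter now references an `authorizationInterceptor` bean that is not defined in this hunk; if it is not added elsewhere in this file the context fails to start, and `rolesMap` below presumably must now be wired into that bean rather than into the filter. Confirm the definition exists, for example a SimpleAuthorizingInterceptor bean with `<property name="methodRolesMap" ref="rolesMap"/>`.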
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java Tue Oct 4 12:57:34 2011
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+import org.apache.cxf.rs.security.saml.assertion.Claims;
+import org.apache.cxf.rs.security.saml.assertion.Subject;
+import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
+
+public class CustomSecurityContextProvider extends SecurityContextProviderImpl {
+ @Override
+ protected String getSubjectPrincipalName(Subject subject, Claims claims) {
+ int index = subject.getName().indexOf("@");
+ return index == -1
+ ? super.getSubjectPrincipalName(subject, claims)
+ : subject.getName().substring(0, index);
+ }
+
+}
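Review bot: Stripping everything after the first `@` collapses distinct subjects — `bob@mycompany.com` and a `bob@` from any other domain become the same principal `bob`, which is exactly the name the server's user-to-roles map is keyed on. That is fine for a test fixture, but comment it so it is not copied into production code: `// Test-only: drops the domain part; a real provider must verify the domain or keep the full name`. `subject.getName()` is also dereferenced twice without a null check.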
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java Tue Oct 4 12:57:34 2011
@@ -0,0 +1,168 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+import java.net.URL;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.ws.rs.core.MediaType;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
+import org.apache.cxf.jaxrs.client.ServerWebApplicationException;
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.rs.security.saml.SamlEnvelopedOutInterceptor;
+import org.apache.cxf.systest.jaxrs.security.Book;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class JAXRSSamlAuthorizationTest extends AbstractBusClientServerTestBase {
+ public static final String PORT = BookServerSaml.PORT;
+
+ @BeforeClass
+ public static void startServers() throws Exception {
+ assertTrue("server did not launch correctly",
+ launchServer(SecureBookServerSaml.class, true));
+ }
+
+ @Test
+ public void testPostBookUserRole() throws Exception {
+ String address = "https://localhost:" + PORT + "/saml-roles/bookstore/books";
+ WebClient wc = createWebClient(address, null);
+ wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+ try {
+ wc.post(new Book("CXF", 125L), Book.class);
+ fail("403 is expected");
+ } catch (ServerWebApplicationException ex) {
+ assertEquals(403, ex.getStatus());
+ }
+ }
+
+ @Test
+ public void testPostBookAdminRole() throws Exception {
+ String address = "https://localhost:" + PORT + "/saml-roles/bookstore/books";
+ WebClient wc = createWebClient(address,
+ Collections.<String, Object>singletonMap("saml.roles",
+ Collections.singletonList("admin")));
+ wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+ Book book = wc.post(new Book("CXF", 125L), Book.class);
+ assertEquals(125L, book.getId());
+ }
+
+ @Test
+ public void testPostBookAdminRoleWithWrongSubjectNameFormat() throws Exception {
+ String address = "https://localhost:" + PORT + "/saml-roles2/bookstore/books";
+ WebClient wc = createWebClient(address,
+ Collections.<String, Object>singletonMap("saml.roles",
+ Collections.singletonList("admin")));
+ wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+ try {
+ wc.post(new Book("CXF", 125L), Book.class);
+ fail("403 is expected");
+ } catch (ServerWebApplicationException ex) {
+ assertEquals(403, ex.getStatus());
+ }
+ }
+
+ @Test
+ public void testPostBookAdminRoleWithGoodSubjectName() throws Exception {
+ String address = "https://localhost:" + PORT + "/saml-roles2/bookstore/books";
+
+ Map<String, Object> props = new HashMap<String, Object>();
+ props.put("saml.roles", Collections.singletonList("admin"));
+ props.put("saml.subject.name", "bob@mycompany.com");
+ WebClient wc = createWebClient(address, props);
+ wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+ Book book = wc.post(new Book("CXF", 125L), Book.class);
+ assertEquals(125L, book.getId());
+ }
+
+ @Test
+ public void testPostBookAdminWithWeakClaims() throws Exception {
+ String address = "https://localhost:" + PORT + "/saml-claims/bookstore/books";
+
+ Map<String, Object> props = new HashMap<String, Object>();
+ WebClient wc = createWebClient(address, props);
+ wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+ try {
+ wc.post(new Book("CXF", 125L), Book.class);
+ fail("403 is expected");
+ } catch (ServerWebApplicationException ex) {
+ assertEquals(403, ex.getStatus());
+ }
+ }
+
+ @Test
+ public void testPostBookAdminWithWeakClaims2() throws Exception {
+ String address = "https://localhost:" + PORT + "/saml-claims/bookstore/books";
+
+ Map<String, Object> props = new HashMap<String, Object>();
+ props.put("saml.roles", Collections.singletonList("admin"));
+ props.put("saml.auth", Collections.singletonList("password"));
+ WebClient wc = createWebClient(address, props);
+ wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+ try {
+ wc.post(new Book("CXF", 125L), Book.class);
+ fail("403 is expected");
+ } catch (ServerWebApplicationException ex) {
+ assertEquals(403, ex.getStatus());
+ }
+ }
+
+ @Test
+ public void testPostBookAdminWithClaims() throws Exception {
+ String address = "https://localhost:" + PORT + "/saml-claims/bookstore/books";
+
+ Map<String, Object> props = new HashMap<String, Object>();
+ props.put("saml.roles", Collections.singletonList("admin"));
+ props.put("saml.auth", Collections.singletonList("smartcard"));
+ WebClient wc = createWebClient(address, props);
+ wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+ Book book = wc.post(new Book("CXF", 125L), Book.class);
+ assertEquals(125L, book.getId());
+ }
+
+ private WebClient createWebClient(String address, Map<String, Object> extraProperties) {
+ JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+ bean.setAddress(address);
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = JAXRSSamlAuthorizationTest.class.getResource("client.xml");
+ Bus springBus = bf.createBus(busFile.toString());
+ bean.setBus(springBus);
+
+ Map<String, Object> properties = new HashMap<String, Object>();
+ properties.put("ws-security.saml-callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler");
+ if (extraProperties != null) {
+ properties.putAll(extraProperties);
+ }
+ bean.setProperties(properties);
+
+ bean.getOutInterceptors().add(new SamlEnvelopedOutInterceptor());
+
+ return bean.createWebClient();
+ }
+}
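Review bot: PORT is taken from BookServerSaml.PORT while startServers launches SecureBookServerSaml; if the two server classes publish different ports the client addresses point at the wrong server, so either reference `SecureBookServerSaml.PORT` or add a comment stating that the two share a port. In createWebClient, `busFile` from getResource is used without a null check, so a missing client.xml surfaces as a NullPointerException rather than a clear failure; `assertNotNull("client.xml not found", busFile);` makes that explicit. The 403 assertions in the negative tests cannot tell an authorization denial from any other 403 source, which is acceptable here but worth a comment.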
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java (original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java Tue Oct 4 12:57:34 2011
@@ -21,16 +21,20 @@ package org.apache.cxf.systest.jaxrs.sec
import java.io.IOException;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.Collections;
+import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
+import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.SecurityUtils;
+import org.apache.cxf.rs.security.saml.assertion.Claim;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.saml.ext.SAMLCallback;
@@ -67,6 +71,8 @@ public class SamlCallbackHandler impleme
}
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ Message m = PhaseInterceptorChain.getCurrentMessage();
+
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
SAMLCallback callback = (SAMLCallback) callbacks[i];
@@ -77,7 +83,10 @@ public class SamlCallbackHandler impleme
}
callback.setIssuer("https://idp.example.org/SAML2");
- String subjectName = "uid=sts-client,o=mock-sts.com";
+ String subjectName = (String)m.getContextualProperty("saml.subject.name");
+ if (subjectName == null) {
+ subjectName = "uid=sts-client,o=mock-sts.com";
+ }
String subjectQualifier = "www.mock-sts.com";
if (!saml2 && SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) {
confirmationMethod = SAML1Constants.CONF_SENDER_VOUCHES;
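Review bot: `m.getContextualProperty("saml.subject.name")` on the new subjectName line dereferences the `Message` obtained from `PhaseInterceptorChain.getCurrentMessage()` at the top of `handle`, which can be null when the handler is invoked outside an interceptor chain; the previous code only touched the message inside the holder-of-key branch, so this widens the set of callers that now fail with a NullPointerException. The same unconditional dereference recurs in the "saml.roles" and "saml.auth" lookups further down in the attribute-statement hunk. A minimal guard keeps the old fallback behaviour: `String subjectName = m == null ? null : (String) m.getContextualProperty("saml.subject.name");` with the matching null check for the two list lookups, or an explicit `IllegalStateException` right after `getCurrentMessage()` if running without a message is considered a programming error. The body of `handle` starts in an earlier hunk and continues past this one.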
@@ -88,7 +97,6 @@ public class SamlCallbackHandler impleme
);
if (SAML2Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
- Message m = PhaseInterceptorChain.getCurrentMessage();
try {
CryptoLoader loader = new CryptoLoader();
Crypto crypto = loader.getCrypto(m,
@@ -128,11 +136,30 @@ public class SamlCallbackHandler impleme
AttributeStatementBean attrBean = new AttributeStatementBean();
attrBean.setSubject(subjectBean);
- AttributeBean attributeBean = new AttributeBean();
- attributeBean.setSimpleName("subject-role");
- attributeBean.setQualifiedName("urn:oid:1.3.6.1.4.1.5923.1.1.1.1");
- attributeBean.setAttributeValues(Collections.singletonList("system-user"));
- attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
+ List<String> roles = CastUtils.cast((List)m.getContextualProperty("saml.roles"));
+ if (roles == null) {
+ roles = Collections.singletonList("user");
+ }
+ List<AttributeBean> claims = new ArrayList<AttributeBean>();
+ AttributeBean roleClaim = new AttributeBean();
+ roleClaim.setSimpleName("subject-role");
+ roleClaim.setQualifiedName(Claim.DEFAULT_ROLE_NAME);
+ roleClaim.setNameFormat(Claim.DEFAULT_NAME_FORMAT);
+ roleClaim.setAttributeValues(roles);
+ claims.add(roleClaim);
+
+ List<String> authMethods = CastUtils.cast((List)m.getContextualProperty("saml.auth"));
+ if (authMethods == null) {
+ authMethods = Collections.singletonList("password");
+ }
+
+ AttributeBean authClaim = new AttributeBean();
+ authClaim.setQualifiedName("http://claims/authentication");
+ authClaim.setNameFormat("http://claims/authentication-format");
+ authClaim.setAttributeValues(authMethods);
+ claims.add(authClaim);
+
+ attrBean.setSamlAttributes(claims);
callback.setAttributeStatementData(Collections.singletonList(attrBean));
}
}
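Review bot: The two `CastUtils.cast((List) m.getContextualProperty(...))` lines use a raw `List` cast, which both triggers an unchecked warning and throws a ClassCastException if a caller sets the property to something other than a list; `(List<?>)` is enough for `CastUtils.cast` and avoids the raw type, e.g. `List<String> roles = CastUtils.cast((List<?>) m.getContextualProperty("saml.roles"));`. The defaults `"user"` and `"password"` that are substituted when the properties are absent silently decide which roles and authentication methods the issued assertion carries, so a comment at the role-claim block saying `// test defaults: role "user", auth method "password" unless the client sets saml.roles / saml.auth` would help the next reader understand why an unconfigured client is denied by the "admin"-only resources. The enclosing `handle` method starts outside this hunk.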
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java Tue Oct 4 12:57:34 2011
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+import org.apache.cxf.testutil.common.TestUtil;
+
+public class SecureBookServerSaml extends AbstractBusTestServerBase {
+ public static final String PORT = TestUtil.getPortNumber("jaxrs-saml");
+ private static final String SERVER_CONFIG_FILE =
+ "org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml";
+
+ protected void run() {
+ SpringBusFactory bf = new SpringBusFactory();
+ Bus springBus = bf.createBus(SERVER_CONFIG_FILE);
+ BusFactory.setDefaultBus(springBus);
+ setBus(springBus);
+
+ try {
+ new SecureBookServerSaml();
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ public static void main(String[] args) {
+ try {
+ SecureBookServerSaml s = new SecureBookServerSaml();
+ s.start();
+ } catch (Exception ex) {
+ ex.printStackTrace();
+ System.exit(-1);
+ } finally {
+ System.out.println("done!");
+ }
+ }
+}
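Review bot: `run()` constructs a second `SecureBookServerSaml` and discards it inside a try/catch, but the class has only the implicit no-arg constructor, so the block does nothing and the `catch (Exception e)` can never fire; the endpoints are created by the Spring context loaded two lines earlier. Dropping the try block and adding `@Override` to `protected void run()` makes the intent clear, since `run` appears to implement a hook from `AbstractBusTestServerBase`. A one-line Javadoc naming `secureServer.xml` as the source of the TLS and JAX-RS endpoint configuration would also help, because nothing in this class shows where the servers come from.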
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java Tue Oct 4 12:57:34 2011
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+
+import javax.annotation.security.RolesAllowed;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+
+import org.apache.cxf.systest.jaxrs.security.Book;
+
+@Path("/bookstore")
+public class SecureBookStore {
+
+ public SecureBookStore() {
+ }
+
+ @POST
+ @Path("/books")
+ @Produces("application/xml")
+ @Consumes("application/xml")
+ @RolesAllowed({"admin" })
+ public Book addBook(Book book) {
+ return book;
+ }
+
+}
+
+
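Review bot: Nothing in `SecureBookStore` says how `@RolesAllowed({"admin"})` is enforced, and a reader of this file alone could assume the JAX-RS container honours it; in this commit it is the `SecureAnnotationsInterceptor` bean in `secureServer.xml` wired with `securedObject` pointing at this class that does the check. A class Javadoc such as `/** Test resource; {@code @RolesAllowed} is enforced by the SecureAnnotationsInterceptor configured in secureServer.xml, not by the container. */` records that dependency. The stray space in `{"admin" }` is a minor style nit.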
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java Tue Oct 4 12:57:34 2011
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+
+import org.apache.cxf.rs.security.saml.authorization.Claim;
+import org.apache.cxf.rs.security.saml.authorization.Claims;
+import org.apache.cxf.systest.jaxrs.security.Book;
+
+@Path("/bookstore")
+public class SecureClaimBookStore {
+
+ public SecureClaimBookStore() {
+ }
+
+ @POST
+ @Path("/books")
+ @Produces("application/xml")
+ @Consumes("application/xml")
+ @Claims({
+ @Claim({"admin" }),
+ @Claim(name = "http://claims/authentication",
+ format = "http://claims/authentication-format",
+ value = {"fingertip", "smartcard" })
+ })
+ public Book addBook(Book book) {
+ return book;
+ }
+
+}
+
+
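Review bot: The first `@Claim({"admin" })` gives no `name` or `format`, so it presumably falls back to the annotation's default role claim name and format, while the second spells both out; a short comment on the first entry, `// role claim: relies on Claim's default name/format`, would make the asymmetry intentional rather than accidental. Whether both claims must be satisfied or either one suffices is not visible from this file, so the class Javadoc should state the expected semantics of `@Claims` for this test resource, which is what the matching authorization test asserts against.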
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml Tue Oct 4 12:57:34 2011
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util.xsd
+ http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
+ http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+ http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
+ ">
+
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <httpj:engine-factory id="port-9095-tls-config">
+ <httpj:engine port="${testutil.ports.jaxrs-saml}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="JKS" password="password"
+ file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="JKS" password="password"
+ file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="true" required="true"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore"/>
+ <bean id="serviceBeanClaims" class="org.apache.cxf.systest.jaxrs.security.saml.SecureClaimBookStore"/>
+ <bean id="samlEnvHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"/>
+
+ <bean id="claimsHandler"
+ class="org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter">
+ <property name="securedObject" ref="serviceBeanClaims"/>
+ </bean>
+
+
+ <bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
+ <property name="securedObject" ref="serviceBean"/>
+ </bean>
+
+ <bean id="rolesHandler" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
+ <property name="interceptor" ref="authorizationInterceptor"/>
+ </bean>
+
+ <jaxrs:server
+ address="https://localhost:${testutil.ports.jaxrs-saml}/saml-roles">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="samlEnvHandler"/>
+ <ref bean="rolesHandler"/>
+ </jaxrs:providers>
+ <!-- If default role qualifier and format are not supported:
+
+ <jaxrs:properties>
+ <entry key="org.apache.cxf.saml.claims.role.nameformat"
+ value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+ <entry key="org.apache.cxf.saml.claims.role.qualifier"
+ value="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"/>
+ </jaxrs:properties>
+ -->
+ </jaxrs:server>
+
+ <util:map id="userRolesMap">
+ <entry key="bob" value="admin"/>
+ <entry key="fred" value="user"/>
+ </util:map>
+
+ <bean id="authorizationInterceptorWithUserMap" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
+ <property name="securedObject" ref="serviceBean"/>
+ <property name="userRolesMap" ref="userRolesMap"/>
+ </bean>
+
+ <bean id="rolesHandlerWithUserMap" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
+ <property name="interceptor" ref="authorizationInterceptorWithUserMap"/>
+ </bean>
+
+ <bean id="samlEnvHandlerWithCustomProvider" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler">
+ <property name="securityContextProvider">
+ <bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"/>
+ </property>
+ </bean>
+
+ <jaxrs:server
+ address="https://localhost:${testutil.ports.jaxrs-saml}/saml-roles2">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="samlEnvHandlerWithCustomProvider"/>
+ <ref bean="rolesHandlerWithUserMap"/>
+ </jaxrs:providers>
+ </jaxrs:server>
+
+ <jaxrs:server
+ address="https://localhost:${testutil.ports.jaxrs-saml}/saml-claims">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBeanClaims"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="samlEnvHandler"/>
+ <ref bean="claimsHandler"/>
+ </jaxrs:providers>
+ </jaxrs:server>
+</beans>
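Review bot: The `sec:cipherSuitesFilter` block explicitly includes `.*_WITH_NULL_.*`, `.*_WITH_DES_.*` and the `_EXPORT_` patterns, which admit suites with no or very weak confidentiality on a listener that otherwise requires client certificates; this is tolerable for a loopback system test but the file carries no hint that it is test-only, and these blocks tend to be copied into deployment configs. A comment directly above the filter, `<!-- test-only: NULL/EXPORT/DES suites are allowed so the loopback test works on any JDK; do not reuse this filter in a deployment -->`, keeps the intent clear. The keystore and truststore passwords are also inline, which is consistent with the other systests but worth the same test-only marker.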
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml
------------------------------------------------------------------------------
svn:keywords = Rev Date
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml
------------------------------------------------------------------------------
svn:mime-type = text/xml