You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/23 17:31:37 UTC
[1/2] cxf-fediz git commit: Moving client certificate tests into
AbstractTests so to test other plugins
Repository: cxf-fediz
Updated Branches:
refs/heads/master bd0fc123e -> 9995c7b26
Moving client certificate tests into AbstractTests so to test other plugins
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4ea42640
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4ea42640
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4ea42640
Branch: refs/heads/master
Commit: 4ea42640550739da4410b4b41a6b3308ea5d0a24
Parents: bd0fc12
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Apr 23 16:08:06 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Apr 23 16:08:06 2015 +0100
----------------------------------------------------------------------
.../sts/src/main/webapp/WEB-INF/passwords.xml | 1 +
.../sts/src/main/webapp/WEB-INF/userClaims.xml | 1 +
systests/clientcert/pom.xml | 288 -----------------
.../integrationtests/ClientCertificateTest.java | 313 -------------------
.../integrationtests/HOKCallbackHandler.java | 48 ---
.../clientcert/src/test/resources/alice.cer | Bin 808 -> 0 bytes
.../src/test/resources/alice_client.jks | Bin 1277 -> 0 bytes
.../src/test/resources/fediz_config.xml | 45 ---
.../clientcert/src/test/resources/server.jks | Bin 2701 -> 0 bytes
.../src/test/resources/sts/passwords.xml | 42 ---
.../src/test/resources/sts/ststrust.jks | Bin 4079 -> 0 bytes
.../src/test/resources/sts/userClaims.xml | 139 --------
.../clientcert/src/test/resources/ststrust.jks | Bin 2561 -> 0 bytes
.../AbstractClientCertTests.java | 176 +++++++++++
systests/tomcat7/pom.xml | 26 ++
.../integrationtests/ClientCertificateTest.java | 179 +++++++++++
systests/tomcat7/src/test/resources/alice.cer | Bin 0 -> 808 bytes
.../tomcat7/src/test/resources/alice_client.jks | Bin 0 -> 1277 bytes
.../test/resources/fediz_config_client_cert.xml | 45 +++
systests/tomcat7/src/test/resources/server.jks | Bin 1863 -> 2701 bytes
.../tomcat7/src/test/resources/sts/ststrust.jks | Bin 0 -> 4079 bytes
21 files changed, 428 insertions(+), 875 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/services/sts/src/main/webapp/WEB-INF/passwords.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/passwords.xml b/services/sts/src/main/webapp/WEB-INF/passwords.xml
index b28a217..3ad9e7c 100644
--- a/services/sts/src/main/webapp/WEB-INF/passwords.xml
+++ b/services/sts/src/main/webapp/WEB-INF/passwords.xml
@@ -30,6 +30,7 @@
<entry key="alice" value="ecila" />
<entry key="bob" value="bob" />
<entry key="ted" value="det" />
+ <entry key="idp-user" value="idp-pass" />
</util:map>
<util:map id="REALMB">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/services/sts/src/main/webapp/WEB-INF/userClaims.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/userClaims.xml b/services/sts/src/main/webapp/WEB-INF/userClaims.xml
index 38f60ea..1a2b12f 100644
--- a/services/sts/src/main/webapp/WEB-INF/userClaims.xml
+++ b/services/sts/src/main/webapp/WEB-INF/userClaims.xml
@@ -28,6 +28,7 @@
<util:map id="userClaimsREALMA">
<entry key="alice" value-ref="REALMA_aliceClaims" />
+ <entry key="CN=alice,OU=Unknown,O=Apache,L=Dublin,ST=Unknown,C=IE" value-ref="REALMA_aliceClaims" />
<entry key="bob" value-ref="REALMA_bobClaims" />
<entry key="ted" value-ref="REALMA_tedClaims" />
</util:map>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/pom.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/pom.xml b/systests/clientcert/pom.xml
deleted file mode 100644
index 8434e48..0000000
--- a/systests/clientcert/pom.xml
+++ /dev/null
@@ -1,288 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.apache.cxf.fediz</groupId>
- <artifactId>fediz-systests</artifactId>
- <version>1.2.0-SNAPSHOT</version>
- <relativePath>../pom.xml</relativePath>
- </parent>
- <groupId>org.apache.cxf.fediz.systests</groupId>
- <artifactId>fediz-systests-clientcert</artifactId>
- <name>Apache Fediz Client Certificate Systests using Tomcat 7</name>
- <packaging>jar</packaging>
- <properties>
- <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
- </properties>
- <dependencies>
- <dependency>
- <groupId>org.apache.tomcat.embed</groupId>
- <artifactId>tomcat-embed-core</artifactId>
- <version>${tomcat.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.tomcat.embed</groupId>
- <artifactId>tomcat-embed-logging-juli</artifactId>
- <version>${tomcat.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.eclipse.jdt.core.compiler</groupId>
- <artifactId>ecj</artifactId>
- <version>3.7.1</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.tomcat.embed</groupId>
- <artifactId>tomcat-embed-jasper</artifactId>
- <version>${tomcat.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>${junit.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.cxf.fediz</groupId>
- <artifactId>fediz-tomcat7</artifactId>
- <version>${project.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.cxf.fediz.systests</groupId>
- <artifactId>fediz-systests-tests</artifactId>
- <version>${project.version}</version>
- <type>test-jar</type>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- <version>${slf4j.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-jdk14</artifactId>
- <version>${slf4j.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>hsqldb</groupId>
- <artifactId>hsqldb</artifactId>
- <version>${hsqldb.version}</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
- <build>
- <testResources>
- <testResource>
- <directory>src/test/resources</directory>
- <filtering>true</filtering>
- <includes>
- <include>**/fediz_config*.xml</include>
- </includes>
- </testResource>
- <testResource>
- <directory>src/test/resources</directory>
- <filtering>false</filtering>
- <excludes>
- <exclude>**/fediz_config*.xml</exclude>
- </excludes>
- </testResource>
- </testResources>
- <plugins>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>reserve-network-port</id>
- <goals>
- <goal>reserve-network-port</goal>
- </goals>
- <phase>initialize</phase>
- <configuration>
- <portNames>
- <portName>idp.https.port</portName>
- <portName>rp.https.port</portName>
- </portNames>
- </configuration>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-dependency-plugin</artifactId>
- <executions>
- <execution>
- <id>copy-idp-sts</id>
- <phase>generate-resources</phase>
- <goals>
- <goal>unpack</goal>
- </goals>
- <configuration>
- <artifactItems>
- <artifactItem>
- <groupId>org.apache.cxf.fediz</groupId>
- <artifactId>fediz-idp</artifactId>
- <version>${project.version}</version>
- <type>war</type>
- <overWrite>true</overWrite>
- <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory>
- </artifactItem>
- <artifactItem>
- <groupId>org.apache.cxf.fediz</groupId>
- <artifactId>fediz-idp-sts</artifactId>
- <version>${project.version}</version>
- <type>war</type>
- <overWrite>true</overWrite>
- <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory>
- </artifactItem>
- <artifactItem>
- <groupId>org.apache.cxf.fediz.systests.webapps</groupId>
- <artifactId>fediz-systests-webapps-simple</artifactId>
- <version>${project.version}</version>
- <type>war</type>
- <overWrite>true</overWrite>
- <outputDirectory>target/tomcat/rp/webapps/simpleWebapp</outputDirectory>
- </artifactItem>
- </artifactItems>
- <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
- <overWriteSnapshots>true</overWriteSnapshots>
- <overWriteIfNewer>true</overWriteIfNewer>
- <stripVersion>true</stripVersion>
- </configuration>
- </execution>
- <execution>
- <id>copy-xalan-to-idp</id>
- <phase>generate-resources</phase>
- <goals>
- <goal>copy</goal>
- </goals>
- <configuration>
- <artifactItems>
- <artifactItem>
- <groupId>xalan</groupId>
- <artifactId>xalan</artifactId>
- <version>${xalan.version}</version>
- <outputDirectory>target/tomcat/idp/webapps/fediz-idp/WEB-INF/lib</outputDirectory>
- </artifactItem>
- </artifactItems>
- </configuration>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <artifactId>maven-resources-plugin</artifactId>
- <version>2.7</version>
- <executions>
- <execution>
- <id>copy-entities-to-sts</id>
- <phase>generate-test-sources</phase>
- <goals>
- <goal>copy-resources</goal>
- </goals>
- <configuration>
- <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF</outputDirectory>
- <resources>
- <resource>
- <directory>${basedir}/src/test/resources/sts</directory>
- <includes>
- <include>passwords.xml</include>
- <include>userClaims.xml</include>
- </includes>
- <filtering>true</filtering>
- </resource>
- </resources>
- </configuration>
- </execution>
- <execution>
- <id>copy-entities-to-sts2</id>
- <phase>generate-test-sources</phase>
- <goals>
- <goal>copy-resources</goal>
- </goals>
- <configuration>
- <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF/classes</outputDirectory>
- <overwrite>true</overwrite>
- <resources>
- <resource>
- <directory>${basedir}/src/test/resources/sts</directory>
- <includes>
- <include>ststrust.jks</include>
- </includes>
- </resource>
- </resources>
- </configuration>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <artifactId>maven-failsafe-plugin</artifactId>
- <inherited>true</inherited>
- <executions>
- <execution>
- <id>integration-test</id>
- <phase>integration-test</phase>
- <goals>
- <goal>integration-test</goal>
- </goals>
- <configuration>
- <skip>false</skip>
- <systemPropertyVariables>
- <wt.headless>true</wt.headless>
- <idp.https.port>${idp.https.port}</idp.https.port>
- <rp.https.port>${rp.https.port}</rp.https.port>
- </systemPropertyVariables>
- <includes>
- <include>**/integrationtests/**</include>
- </includes>
- <argLine>-Xms512m -Xmx1024m
- -XX:MaxPermSize=256m</argLine>
- </configuration>
- </execution>
- <execution>
- <id>verify</id>
- <phase>verify</phase>
- <goals>
- <goal>verify</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-plugin</artifactId>
- <inherited>true</inherited>
- <configuration>
- <excludes>
- <exclude>**/integrationtests/**</exclude>
- </excludes>
- </configuration>
- </plugin>
- </plugins>
- </build>
-</project>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
deleted file mode 100644
index 208153a..0000000
--- a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
+++ /dev/null
@@ -1,313 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-import java.io.File;
-import java.net.URL;
-import java.util.ArrayList;
-
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.HttpMethod;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.WebRequest;
-import com.gargoylesoftware.htmlunit.html.DomElement;
-import com.gargoylesoftware.htmlunit.html.DomNodeList;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-import com.gargoylesoftware.htmlunit.util.NameValuePair;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.LifecycleState;
-import org.apache.catalina.connector.Connector;
-import org.apache.catalina.startup.Tomcat;
-import org.apache.cxf.fediz.core.ClaimTypes;
-import org.apache.cxf.fediz.tomcat.FederationAuthenticator;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-
-/**
- * In this test-case, the IdP is set up to require client authentication, rather than authenticating using a
- * username + password, or via Kerberos.
- */
-public class ClientCertificateTest {
-
- static String idpHttpsPort;
- static String rpHttpsPort;
-
- private static Tomcat idpServer;
- private static Tomcat rpServer;
-
- @BeforeClass
- public static void init() {
- System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
- System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
- System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
-
- idpHttpsPort = System.getProperty("idp.https.port");
- Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
- rpHttpsPort = System.getProperty("rp.https.port");
- Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
-
- initIdp();
- initRp();
- }
-
- private static void initIdp() {
- try {
- idpServer = new Tomcat();
- idpServer.setPort(0);
- String currentDir = new File(".").getCanonicalPath();
- idpServer.setBaseDir(currentDir + File.separator + "target");
-
- idpServer.getHost().setAppBase("tomcat/idp/webapps");
- idpServer.getHost().setAutoDeploy(true);
- idpServer.getHost().setDeployOnStartup(true);
-
- Connector httpsConnector = new Connector();
- httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
- httpsConnector.setSecure(true);
- httpsConnector.setScheme("https");
- //httpsConnector.setAttribute("keyAlias", keyAlias);
- httpsConnector.setAttribute("keystorePass", "tompass");
- httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("truststorePass", "tompass");
- httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("clientAuth", "true");
- httpsConnector.setAttribute("sslProtocol", "TLS");
- httpsConnector.setAttribute("SSLEnabled", true);
-
- idpServer.getService().addConnector(httpsConnector);
-
- idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
- idpServer.addWebapp("/fediz-idp", "fediz-idp");
-
- idpServer.start();
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- private static void initRp() {
- try {
- rpServer = new Tomcat();
- rpServer.setPort(0);
- String currentDir = new File(".").getCanonicalPath();
- rpServer.setBaseDir(currentDir + File.separator + "target");
-
- rpServer.getHost().setAppBase("tomcat/rp/webapps");
- rpServer.getHost().setAutoDeploy(true);
- rpServer.getHost().setDeployOnStartup(true);
-
- Connector httpsConnector = new Connector();
- httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
- httpsConnector.setSecure(true);
- httpsConnector.setScheme("https");
- //httpsConnector.setAttribute("keyAlias", keyAlias);
- httpsConnector.setAttribute("keystorePass", "tompass");
- httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("truststorePass", "tompass");
- httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("clientAuth", "true");
- httpsConnector.setAttribute("sslProtocol", "TLS");
- httpsConnector.setAttribute("SSLEnabled", true);
-
- rpServer.getService().addConnector(httpsConnector);
-
- //Context ctx =
- Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
- FederationAuthenticator fa = new FederationAuthenticator();
- fa.setConfigFile(currentDir + File.separator + "target" + File.separator
- + "test-classes" + File.separator + "fediz_config.xml");
- cxt.getPipeline().addValve(fa);
-
-
- rpServer.start();
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- @AfterClass
- public static void cleanup() {
- try {
- if (idpServer.getServer() != null
- && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
- if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
- idpServer.stop();
- }
- idpServer.destroy();
- }
- } catch (Exception e) {
- e.printStackTrace();
- }
-
- try {
- if (rpServer.getServer() != null
- && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
- if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
- rpServer.stop();
- }
- rpServer.destroy();
- }
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- public String getIdpHttpsPort() {
- return idpHttpsPort;
- }
-
- public String getRpHttpsPort() {
- return rpHttpsPort;
- }
-
- public String getServletContextName() {
- return "fedizhelloworld";
- }
-
- @org.junit.Test
- public void testClientAuthentication() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
-
- final WebClient webClient = new WebClient();
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getOptions().setSSLClientCertificate(
- this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage = webClient.getPage(url);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
- final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
- // Test the Subject Confirmation method here
- DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
- String wresult = null;
- for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
- wresult = result.getAttributeNS(null, "value");
- break;
- }
- }
- Assert.assertTrue(wresult != null
- && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
-
- final HtmlPage rpPage = button.click();
- Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
-
- final String bodyTextContent = rpPage.getBody().getTextContent();
- String user = "alice";
- Assert.assertTrue("Principal not " + user,
- bodyTextContent.contains("userPrincipal=" + user));
- Assert.assertTrue("User " + user + " does not have role Admin",
- bodyTextContent.contains("role:Admin=false"));
- Assert.assertTrue("User " + user + " does not have role Manager",
- bodyTextContent.contains("role:Manager=false"));
- Assert.assertTrue("User " + user + " must have role User",
- bodyTextContent.contains("role:User=true"));
-
- String claim = ClaimTypes.FIRSTNAME.toString();
- Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
- bodyTextContent.contains(claim + "=Alice"));
- claim = ClaimTypes.LASTNAME.toString();
- Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
- bodyTextContent.contains(claim + "=Smith"));
- claim = ClaimTypes.EMAILADDRESS.toString();
- Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
- bodyTextContent.contains(claim + "=alice@realma.org"));
- }
-
- @org.junit.Test
- public void testDifferentClientCertificate() throws Exception {
- // Get the initial wresult from the IdP
- String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
-
- CookieManager cookieManager = new CookieManager();
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getOptions().setSSLClientCertificate(
- this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage = webClient.getPage(url);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
- // Test the Subject Confirmation method here
- DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
- String wresult = null;
- String wa = "wsignin1.0";
- String wctx = null;
- String wtrealm = null;
- for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
- wresult = result.getAttributeNS(null, "value");
- } else if ("wctx".equals(result.getAttributeNS(null, "name"))) {
- wctx = result.getAttributeNS(null, "value");
- } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) {
- wtrealm = result.getAttributeNS(null, "value");
- }
- }
- Assert.assertTrue(wctx != null && wtrealm != null);
- Assert.assertTrue(wresult != null
- && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
-
- // Now invoke on the RP using the saved parameters above, but a different client cert!
- final WebClient webClient2 = new WebClient();
- webClient2.setCookieManager(cookieManager);
- webClient2.getOptions().setUseInsecureSSL(true);
- webClient2.getOptions().setSSLClientCertificate(
- this.getClass().getClassLoader().getResource("server.jks"), "tompass", "jks");
-
- WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
-
- request.setRequestParameters(new ArrayList<NameValuePair>());
- request.getRequestParameters().add(new NameValuePair("wctx", wctx));
- request.getRequestParameters().add(new NameValuePair("wa", wa));
- request.getRequestParameters().add(new NameValuePair("wtrealm", wtrealm));
- request.getRequestParameters().add(new NameValuePair("wresult", wresult));
-
- try {
- webClient2.getPage(request);
- Assert.fail("Exception expected");
- } catch (FailingHttpStatusCodeException ex) {
- // expected
- Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
- || ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden"));
- }
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
deleted file mode 100644
index e2f402c..0000000
--- a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-import java.io.IOException;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-
-import org.apache.cxf.fediz.core.spi.WReqCallback;
-
-public class HOKCallbackHandler implements CallbackHandler {
-
- static final String HOK_WREQ =
- "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
- + "<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</KeyType>"
- + "</RequestSecurityToken>";
-
- public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
- for (int i = 0; i < callbacks.length; i++) {
- if (callbacks[i] instanceof WReqCallback) {
- WReqCallback callback = (WReqCallback) callbacks[i];
- callback.setWreq(HOK_WREQ);
- } else {
- throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
- }
- }
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/alice.cer
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/alice.cer b/systests/clientcert/src/test/resources/alice.cer
deleted file mode 100644
index 82ab5db..0000000
Binary files a/systests/clientcert/src/test/resources/alice.cer and /dev/null differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/alice_client.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/alice_client.jks b/systests/clientcert/src/test/resources/alice_client.jks
deleted file mode 100644
index 5e1bdd2..0000000
Binary files a/systests/clientcert/src/test/resources/alice_client.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/fediz_config.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/fediz_config.xml b/systests/clientcert/src/test/resources/fediz_config.xml
deleted file mode 100644
index 8399dfc..0000000
--- a/systests/clientcert/src/test/resources/fediz_config.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
- Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
- keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
--->
-<FedizConfig>
- <contextConfig name="/fedizhelloworld">
- <audienceUris>
- <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
- </audienceUris>
- <certificateStores>
- <trustManager>
- <keyStore file="test-classes/ststrust.jks"
- password="storepass" type="JKS" />
- </trustManager>
- </certificateStores>
- <trustedIssuers>
- <issuer certificateValidation="PeerTrust" />
- </trustedIssuers>
- <maximumClockSkew>1000</maximumClockSkew>
- <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
- <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
- </signingKey>
- <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:type="federationProtocolType" version="1.0.0">
- <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
- <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
- <roleDelimiter>,</roleDelimiter>
- <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
- <freshness>10</freshness>
- <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
- <claimTypesRequested>
- <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
- <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
- <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
- <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
- </claimTypesRequested>
- <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType>
- <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
- </protocol>
- <logoutURL>/secure/logout</logoutURL>
- <logoutRedirectTo>/index.html</logoutRedirectTo>
- </contextConfig>
-</FedizConfig>
-
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/server.jks b/systests/clientcert/src/test/resources/server.jks
deleted file mode 100644
index a292ec9..0000000
Binary files a/systests/clientcert/src/test/resources/server.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/passwords.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/passwords.xml b/systests/clientcert/src/test/resources/sts/passwords.xml
deleted file mode 100644
index 3ad9e7c..0000000
--- a/systests/clientcert/src/test/resources/sts/passwords.xml
+++ /dev/null
@@ -1,42 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:util="http://www.springframework.org/schema/util"
- xsi:schemaLocation="
- http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
- http://www.springframework.org/schema/util
- http://www.springframework.org/schema/util/spring-util-2.0.xsd">
-
- <util:map id="REALMA">
- <entry key="alice" value="ecila" />
- <entry key="bob" value="bob" />
- <entry key="ted" value="det" />
- <entry key="idp-user" value="idp-pass" />
- </util:map>
-
- <util:map id="REALMB">
- <entry key="ALICE" value="ECILA" />
- <entry key="BOB" value="BOB" />
- <entry key="TED" value="DET" />
- </util:map>
-
-</beans>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/ststrust.jks b/systests/clientcert/src/test/resources/sts/ststrust.jks
deleted file mode 100644
index c4d1c1e..0000000
Binary files a/systests/clientcert/src/test/resources/sts/ststrust.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/userClaims.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/userClaims.xml b/systests/clientcert/src/test/resources/sts/userClaims.xml
deleted file mode 100644
index 1a2b12f..0000000
--- a/systests/clientcert/src/test/resources/sts/userClaims.xml
+++ /dev/null
@@ -1,139 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:util="http://www.springframework.org/schema/util"
- xsi:schemaLocation="
- http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
- http://www.springframework.org/schema/util
- http://www.springframework.org/schema/util/spring-util-2.0.xsd">
-
- <util:map id="userClaimsREALMA">
- <entry key="alice" value-ref="REALMA_aliceClaims" />
- <entry key="CN=alice,OU=Unknown,O=Apache,L=Dublin,ST=Unknown,C=IE" value-ref="REALMA_aliceClaims" />
- <entry key="bob" value-ref="REALMA_bobClaims" />
- <entry key="ted" value-ref="REALMA_tedClaims" />
- </util:map>
-
- <util:map id="REALMA_aliceClaims">
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
- value="Alice" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
- value="Smith" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
- value="alice@realma.org" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
- value="User" />
- </util:map>
-
- <util:map id="REALMA_bobClaims">
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
- value="Bob" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
- value="Windsor" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
- value="bobwindsor@realma.org" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
- value="User,Manager,Admin" />
- </util:map>
-
- <util:map id="REALMA_tedClaims">
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
- value="Ted" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
- value="Cooper" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
- value="tcooper@realma.org" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
- value="" />
- </util:map>
-
- <util:map id="userClaimsREALMB">
- <entry key="ALICE" value-ref="REALMB_aliceClaims" />
- <entry key="BOB" value-ref="REALMB_bobClaims" />
- <entry key="TED" value-ref="REALMB_tedClaims" />
- </util:map>
-
- <util:map id="REALMB_aliceClaims">
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
- value="Alice" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
- value="Smith" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
- value="alice@realmb.org" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
- value="USER" />
- </util:map>
-
- <util:map id="REALMB_bobClaims">
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
- value="Bob" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
- value="Windsor" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
- value="bobwindsor@realmb.org" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
- value="USER,MANAGER,ADMIN" />
- </util:map>
-
- <util:map id="REALMB_tedClaims">
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
- value="Ted" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
- value="Cooper" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
- value="tcooper@realmb.org" />
- <entry
- key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
- value="" />
- </util:map>
-
- <util:list id="supportedClaims">
- <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value>
- <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value>
- <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</value>
- <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value>
- </util:list>
-
-</beans>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/ststrust.jks b/systests/clientcert/src/test/resources/ststrust.jks
deleted file mode 100644
index 911945c..0000000
Binary files a/systests/clientcert/src/test/resources/ststrust.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java
new file mode 100644
index 0000000..1a5fe6c
--- /dev/null
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java
@@ -0,0 +1,176 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.net.URL;
+import java.util.ArrayList;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.HttpMethod;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebRequest;
+import com.gargoylesoftware.htmlunit.html.DomElement;
+import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+import com.gargoylesoftware.htmlunit.util.NameValuePair;
+
+import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.wss4j.dom.WSSConfig;
+import org.junit.Assert;
+
+public abstract class AbstractClientCertTests {
+
+ static {
+ WSSConfig.init();
+ }
+
+ public AbstractClientCertTests() {
+ super();
+ }
+
+ public abstract String getServletContextName();
+
+ public abstract String getIdpHttpsPort();
+
+ public abstract String getRpHttpsPort();
+
+ @org.junit.Test
+ public void testClientAuthentication() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getOptions().setSSLClientCertificate(
+ this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ // Test the Subject Confirmation method here
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String wresult = null;
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ wresult = result.getAttributeNS(null, "value");
+ break;
+ }
+ }
+ Assert.assertTrue(wresult != null
+ && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
+
+ final HtmlPage rpPage = button.click();
+ Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
+
+ final String bodyTextContent = rpPage.getBody().getTextContent();
+ String user = "alice";
+ Assert.assertTrue("Principal not " + user,
+ bodyTextContent.contains("userPrincipal=" + user));
+ Assert.assertTrue("User " + user + " does not have role Admin",
+ bodyTextContent.contains("role:Admin=false"));
+ Assert.assertTrue("User " + user + " does not have role Manager",
+ bodyTextContent.contains("role:Manager=false"));
+ Assert.assertTrue("User " + user + " must have role User",
+ bodyTextContent.contains("role:User=true"));
+
+ String claim = ClaimTypes.FIRSTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
+ bodyTextContent.contains(claim + "=Alice"));
+ claim = ClaimTypes.LASTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
+ bodyTextContent.contains(claim + "=Smith"));
+ claim = ClaimTypes.EMAILADDRESS.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
+ bodyTextContent.contains(claim + "=alice@realma.org"));
+ }
+
+ @org.junit.Test
+ public void testDifferentClientCertificate() throws Exception {
+ // Get the initial wresult from the IdP
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getOptions().setSSLClientCertificate(
+ this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Test the Subject Confirmation method here
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String wresult = null;
+ String wa = "wsignin1.0";
+ String wctx = null;
+ String wtrealm = null;
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ wresult = result.getAttributeNS(null, "value");
+ } else if ("wctx".equals(result.getAttributeNS(null, "name"))) {
+ wctx = result.getAttributeNS(null, "value");
+ } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) {
+ wtrealm = result.getAttributeNS(null, "value");
+ }
+ }
+ Assert.assertTrue(wctx != null && wtrealm != null);
+ Assert.assertTrue(wresult != null
+ && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
+
+ // Now invoke on the RP using the saved parameters above, but a different client cert!
+ final WebClient webClient2 = new WebClient();
+ webClient2.setCookieManager(cookieManager);
+ webClient2.getOptions().setUseInsecureSSL(true);
+ webClient2.getOptions().setSSLClientCertificate(
+ this.getClass().getClassLoader().getResource("server.jks"), "tompass", "jks");
+
+ WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+
+ request.setRequestParameters(new ArrayList<NameValuePair>());
+ request.getRequestParameters().add(new NameValuePair("wctx", wctx));
+ request.getRequestParameters().add(new NameValuePair("wa", wa));
+ request.getRequestParameters().add(new NameValuePair("wtrealm", wtrealm));
+ request.getRequestParameters().add(new NameValuePair("wresult", wresult));
+
+ try {
+ webClient2.getPage(request);
+ Assert.fail("Exception expected");
+ } catch (FailingHttpStatusCodeException ex) {
+ // expected
+ Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
+ || ex.getMessage().contains("401 Authentication Failed")
+ || ex.getMessage().contains("403 Forbidden"));
+ }
+
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/pom.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/pom.xml b/systests/tomcat7/pom.xml
index d214223..c2d8dea 100644
--- a/systests/tomcat7/pom.xml
+++ b/systests/tomcat7/pom.xml
@@ -195,6 +195,32 @@
</execution>
</executions>
</plugin>
+ <!-- Needed for ClientCertificateTests -->
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <version>2.7</version>
+ <executions>
+ <execution>
+ <id>copy-entities-to-sts2</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF/classes</outputDirectory>
+ <overwrite>true</overwrite>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/sts</directory>
+ <includes>
+ <include>ststrust.jks</include>
+ </includes>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
<plugin>
<artifactId>maven-failsafe-plugin</artifactId>
<inherited>true</inherited>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
new file mode 100644
index 0000000..078e032
--- /dev/null
+++ b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
@@ -0,0 +1,179 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.io.File;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.cxf.fediz.tomcat.FederationAuthenticator;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * In this test-case, the IdP is set up to require client authentication, rather than authenticating using a
+ * username + password, or via Kerberos.
+ */
+public class ClientCertificateTest extends AbstractClientCertTests {
+
+ static String idpHttpsPort;
+ static String rpHttpsPort;
+
+ private static Tomcat idpServer;
+ private static Tomcat rpServer;
+
+ @BeforeClass
+ public static void init() {
+ System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
+ System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
+ System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
+
+ idpHttpsPort = System.getProperty("idp.https.port");
+ Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+ rpHttpsPort = System.getProperty("rp.https.port");
+ Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+ initIdp();
+ initRp();
+ }
+
+ private static void initIdp() {
+ try {
+ idpServer = new Tomcat();
+ idpServer.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ idpServer.setBaseDir(currentDir + File.separator + "target");
+
+ idpServer.getHost().setAppBase("tomcat/idp/webapps");
+ idpServer.getHost().setAutoDeploy(true);
+ idpServer.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ //httpsConnector.setAttribute("keyAlias", keyAlias);
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "true");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ idpServer.getService().addConnector(httpsConnector);
+
+ idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
+ idpServer.addWebapp("/fediz-idp", "fediz-idp");
+
+ idpServer.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ private static void initRp() {
+ try {
+ rpServer = new Tomcat();
+ rpServer.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ rpServer.setBaseDir(currentDir + File.separator + "target");
+
+ rpServer.getHost().setAppBase("tomcat/rp/webapps");
+ rpServer.getHost().setAutoDeploy(true);
+ rpServer.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ //httpsConnector.setAttribute("keyAlias", keyAlias);
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "true");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ rpServer.getService().addConnector(httpsConnector);
+
+ //Context ctx =
+ Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
+ FederationAuthenticator fa = new FederationAuthenticator();
+ fa.setConfigFile(currentDir + File.separator + "target" + File.separator
+ + "test-classes" + File.separator + "fediz_config_client_cert.xml");
+ cxt.getPipeline().addValve(fa);
+
+
+ rpServer.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ @AfterClass
+ public static void cleanup() {
+ try {
+ if (idpServer.getServer() != null
+ && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
+ if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
+ idpServer.stop();
+ }
+ idpServer.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ try {
+ if (rpServer.getServer() != null
+ && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
+ if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
+ rpServer.stop();
+ }
+ rpServer.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public String getIdpHttpsPort() {
+ return idpHttpsPort;
+ }
+
+ public String getRpHttpsPort() {
+ return rpHttpsPort;
+ }
+
+ public String getServletContextName() {
+ return "fedizhelloworld";
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/alice.cer
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/alice.cer b/systests/tomcat7/src/test/resources/alice.cer
new file mode 100644
index 0000000..82ab5db
Binary files /dev/null and b/systests/tomcat7/src/test/resources/alice.cer differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/alice_client.jks
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/alice_client.jks b/systests/tomcat7/src/test/resources/alice_client.jks
new file mode 100644
index 0000000..5e1bdd2
Binary files /dev/null and b/systests/tomcat7/src/test/resources/alice_client.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml b/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml
new file mode 100644
index 0000000..8399dfc
--- /dev/null
+++ b/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
+ keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
+-->
+<FedizConfig>
+ <contextConfig name="/fedizhelloworld">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/ststrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+ <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
+ </signingKey>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+ </claimTypesRequested>
+ <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType>
+ <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+</FedizConfig>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/server.jks b/systests/tomcat7/src/test/resources/server.jks
index 2f0fdf3..a292ec9 100644
Binary files a/systests/tomcat7/src/test/resources/server.jks and b/systests/tomcat7/src/test/resources/server.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/sts/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/sts/ststrust.jks b/systests/tomcat7/src/test/resources/sts/ststrust.jks
new file mode 100644
index 0000000..c4d1c1e
Binary files /dev/null and b/systests/tomcat7/src/test/resources/sts/ststrust.jks differ
[2/2] cxf-fediz git commit: Removing clientcert from systests pom
Posted by co...@apache.org.
Removing clientcert from systests pom
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9995c7b2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9995c7b2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9995c7b2
Branch: refs/heads/master
Commit: 9995c7b26a2ef189fa9b7a648b657a2540156b02
Parents: 4ea4264
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Apr 23 16:31:06 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Apr 23 16:31:06 2015 +0100
----------------------------------------------------------------------
systests/pom.xml | 1 -
1 file changed, 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9995c7b2/systests/pom.xml
----------------------------------------------------------------------
diff --git a/systests/pom.xml b/systests/pom.xml
index d69f4ad..3e8e823 100644
--- a/systests/pom.xml
+++ b/systests/pom.xml
@@ -38,7 +38,6 @@
<module>cxf</module>
<module>federation</module>
<module>kerberos</module>
- <module>clientcert</module>
</modules>
</project>