Posted to commits@cxf.apache.org by co...@apache.org on 2017/03/28 12:13:51 UTC
[3/5] cxf git commit: Adding some negative tests for trust
verification for rs-security
Adding some negative tests for trust verification for rs-security
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/af69b53d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/af69b53d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/af69b53d
Branch: refs/heads/3.1.x-fixes
Commit: af69b53d8460c7c80546afb8ae56dd086a807a6f
Parents: f05a415
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Mar 28 13:04:16 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Mar 28 13:13:41 2017 +0100
----------------------------------------------------------------------
.../security/xml/AbstractXmlSecInHandler.java | 6 +-
.../rs/security/xml/XmlSecInInterceptor.java | 20 ++---
.../security/saml/KeystorePasswordCallback.java | 4 +
.../jaxrs/security/xml/JAXRSXmlSecTest.java | 90 ++++++++++++++++++++
.../systest/jaxrs/security/bethal.properties | 24 ++++++
.../systest/jaxrs/security/morpit.properties | 21 +++++
.../jaxrs/security/morpittrust.properties | 23 +++++
.../cxf/systest/jaxrs/security/xml/server.xml | 32 +++++++
.../systest/jaxrs/security/xml/stax-server.xml | 34 +++++++-
9 files changed, 242 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
index 8d79b1c..27bc803 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
@@ -96,7 +96,11 @@ public abstract class AbstractXmlSecInHandler {
}
protected void throwFault(String error, Exception ex) {
- LOG.warning(error);
+ StringBuilder log = new StringBuilder(error);
+ if (ex != null) {
+ log = log.append(" - ").append(ex.getMessage());
+ }
+ LOG.warning(log.toString());
Response response = JAXRSUtils.toResponseBuilder(400).entity(error).build();
throw ExceptionUtils.toBadRequestException(null, response);
}
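Review bot: The new warning appends only `ex.getMessage()` and still discards the exception object, so a signature or trust failure leaves no stack trace anywhere for triage. Keeping the 400 entity as the bare `error` string is the right call (internal detail does not reach the client), which makes the server log the only place the cause can survive; pass the exception to the logger, `LOG.log(Level.WARNING, log.toString(), ex);`, assuming LOG is a java.util.logging Logger as the `warning(String)` call suggests (this needs `java.util.logging.Level` in scope). The reassignment `log = log.append(...)` is redundant since StringBuilder.append returns the same builder; `log.append(" - ").append(ex.getMessage());` is enough. Also note `getMessage()` can be null for some exception types, which would yield a trailing ` - null` in the log line.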
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
index 19a7457..3341793 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
@@ -106,9 +106,9 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
message.getInterceptorChain().add(
new StaxActionInInterceptor(requireSignature, requireEncryption));
}
-
+
private void prepareMessage(Message inMsg) throws Fault {
-
+
XMLStreamReader originalXmlStreamReader = inMsg.getContent(XMLStreamReader.class);
if (originalXmlStreamReader == null) {
InputStream is = inMsg.getContent(InputStream.class);
@@ -147,7 +147,7 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
return "GET".equals(method) && !MessageUtils.isRequestor(message);
}
-
+
private void configureDecryptionKeys(Message message, XMLSecurityProperties properties)
throws IOException,
UnsupportedCallbackException, WSSecurityException {
@@ -311,8 +311,8 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
new TrustValidator().validateTrust(sigCrypto, cert, publicKey,
getSubjectContraints(msg));
} catch (WSSecurityException e) {
- throw new XMLSecurityException("empty", new Object[] {"Error during Signature Trust "
- + "validation: " + e.getMessage()});
+ String error = "Signature validation failed";
+ throw new XMLSecurityException("empty", new Object[] {error});
}
if (persistSignature) {
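Review bot: The rewritten catch drops the WSSecurityException `e` entirely: the new XMLSecurityException carries neither a cause nor the original reason, so an operator sees only "Signature validation failed" and cannot distinguish an untrusted signer from an expired certificate or a subject-constraint mismatch. Keeping the outward-facing text generic is sound, but the cause should stay attached so it can be logged server-side: `throw new XMLSecurityException(e, "empty", new Object[] {error});`, assuming the cause-taking constructor of Santuario's XMLSecurityException is available in the version in use. The enclosing method begins and ends outside this hunk, so where the exception is ultimately caught and logged is not visible here.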
@@ -408,19 +408,19 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
@Override
public Object aroundReadFrom(ReaderInterceptorContext ctx) throws IOException, WebApplicationException {
Message message = ((ReaderInterceptorContextImpl)ctx).getMessage();
-
+
if (isServerGet(message)) {
- return ctx.proceed();
+ return ctx.proceed();
} else {
prepareMessage(message);
Object object = ctx.proceed();
- new StaxActionInInterceptor(requireSignature,
+ new StaxActionInInterceptor(requireSignature,
requireEncryption).handleMessage(message);
return object;
}
-
+
}
-
+
/**
* This interceptor handles parsing the StaX results (events) + checks to see whether the
* required (if any) Actions (signature or encryption) were fulfilled.
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
index 3103aad..099bc4e 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
@@ -46,6 +46,10 @@ public class KeystorePasswordCallback implements CallbackHandler {
pc.setPassword("password");
} else if ("bob".equals(pc.getIdentifier())) {
pc.setPassword("password");
+ } else if ("morpit".equals(pc.getIdentifier())) {
+ pc.setPassword("password");
+ } else if ("bethal".equals(pc.getIdentifier())) {
+ pc.setPassword("password");
} else {
pc.setPassword("abcd!1234");
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
index b1c42d8..94084a6 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
@@ -311,6 +311,96 @@ public class JAXRSXmlSecTest extends AbstractBusClientServerTestBase {
}
@Test
+ public void testSignatureNegativeServer() throws Exception {
+ String address = "https://localhost:" + test.port + "/xmlsignegativeserver/bookstore/books";
+
+ JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+ bean.setAddress(address);
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = JAXRSXmlSecTest.class.getResource("client.xml");
+ Bus springBus = bf.createBus(busFile.toString());
+ bean.setBus(springBus);
+
+ Map<String, Object> properties = new HashMap<>();
+ properties.put("security.callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+ properties.put("security.signature.username", "bethal");
+ properties.put("security.signature.properties",
+ "org/apache/cxf/systest/jaxrs/security/bethal.properties");
+ bean.setProperties(properties);
+ if (test.streaming) {
+ XmlSecOutInterceptor sigOutInterceptor = new XmlSecOutInterceptor();
+ sigOutInterceptor.setSignRequest(true);
+ bean.getOutInterceptors().add(sigOutInterceptor);
+
+ XmlSecInInterceptor sigInInterceptor = new XmlSecInInterceptor();
+ sigInInterceptor.setRequireSignature(true);
+ bean.getInInterceptors().add(sigInInterceptor);
+ } else {
+ XmlSigOutInterceptor sigOutInterceptor = new XmlSigOutInterceptor();
+ bean.getOutInterceptors().add(sigOutInterceptor);
+
+ XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor();
+ bean.getInInterceptors().add(sigInInterceptor);
+ }
+
+ WebClient wc = bean.createWebClient();
+ WebClient.getConfig(wc).getHttpConduit().getClient().setReceiveTimeout(10000000L);
+ try {
+ wc.post(new Book("CXF", 126L), Book.class);
+ fail("Failure expected on signature trust failure");
+ } catch (WebApplicationException ex) {
+ assertTrue(ex.getMessage().contains("400 Bad Request"));
+ }
+ }
+
+ @Test
+ public void testSignatureNegativeClient() throws Exception {
+ String address = "https://localhost:" + test.port + "/xmlsignegativeclient/bookstore/books";
+
+ JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+ bean.setAddress(address);
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = JAXRSXmlSecTest.class.getResource("client.xml");
+ Bus springBus = bf.createBus(busFile.toString());
+ bean.setBus(springBus);
+
+ Map<String, Object> properties = new HashMap<>();
+ properties.put("security.callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+ properties.put("security.signature.username", "bethal");
+ properties.put("security.signature.properties",
+ "org/apache/cxf/systest/jaxrs/security/bethal.properties");
+ bean.setProperties(properties);
+ if (test.streaming) {
+ XmlSecOutInterceptor sigOutInterceptor = new XmlSecOutInterceptor();
+ sigOutInterceptor.setSignRequest(true);
+ bean.getOutInterceptors().add(sigOutInterceptor);
+
+ XmlSecInInterceptor sigInInterceptor = new XmlSecInInterceptor();
+ sigInInterceptor.setRequireSignature(true);
+ bean.getInInterceptors().add(sigInInterceptor);
+ } else {
+ XmlSigOutInterceptor sigOutInterceptor = new XmlSigOutInterceptor();
+ bean.getOutInterceptors().add(sigOutInterceptor);
+
+ XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor();
+ bean.getInInterceptors().add(sigInInterceptor);
+ }
+
+ WebClient wc = bean.createWebClient();
+ WebClient.getConfig(wc).getHttpConduit().getClient().setReceiveTimeout(10000000L);
+ try {
+ wc.post(new Book("CXF", 126L), Book.class);
+ fail("Failure expected on signature trust failure");
+ } catch (ProcessingException ex) {
+ assertTrue(ex.getCause() instanceof BadRequestException);
+ }
+ }
+
+ @Test
public void testPostEncryptedBook() throws Exception {
String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
Map<String, Object> properties = new HashMap<String, Object>();
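Review bot: testSignatureNegativeServer only checks that the exception message contains "400 Bad Request", so any 400 (a malformed body, a missing signature element) would pass without the trust validation ever being exercised; `assertEquals(400, ex.getResponse().getStatus());` is at least independent of message formatting, and if the server's error entity for a trust failure is stable it would be worth asserting on that too. The two new tests are otherwise line-for-line copies differing only in the path and the expected exception type; a small private helper that builds the signed WebClient for a given path would keep them in sync when the interceptor setup changes. The 10,000,000 ms receive timeout is presumably a debugging convenience, but on a negative test it means a server that hangs instead of rejecting stalls the build for hours rather than failing it.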
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
new file mode 100644
index 0000000..7356fc5
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=bethal
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Bethal.jks
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
new file mode 100644
index 0000000..7cf81d6
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=morpit
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Morpit.jks
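Review bot: Nothing in this file records that the missing truststore is deliberate, yet that omission is what makes the `xmlsignegativeserver` endpoint reject bethal's signature — the sibling morpittrust.properties is identical apart from its two truststore entries. A later reader "fixing" the absent truststore here would silently turn the negative test into a positive one, so a comment is worth adding: `# Intentionally no truststore: used by the negative trust-validation tests, so signers not present in Morpit.jks must be rejected`. That Merlin falls back to the keystore for trust when no truststore is configured is inferred from the test design, not visible in this hunk.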
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
new file mode 100644
index 0000000..0056c7d
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
@@ -0,0 +1,23 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=morpit
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Morpit.jks
+org.apache.wss4j.crypto.merlin.truststore.password=password
+org.apache.wss4j.crypto.merlin.truststore.file=keys/Truststore.jks
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
index d3c70c0..a1aaf40 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
@@ -96,6 +96,38 @@ under the License.
</jaxrs:properties>
</jaxrs:server>
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsignegativeserver">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="xmlSigInHandler"/>
+ </jaxrs:providers>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpit.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsignegativeclient">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="xmlSigInHandler"/>
+ </jaxrs:providers>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpittrust.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
<jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsigconstraints">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
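Review bot: The two new endpoints differ only in the signature properties file, and nothing in the config says which one is meant to reject the request and which to accept it and return a response the client cannot trust; a reader could "align" them and break both tests. Add a comment above each, e.g. `<!-- negative test: no truststore, so bethal-signed requests must fail trust validation -->` for xmlsignegativeserver and `<!-- negative test: server trusts bethal but signs its response with morpit, which the client does not trust -->` for xmlsignegativeclient. Both endpoints also reuse the shared `xmlSigInHandler` and `xmlSigOutHandler` beans whose definitions lie outside this hunk, so their exact settings cannot be confirmed here.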
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
index 9ba3bce..2281c60 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
@@ -116,7 +116,39 @@ under the License.
</jaxrs:properties>
</jaxrs:server>
- <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsigconstraints">
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsignegativeserver">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSigInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpit.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsignegativeclient">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSigInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpittrust.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsigconstraints">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
</jaxrs:serviceBeans>