You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2011/11/14 14:00:10 UTC
svn commit: r1201686 - in /cxf/branches/2.4.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/
systests/ws-security/src/test/resources/org/apache/cxf...
Author: coheigea
Date: Mon Nov 14 13:00:10 2011
New Revision: 1201686
URL: http://svn.apache.org/viewvc?rev=1201686&view=rev
Log:
Added a system test for a SAML Token as a SignedEncryptedSupportingToken
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1201686&r1=1201685&r2=1201686&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Mon Nov 14 13:00:10 2011
@@ -146,7 +146,7 @@ public abstract class AbstractBindingBui
protected String mainSigId;
protected List<WSEncryptionPart> sigConfList;
- protected Set<String> encryptedTokensIdList = new HashSet<String>();
+ protected Set<WSEncryptionPart> encryptedTokensList = new HashSet<WSEncryptionPart>();
protected Map<Token, Object> endEncSuppTokMap;
protected Map<Token, Object> endSuppTokMap;
@@ -482,7 +482,9 @@ public abstract class AbstractBindingBui
|| MessageUtils.getContextualBoolean(message,
SecurityConstants.ALWAYS_ENCRYPT_UT,
true)) {
- encryptedTokensIdList.add(utBuilder.getId());
+ WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
+ part.setElement(utBuilder.getUsernameTokenElement());
+ encryptedTokensList.add(part);
}
}
} else if (isRequestor()
@@ -504,7 +506,9 @@ public abstract class AbstractBindingBui
id = id.substring(1);
}
if (suppTokens.isEncryptedToken()) {
- this.encryptedTokensIdList.add(id);
+ WSEncryptionPart part = new WSEncryptionPart(id, "Element");
+ part.setElement(clone);
+ encryptedTokensList.add(part);
}
if (secToken.getX509Certificate() == null) {
@@ -560,20 +564,28 @@ public abstract class AbstractBindingBui
sig.prependBSTElementToHeader(secHeader);
}
if (suppTokens.isEncryptedToken()) {
- encryptedTokensIdList.add(sig.getBSTTokenId());
+ WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
+ encryptedTokensList.add(part);
}
ret.put(token, sig);
} else if (token instanceof KeyValueToken) {
WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
if (suppTokens.isEncryptedToken()) {
- encryptedTokensIdList.add(sig.getBSTTokenId());
+ WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
+ encryptedTokensList.add(part);
}
ret.put(token, sig);
} else if (token instanceof SamlToken) {
AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
if (assertionWrapper != null) {
- addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
+ Element assertionElement = assertionWrapper.toDOM(saaj.getSOAPPart());
+ addSupportingElement(assertionElement);
ret.put(token, assertionWrapper);
+ if (suppTokens.isEncryptedToken()) {
+ WSEncryptionPart part = new WSEncryptionPart(assertionWrapper.getId(), "Element");
+ part.setElement(assertionElement);
+ encryptedTokensList.add(part);
+ }
}
}
}
@@ -1679,7 +1691,8 @@ public abstract class AbstractBindingBui
signatures.add(sig.getSignatureValue());
if (isSigProtect) {
- encryptedTokensIdList.add(sig.getId());
+ WSEncryptionPart part = new WSEncryptionPart(sig.getId(), "Element");
+ encryptedTokensList.add(part);
}
} catch (WSSecurityException e) {
policyNotAsserted(ent.getKey(), e);
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1201686&r1=1201685&r2=1201686&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Mon Nov 14 13:00:10 2011
@@ -173,9 +173,7 @@ public class AsymmetricBindingHandler ex
}
if (isRequestor()) {
- for (String id : encryptedTokensIdList) {
- enc.add(new WSEncryptionPart(id, "Element"));
- }
+ enc.addAll(encryptedTokensList);
}
//Do encryption
@@ -303,9 +301,7 @@ public class AsymmetricBindingHandler ex
}
if (isRequestor()) {
- for (String id : encryptedTokensIdList) {
- secondEncrParts.add(new WSEncryptionPart(id, "Element"));
- }
+ secondEncrParts.addAll(encryptedTokensList);
}
if (encryptionToken.isDerivedKeys() && !secondEncrParts.isEmpty()) {
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1201686&r1=1201685&r2=1201686&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Mon Nov 14 13:00:10 2011
@@ -222,7 +222,7 @@ public class SymmetricBindingHandler ext
//Check for signature protection and encryption of UsernameToken
if (sbinding.isSignatureProtection()
- || encryptedTokensIdList.size() > 0 && isRequestor()) {
+ || encryptedTokensList.size() > 0 && isRequestor()) {
List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
//Now encrypt the signature using the above token
@@ -239,9 +239,7 @@ public class SymmetricBindingHandler ext
}
if (isRequestor()) {
- for (String s : encryptedTokensIdList) {
- secondEncrParts.add(new WSEncryptionPart(s, "Element"));
- }
+ secondEncrParts.addAll(encryptedTokensList);
}
Element secondRefList = null;
@@ -375,9 +373,7 @@ public class SymmetricBindingHandler ext
}
if (isRequestor()) {
- for (String id : encryptedTokensIdList) {
- enc.add(new WSEncryptionPart(id, "Element"));
- }
+ enc.addAll(encryptedTokensList);
}
doEncryption(encrTokenWrapper,
encrTok,
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1201686&r1=1201685&r2=1201686&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java Mon Nov 14 13:00:10 2011
@@ -329,6 +329,32 @@ public class SamlTokenTest extends Abstr
assertTrue(result.equals(BigInteger.valueOf(50)));
}
+
+ @org.junit.Test
+ public void testSaml2OverAsymmetricSignedEncrypted() throws Exception {
+
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+
+ DoubleItPortType saml2Port = service.getDoubleItSaml2AsymmetricSignedEncryptedPort();
+ updateAddressPort(saml2Port, PORT);
+
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", new SamlCallbackHandler()
+ );
+ BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
+ assertTrue(result.equals(BigInteger.valueOf(50)));
+ }
private boolean checkUnrestrictedPoliciesInstalled() {
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1201686&r1=1201685&r2=1201686&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml Mon Nov 14 13:00:10 2011
@@ -132,4 +132,18 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/saml}DoubleItSaml2AsymmetricSignedEncryptedPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ </jaxws:properties>
+ </jaxws:client>
+
</beans>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1201686&r1=1201685&r2=1201686&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml Mon Nov 14 13:00:10 2011
@@ -209,4 +209,28 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="Saml2TokenOverAsymmetricSignedEncrypted"
+ address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncrypted"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort"
+ xmlns:s="http://WSSec/saml"
+ implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.encryption.username" value="alice"/>
+ <entry key="ws-security.saml2.validator"
+ value="org.apache.cxf.systest.ws.saml.server.CustomSaml2Validator"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl?rev=1201686&r1=1201685&r2=1201686&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl Mon Nov 14 13:00:10 2011
@@ -225,6 +225,25 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItSaml2AsymmetricSignedEncryptedBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSaml2AsymmetricSignedEncryptedPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItSaml1TransportPort" binding="tns:DoubleItSaml1TransportBinding">
@@ -256,6 +275,10 @@
binding="tns:DoubleItSaml2SymmetricSignedElementsBinding">
<soap:address location="http://localhost:9001/DoubleItSaml2SymmetricSignedElements" />
</wsdl:port>
+ <wsdl:port name="DoubleItSaml2AsymmetricSignedEncryptedPort"
+ binding="tns:DoubleItSaml2AsymmetricSignedEncryptedBinding">
+ <soap:address location="http://localhost:9001/DoubleItSaml2AsymmetricSignedEncrypted" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
@@ -630,6 +653,67 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItSaml2AsymmetricSignedEncryptedPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:SignedEncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:SamlToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssSamlV20Token11/>
+ </wsp:Policy>
+ </sp:SamlToken>
+ </wsp:Policy>
+ </sp:SignedEncryptedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>