Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/23 16:25:31 UTC
cxf-fediz git commit: Adding a negative HOK system test
Repository: cxf-fediz
Updated Branches:
refs/heads/master fd614ac31 -> bd0fc123e
Adding a negative HOK system test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/bd0fc123
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/bd0fc123
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/bd0fc123
Branch: refs/heads/master
Commit: bd0fc123eeb4104929d02c851cb271a8d7ae2988
Parents: fd614ac
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Apr 23 15:25:19 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Apr 23 15:25:19 2015 +0100
----------------------------------------------------------------------
.../integrationtests/ClientCertificateTest.java | 75 +++++++++++++++++++-
.../src/test/resources/fediz_config.xml | 2 +-
2 files changed, 74 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bd0fc123/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
index 3e60d99..208153a 100644
--- a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
+++ b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
@@ -20,13 +20,20 @@
package org.apache.cxf.fediz.integrationtests;
import java.io.File;
+import java.net.URL;
+import java.util.ArrayList;
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.HttpMethod;
import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebRequest;
import com.gargoylesoftware.htmlunit.html.DomElement;
import com.gargoylesoftware.htmlunit.html.DomNodeList;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+import com.gargoylesoftware.htmlunit.util.NameValuePair;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleState;
@@ -90,7 +97,7 @@ public class ClientCertificateTest {
httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
httpsConnector.setAttribute("truststorePass", "tompass");
httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("clientAuth", "want");
+ httpsConnector.setAttribute("clientAuth", "true");
httpsConnector.setAttribute("sslProtocol", "TLS");
httpsConnector.setAttribute("SSLEnabled", true);
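Review bot: The clientAuth change is made by hand in two connector setups (this hunk and the identical one at the second `@@ -125,7 +132,7 @@` hunk), and the surrounding keystore/truststore/sslProtocol/SSLEnabled lines are already duplicated between them, so the next change to any of these values has to be remembered twice. A private helper such as `private static void configureHttpsConnector(Connector c)` holding the six setAttribute calls would keep both connectors in step. The methods that build these connectors start and end outside the hunk. Presumably `"true"` makes the client certificate mandatory at the TLS layer on the Tomcat connector, so any test in this class that deliberately omits a certificate would now fail in the handshake rather than at the Fediz authentication check; worth stating in a comment on the line, e.g. `// "true" (not "want"): a client cert is required, the negative HOK test relies on this`.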
@@ -125,7 +132,7 @@ public class ClientCertificateTest {
httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
httpsConnector.setAttribute("truststorePass", "tompass");
httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("clientAuth", "want");
+ httpsConnector.setAttribute("clientAuth", "true");
httpsConnector.setAttribute("sslProtocol", "TLS");
httpsConnector.setAttribute("SSLEnabled", true);
@@ -239,4 +246,68 @@ public class ClientCertificateTest {
bodyTextContent.contains(claim + "=alice@realma.org"));
}
+ @org.junit.Test
+ public void testDifferentClientCertificate() throws Exception {
+ // Get the initial wresult from the IdP
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getOptions().setSSLClientCertificate(
+ this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Test the Subject Confirmation method here
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String wresult = null;
+ String wa = "wsignin1.0";
+ String wctx = null;
+ String wtrealm = null;
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ wresult = result.getAttributeNS(null, "value");
+ } else if ("wctx".equals(result.getAttributeNS(null, "name"))) {
+ wctx = result.getAttributeNS(null, "value");
+ } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) {
+ wtrealm = result.getAttributeNS(null, "value");
+ }
+ }
+ Assert.assertTrue(wctx != null && wtrealm != null);
+ Assert.assertTrue(wresult != null
+ && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
+
+ // Now invoke on the RP using the saved parameters above, but a different client cert!
+ final WebClient webClient2 = new WebClient();
+ webClient2.setCookieManager(cookieManager);
+ webClient2.getOptions().setUseInsecureSSL(true);
+ webClient2.getOptions().setSSLClientCertificate(
+ this.getClass().getClassLoader().getResource("server.jks"), "tompass", "jks");
+
+ WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+
+ request.setRequestParameters(new ArrayList<NameValuePair>());
+ request.getRequestParameters().add(new NameValuePair("wctx", wctx));
+ request.getRequestParameters().add(new NameValuePair("wa", wa));
+ request.getRequestParameters().add(new NameValuePair("wtrealm", wtrealm));
+ request.getRequestParameters().add(new NameValuePair("wresult", wresult));
+
+ try {
+ webClient2.getPage(request);
+ Assert.fail("Exception expected");
+ } catch (FailingHttpStatusCodeException ex) {
+ // expected
+ Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
+ || ex.getMessage().contains("401 Authentication Failed")
+ || ex.getMessage().contains("403 Forbidden"));
+ }
+
+ }
+
}
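Review bot: The catch block at the end of testDifferentClientCertificate decides pass/fail by substring-matching `ex.getMessage()` against three status phrases, which couples the test to HtmlUnit's message format and to the container's reason phrase rather than to the status itself; FailingHttpStatusCodeException exposes the numeric code, so `int status = ex.getStatusCode(); Assert.assertTrue("Unexpected status " + status, status == 401 || status == 403);` is the stable check. The second WebClient also deserves a comment saying why the rejection must come from the holder-of-key comparison and not from TLS: server.jks is both the connector's keystore and its truststore, so a client presenting the server.jks certificate passes client authentication and only the SAML subject-confirmation check can yield the 401/403, e.g. `// server.jks is in the connector truststore, so the handshake succeeds; the 401/403 must come from the HOK subject-confirmation check`. Neither WebClient is closed before the method returns (HtmlUnit's closeAllWindows), which may or may not match what the other tests in this class do; worth aligning in a finally block.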
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bd0fc123/systests/clientcert/src/test/resources/fediz_config.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/fediz_config.xml b/systests/clientcert/src/test/resources/fediz_config.xml
index 5add553..8399dfc 100644
--- a/systests/clientcert/src/test/resources/fediz_config.xml
+++ b/systests/clientcert/src/test/resources/fediz_config.xml
@@ -36,7 +36,7 @@
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
</claimTypesRequested>
<authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType>
- <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
+ <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
</protocol>
<logoutURL>/secure/logout</logoutURL>
<logoutRedirectTo>/index.html</logoutRedirectTo>