Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/13 14:04:50 UTC
[1/4] cxf git commit: Adding a new cxf-rt-security-saml module to
remove OpenSAML dependencies from cxf-rt-security
Repository: cxf
Updated Branches:
refs/heads/master 71e9ada9b -> c04c27200
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SAMLClaimsTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SAMLClaimsTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SAMLClaimsTest.java
deleted file mode 100644
index 7238deb..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SAMLClaimsTest.java
+++ /dev/null
@@ -1,212 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.saml;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Set;
-
-import org.w3c.dom.Document;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rt.security.claims.Claim;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.claims.SAMLClaim;
-import org.apache.wss4j.common.saml.SAMLCallback;
-import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.common.saml.bean.AttributeBean;
-import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.junit.Assert;
-
-public class SAMLClaimsTest extends Assert {
-
- @org.junit.Test
- public void testSAML2Claims() throws Exception {
- AttributeBean attributeBean = new AttributeBean();
- attributeBean.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
- attributeBean.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
- attributeBean.addAttributeValue("employee");
-
- SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
- samlCallbackHandler.setAttributes(Collections.singletonList(attributeBean));
-
- // Create the SAML Assertion via the CallbackHandler
- SAMLCallback samlCallback = new SAMLCallback();
- SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
- SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
-
- Document doc = DOMUtils.newDocument();
- samlAssertion.toDOM(doc);
-
- ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
- assertEquals(claims.getDialect().toString(),
- "http://schemas.xmlsoap.org/ws/2005/05/identity");
- assertEquals(1, claims.size());
-
- // Check Claim values
- Claim claim = claims.get(0);
- assertEquals(claim.getClaimType(), URI.create(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT));
- assertEquals(1, claim.getValues().size());
- assertTrue(claim.getValues().contains("employee"));
-
- // Check SAMLClaim values
- assertTrue(claim instanceof SAMLClaim);
- assertEquals(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT, ((SAMLClaim)claim).getName());
- assertEquals(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED, ((SAMLClaim)claim).getNameFormat());
-
- // Check roles
- Set<Principal> roles =
- SAMLUtils.parseRolesFromClaims(claims,
- SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
- assertEquals(1, roles.size());
- Principal p = roles.iterator().next();
- assertEquals("employee", p.getName());
- }
-
- @org.junit.Test
- public void testSAML2MultipleRoles() throws Exception {
- AttributeBean attributeBean = new AttributeBean();
- attributeBean.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
- attributeBean.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
- attributeBean.addAttributeValue("employee");
- attributeBean.addAttributeValue("boss");
-
- SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
- samlCallbackHandler.setAttributes(Collections.singletonList(attributeBean));
-
- // Create the SAML Assertion via the CallbackHandler
- SAMLCallback samlCallback = new SAMLCallback();
- SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
- SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
-
- Document doc = DOMUtils.newDocument();
- samlAssertion.toDOM(doc);
-
- ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
- assertEquals(claims.getDialect().toString(),
- "http://schemas.xmlsoap.org/ws/2005/05/identity");
- assertEquals(1, claims.size());
-
- // Check Claim values
- Claim claim = claims.get(0);
- assertEquals(claim.getClaimType(), URI.create(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT));
- assertEquals(2, claim.getValues().size());
- assertTrue(claim.getValues().contains("employee"));
- assertTrue(claim.getValues().contains("boss"));
-
- // Check SAMLClaim values
- assertTrue(claim instanceof SAMLClaim);
- assertEquals(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT, ((SAMLClaim)claim).getName());
- assertEquals(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED, ((SAMLClaim)claim).getNameFormat());
-
- // Check roles
- Set<Principal> roles =
- SAMLUtils.parseRolesFromClaims(claims,
- SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
- assertEquals(2, roles.size());
- }
-
- @org.junit.Test
- public void testSAML2MultipleClaims() throws Exception {
- AttributeBean attributeBean = new AttributeBean();
- attributeBean.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
- attributeBean.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
- attributeBean.addAttributeValue("employee");
-
- AttributeBean attributeBean2 = new AttributeBean();
- attributeBean2.setQualifiedName(
- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
- attributeBean2.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
- attributeBean2.addAttributeValue("smith");
-
- SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
- List<AttributeBean> attributes = new ArrayList<AttributeBean>();
- attributes.add(attributeBean);
- attributes.add(attributeBean2);
- samlCallbackHandler.setAttributes(attributes);
-
- // Create the SAML Assertion via the CallbackHandler
- SAMLCallback samlCallback = new SAMLCallback();
- SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
- SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
-
- Document doc = DOMUtils.newDocument();
- samlAssertion.toDOM(doc);
-
- ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
- assertEquals(claims.getDialect().toString(),
- "http://schemas.xmlsoap.org/ws/2005/05/identity");
- assertEquals(2, claims.size());
-
- // Check roles
- Set<Principal> roles =
- SAMLUtils.parseRolesFromClaims(claims,
- SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
- assertEquals(1, roles.size());
- Principal p = roles.iterator().next();
- assertEquals("employee", p.getName());
- }
-
- @org.junit.Test
- public void testSAML1Claims() throws Exception {
- AttributeBean attributeBean = new AttributeBean();
- attributeBean.setSimpleName("role");
- attributeBean.setQualifiedName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims");
- attributeBean.addAttributeValue("employee");
-
- SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(false);
- samlCallbackHandler.setAttributes(Collections.singletonList(attributeBean));
-
- // Create the SAML Assertion via the CallbackHandler
- SAMLCallback samlCallback = new SAMLCallback();
- SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
- SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
-
- Document doc = DOMUtils.newDocument();
- samlAssertion.toDOM(doc);
-
- ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
- assertEquals(claims.getDialect().toString(),
- "http://schemas.xmlsoap.org/ws/2005/05/identity");
- assertEquals(1, claims.size());
-
- // Check Claim values
- Claim claim = claims.get(0);
- assertEquals(claim.getClaimType(), URI.create(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT));
- assertEquals(1, claim.getValues().size());
- assertTrue(claim.getValues().contains("employee"));
-
- // Check SAMLClaim values
- assertTrue(claim instanceof SAMLClaim);
- assertEquals("role", ((SAMLClaim)claim).getName());
-
- // Check roles
- Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, "role", null);
- assertEquals(1, roles.size());
- Principal p = roles.iterator().next();
- assertEquals("employee", p.getName());
-
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java b/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java
deleted file mode 100644
index 6703ac5..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java
+++ /dev/null
@@ -1,99 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml;
-
-import java.io.IOException;
-import java.util.Collections;
-import java.util.List;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-
-import org.apache.wss4j.common.saml.SAMLCallback;
-import org.apache.wss4j.common.saml.bean.AttributeBean;
-import org.apache.wss4j.common.saml.bean.AttributeStatementBean;
-import org.apache.wss4j.common.saml.bean.SubjectBean;
-import org.apache.wss4j.common.saml.bean.Version;
-import org.apache.wss4j.common.saml.builder.SAML1Constants;
-import org.apache.wss4j.common.saml.builder.SAML2Constants;
-
-/**
- * A CallbackHandler instance to mock up a SAML Attribute Assertion.
- */
-public class SamlCallbackHandler implements CallbackHandler {
- private boolean saml2 = true;
- private String confirmationMethod = SAML2Constants.CONF_BEARER;
- private List<AttributeBean> attributes;
-
- public SamlCallbackHandler() {
- //
- }
-
- public SamlCallbackHandler(boolean saml2) {
- this.saml2 = saml2;
- }
-
- public void setConfirmationMethod(String confirmationMethod) {
- this.confirmationMethod = confirmationMethod;
- }
-
- public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
- for (int i = 0; i < callbacks.length; i++) {
- if (callbacks[i] instanceof SAMLCallback) {
- SAMLCallback callback = (SAMLCallback) callbacks[i];
- if (saml2) {
- callback.setSamlVersion(Version.SAML_20);
- } else {
- callback.setSamlVersion(Version.SAML_11);
- }
-
- callback.setIssuer("sts");
- String subjectName = "uid=sts-client,o=mock-sts.com";
- String subjectQualifier = "www.mock-sts.com";
- if (!saml2 && SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) {
- confirmationMethod = SAML1Constants.CONF_SENDER_VOUCHES;
- }
- SubjectBean subjectBean =
- new SubjectBean(
- subjectName, subjectQualifier, confirmationMethod
- );
- callback.setSubject(subjectBean);
-
- if (attributes != null) {
- AttributeStatementBean attrBean = new AttributeStatementBean();
- attrBean.setSubject(subjectBean);
- attrBean.setSamlAttributes(attributes);
- callback.setAttributeStatementData(Collections.singletonList(attrBean));
- }
-
- }
- }
- }
-
- public List<AttributeBean> getAttributes() {
- return attributes;
- }
-
- public void setAttributes(List<AttributeBean> attributes) {
- this.attributes = attributes;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java
deleted file mode 100644
index 45222b3..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java
+++ /dev/null
@@ -1,153 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.List;
-
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rt.security.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.DecisionType;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusCodeType;
-import org.opensaml.xacml.ctx.StatusType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * A test implementation of AbstractXACMLAuthorizingInterceptor. It just mocks up a Response
- * object based on the role of the Subject. If the role is "manager" then it permits the
- * request, otherwise it denies it.
- */
-public class DummyPDP implements PolicyDecisionPoint {
-
- public Source evaluate(Source requestSource) {
- RequestType request = requestSourceToRequestType(requestSource);
- String role = getSubjectRole(request);
- DECISION decision = "manager".equals(role) ? DecisionType.DECISION.Permit : DecisionType.DECISION.Deny;
- ResponseType response = createResponse(decision);
- return responseType2Source(response);
- }
-
- private RequestType requestSourceToRequestType(Source requestSource) {
- try {
- Transformer trans = TransformerFactory.newInstance().newTransformer();
- DOMResult res = new DOMResult();
- trans.transform(requestSource, res);
- Node nd = res.getNode();
- if (nd instanceof Document) {
- nd = ((Document)nd).getDocumentElement();
- }
- return (RequestType)OpenSAMLUtil.fromDom((Element)nd);
- } catch (Exception e) {
- throw new RuntimeException("Error converting pdp response to ResponseType", e);
- }
- }
-
- private Source responseType2Source(ResponseType response) {
- Document doc = DOMUtils.createDocument();
- Element responseElement;
- try {
- responseElement = OpenSAMLUtil.toDom(response, doc);
- } catch (WSSecurityException e) {
- throw new RuntimeException("Error converting PDP RequestType to Dom", e);
- }
- return new DOMSource(responseElement);
- }
-
- private ResponseType createResponse(DECISION decision) {
- XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<ResponseType> responseTypeBuilder =
- (XACMLObjectBuilder<ResponseType>)
- builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<ResultType> resultTypeBuilder =
- (XACMLObjectBuilder<ResultType>)
- builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<DecisionType> decisionTypeBuilder =
- (XACMLObjectBuilder<DecisionType>)
- builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<StatusType> statusTypeBuilder =
- (XACMLObjectBuilder<StatusType>)
- builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<StatusCodeType> statusCodeTypeBuilder =
- (XACMLObjectBuilder<StatusCodeType>)
- builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
-
- ResultType result = resultTypeBuilder.buildObject();
-
- DecisionType decisionType = decisionTypeBuilder.buildObject();
- decisionType.setDecision(decision);
- result.setDecision(decisionType);
-
- StatusType status = statusTypeBuilder.buildObject();
- StatusCodeType statusCode = statusCodeTypeBuilder.buildObject();
- statusCode.setValue("urn:oasis:names:tc:xacml:1.0:status:ok");
- status.setStatusCode(statusCode);
- result.setStatus(status);
-
- ResponseType response = responseTypeBuilder.buildObject();
- response.getResults().add(result);
- return response;
- }
-
- private String getSubjectRole(RequestType request) {
- List<SubjectType> subjects = request.getSubjects();
- if (subjects != null) {
- for (SubjectType subject : subjects) {
- List<AttributeType> attributes = subject.getAttributes();
- if (attributes != null) {
- for (AttributeType attribute : attributes) {
- if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeId())) {
- return attribute.getAttributeValues().get(0).getValue();
- }
- }
- }
- }
- }
- return null;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java
deleted file mode 100644
index 1b4c84b..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java
+++ /dev/null
@@ -1,222 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.joda.time.DateTime;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-
-/**
- * Some unit tests to create a XACML Request using the RequestComponentBuilder.
- */
-public class RequestComponentBuilderTest extends org.junit.Assert {
-
- private DocumentBuilder docBuilder;
- static {
- OpenSAMLUtil.initSamlEngine();
- }
-
- public RequestComponentBuilderTest() throws ParserConfigurationException {
- DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
- docBuilderFactory.setNamespaceAware(true);
- docBuilder = docBuilderFactory.newDocumentBuilder();
- }
-
- @org.junit.Test
- public void testCreateXACMLRequest() throws Exception {
- Document doc = docBuilder.newDocument();
-
- // Subject
- AttributeValueType subjectIdAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "alice-user@apache.org"
- );
- AttributeType subjectIdAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ID,
- XACMLConstants.RFC_822_NAME,
- null,
- Collections.singletonList(subjectIdAttributeValue)
- );
-
- AttributeValueType subjectGroupAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "manager"
- );
- AttributeType subjectGroupAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- "admin-user@apache.org",
- Collections.singletonList(subjectGroupAttributeValue)
- );
- List<AttributeType> attributes = new ArrayList<AttributeType>();
- attributes.add(subjectIdAttribute);
- attributes.add(subjectGroupAttribute);
- SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
-
- // Resource
- AttributeValueType resourceAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "{http://www.example.org/contract/DoubleIt}DoubleIt"
- );
- AttributeType resourceAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.RESOURCE_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(resourceAttributeValue)
- );
- attributes.clear();
- attributes.add(resourceAttribute);
- ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
-
- // Action
- AttributeValueType actionAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "execute"
- );
- AttributeType actionAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.ACTION_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(actionAttributeValue)
- );
- attributes.clear();
- attributes.add(actionAttribute);
- ActionType action = RequestComponentBuilder.createActionType(attributes);
-
- // Request
- RequestType request =
- RequestComponentBuilder.createRequestType(
- Collections.singletonList(subject),
- Collections.singletonList(resource),
- action,
- null
- );
-
- Element policyElement = OpenSAMLUtil.toDom(request, doc);
- // String outputString = DOM2Writer.nodeToString(policyElement);
- assertNotNull(policyElement);
- }
-
- @org.junit.Test
- public void testEnvironment() throws Exception {
- Document doc = docBuilder.newDocument();
-
- // Subject
- AttributeValueType subjectIdAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "alice-user@apache.org"
- );
- AttributeType subjectIdAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ID,
- XACMLConstants.RFC_822_NAME,
- null,
- Collections.singletonList(subjectIdAttributeValue)
- );
-
- List<AttributeType> attributes = new ArrayList<AttributeType>();
- attributes.add(subjectIdAttribute);
- SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
-
- // Resource
- AttributeValueType resourceAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "{http://www.example.org/contract/DoubleIt}DoubleIt"
- );
- AttributeType resourceAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.RESOURCE_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(resourceAttributeValue)
- );
- attributes.clear();
- attributes.add(resourceAttribute);
- ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
-
- // Action
- AttributeValueType actionAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "execute"
- );
- AttributeType actionAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.ACTION_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(actionAttributeValue)
- );
- attributes.clear();
- attributes.add(actionAttribute);
- ActionType action = RequestComponentBuilder.createActionType(attributes);
-
- // Environment
- DateTime dateTime = new DateTime();
- AttributeValueType environmentAttributeValue =
- RequestComponentBuilder.createAttributeValueType(dateTime.toString());
- AttributeType environmentAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.CURRENT_DATETIME,
- XACMLConstants.XS_DATETIME,
- null,
- Collections.singletonList(environmentAttributeValue)
- );
- attributes.clear();
- attributes.add(environmentAttribute);
- EnvironmentType environmentType =
- RequestComponentBuilder.createEnvironmentType(attributes);
-
- // Request
- RequestType request =
- RequestComponentBuilder.createRequestType(
- Collections.singletonList(subject),
- Collections.singletonList(resource),
- action,
- environmentType
- );
-
- Element policyElement = OpenSAMLUtil.toDom(request, doc);
- // String outputString = DOM2Writer.nodeToString(policyElement);
- assertNotNull(policyElement);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java
deleted file mode 100644
index be485f3..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java
+++ /dev/null
@@ -1,153 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
-import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
-
-
-/**
- * Some unit tests for creating a SAML XACML Request.
- */
-public class SamlRequestComponentBuilderTest extends org.junit.Assert {
-
- private DocumentBuilder docBuilder;
- static {
- OpenSAMLUtil.initSamlEngine();
- }
-
- public SamlRequestComponentBuilderTest() throws ParserConfigurationException {
- DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
- docBuilderFactory.setNamespaceAware(true);
- docBuilder = docBuilderFactory.newDocumentBuilder();
- }
-
- @org.junit.Test
- public void testCreateXACMLSamlAuthzQueryRequest() throws Exception {
- Document doc = docBuilder.newDocument();
-
- //
- // Create XACML request
- //
-
- // Subject
- AttributeValueType subjectIdAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "alice-user@apache.org"
- );
- AttributeType subjectIdAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ID,
- XACMLConstants.RFC_822_NAME,
- null,
- Collections.singletonList(subjectIdAttributeValue)
- );
-
- AttributeValueType subjectGroupAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "manager"
- );
- AttributeType subjectGroupAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- "admin-user@apache.org",
- Collections.singletonList(subjectGroupAttributeValue)
- );
- List<AttributeType> attributes = new ArrayList<AttributeType>();
- attributes.add(subjectIdAttribute);
- attributes.add(subjectGroupAttribute);
- SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
-
- // Resource
- AttributeValueType resourceAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "{http://www.example.org/contract/DoubleIt}DoubleIt"
- );
- AttributeType resourceAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.RESOURCE_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(resourceAttributeValue)
- );
- attributes.clear();
- attributes.add(resourceAttribute);
- ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
-
- // Action
- AttributeValueType actionAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "execute"
- );
- AttributeType actionAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.ACTION_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(actionAttributeValue)
- );
- attributes.clear();
- attributes.add(actionAttribute);
- ActionType action = RequestComponentBuilder.createActionType(attributes);
-
- // Request
- RequestType request =
- RequestComponentBuilder.createRequestType(
- Collections.singletonList(subject),
- Collections.singletonList(resource),
- action,
- null
- );
-
- //
- // Create SAML wrapper
- //
-
- XACMLAuthzDecisionQueryType authzQuery =
- SamlRequestComponentBuilder.createAuthzDecisionQuery(
- "Issuer", request, SAMLProfileConstants.SAML20XACML20P_NS
- );
-
- Element policyElement = OpenSAMLUtil.toDom(authzQuery, doc);
- // String outputString = DOM2Writer.nodeToString(policyElement);
- assertNotNull(policyElement);
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
deleted file mode 100644
index ce231c5..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.rt.security.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-
-
-/**
- * Some unit tests to test the AbstractXACMLAuthorizingInterceptor.
- */
-public class XACMLAuthorizingInterceptorTest extends org.junit.Assert {
-
- static {
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- @SuppressWarnings("deprecation")
- @org.junit.Test
- public void testPermit() throws Exception {
- // Mock up a Security Context
- SecurityContext sc = createSecurityContext("alice", "manager");
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURI = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURI);
- msg.put(SecurityContext.class, sc);
-
- PolicyDecisionPoint pdp = new DummyPDP();
- XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
- authorizingInterceptor.handleMessage(msg);
- }
-
- @SuppressWarnings("deprecation")
- @org.junit.Test
- public void testDeny() throws Exception {
- // Mock up a Security Context
- SecurityContext sc = createSecurityContext("alice", "boss");
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURI = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURI);
- msg.put(SecurityContext.class, sc);
-
- PolicyDecisionPoint pdp = new DummyPDP();
- XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
-
- try {
- authorizingInterceptor.handleMessage(msg);
- fail("Failure expected on deny");
- } catch (Exception ex) {
- // Failure expected
- }
- }
-
- private SecurityContext createSecurityContext(final String user, final String role) {
- return new LoginSecurityContext() {
-
- @Override
- public Principal getUserPrincipal() {
- return new Principal() {
- public String getName() {
- return user;
- }
- };
- }
-
- @Override
- public boolean isUserInRole(String role) {
- return false;
- }
-
- @Override
- public Subject getSubject() {
- return null;
- }
-
- @Override
- public Set<Principal> getUserRoles() {
- Set<Principal> principals = new HashSet<Principal>();
- principals.add(new Principal() {
- public String getName() {
- return role;
- }
- });
- return principals;
- }
-
- };
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
deleted file mode 100644
index 29ab5d5..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
+++ /dev/null
@@ -1,307 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-
-
-/**
- * Some unit tests to create a XACML Request via the XACMLRequestBuilder interface.
- */
-public class XACMLRequestBuilderTest extends org.junit.Assert {
-
- static {
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- @org.junit.Test
- public void testXACMLRequestBuilder() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- }
-
-
- @org.junit.Test
- public void testAction() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURL);
-
- DefaultXACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- String action =
- request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
- assertEquals("execute", action);
-
- builder.setAction("write");
- request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- action =
- request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
- assertEquals("write", action);
- }
-
- @org.junit.Test
- public void testEnvironment() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- assertFalse(request.getEnvironment().getAttributes().isEmpty());
-
- ((DefaultXACMLRequestBuilder)builder).setSendDateTime(false);
- request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- assertTrue(request.getEnvironment().getAttributes().isEmpty());
- }
-
- @org.junit.Test
- public void testSOAPResource() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(4, resource.getAttributes().size());
-
- boolean resourceIdSatisfied = false;
- boolean soapServiceSatisfied = false;
- boolean soapOperationSatisfied = false;
- boolean resourceURISatisfied = false;
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
- && "{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt".equals(
- attributeValue)) {
- resourceIdSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
- && service.equals(attributeValue)) {
- soapServiceSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
- && operation.equals(attributeValue)) {
- soapOperationSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
- && resourceURL.equals(attributeValue)) {
- resourceURISatisfied = true;
- }
- }
-
- assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
- && resourceURISatisfied);
- }
-
- @org.junit.Test
- public void testSOAPResourceDifferentNamespace() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleItService}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(4, resource.getAttributes().size());
-
- boolean resourceIdSatisfied = false;
- boolean soapServiceSatisfied = false;
- boolean soapOperationSatisfied = false;
- boolean resourceURISatisfied = false;
- String expectedResourceId =
- service + "#" + operation;
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
- && expectedResourceId.equals(attributeValue)) {
- resourceIdSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
- && service.equals(attributeValue)) {
- soapServiceSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
- && operation.equals(attributeValue)) {
- soapOperationSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
- && resourceURL.equals(attributeValue)) {
- resourceURISatisfied = true;
- }
- }
-
- assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
- && resourceURISatisfied);
- }
-
- @org.junit.Test
- public void testRESTResource() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- MessageImpl msg = new MessageImpl();
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(1, resource.getAttributes().size());
-
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- assertEquals(attributeValue, resourceURL);
- }
- }
-
- @org.junit.Test
- public void testRESTResourceTruncatedURI() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- MessageImpl msg = new MessageImpl();
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
- String resourceURI = "/doubleit";
- msg.put(Message.REQUEST_URI, resourceURI);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(false);
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(1, resource.getAttributes().size());
-
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- assertEquals(attributeValue, resourceURI);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/ws/security/pom.xml
----------------------------------------------------------------------
diff --git a/rt/ws/security/pom.xml b/rt/ws/security/pom.xml
index ed2ab38..e1f2b9c 100644
--- a/rt/ws/security/pom.xml
+++ b/rt/ws/security/pom.xml
@@ -49,7 +49,7 @@
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
- <artifactId>cxf-rt-security</artifactId>
+ <artifactId>cxf-rt-security-saml</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
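Review bot: Swapping the cxf-rt-security dependency for cxf-rt-security-saml leaves rt/ws/security relying on a transitive edge for classes that stay in the old module: the later hunks in this commit still import `org.apache.cxf.rt.security.claims.ClaimCollection` (AuthPolicyValidatingInterceptor, STSLoginModule, StaxSecurityContextInInterceptor, UsernameTokenInterceptor, WSS4JInInterceptor, DefaultSAMLRoleParser) and `org.apache.cxf.rt.security.utils.SecurityUtils` (UsernameTokenInterceptor, WSS4JInInterceptor), none of which moved into the saml package. Whether cxf-rt-security-saml re-exports cxf-rt-security at compile scope is not visible here; if that edge is ever narrowed or made optional, this module stops compiling without any change of its own. Consider keeping the original `<artifactId>cxf-rt-security</artifactId>` dependency entry alongside the new one rather than replacing it, so the direct usage is declared explicitly. The enclosing dependencies list continues outside the hunk.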
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
index 5ea8ec8..061febd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
@@ -24,7 +24,6 @@ import java.util.Set;
import java.util.logging.Logger;
import org.w3c.dom.Document;
-
import org.apache.cxf.common.i18n.BundleUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
@@ -34,8 +33,8 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
index ec4e816..0410e49 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
@@ -40,7 +40,6 @@ import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
-
import org.w3c.dom.Document;
import org.apache.cxf.Bus;
import org.apache.cxf.BusException;
@@ -54,7 +53,7 @@ import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.EHCacheTokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
index 12d8299..9f7d7b1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
@@ -33,8 +33,8 @@ import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
index e7eb8e1..345e237 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
@@ -39,8 +39,8 @@ import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.policy.AssertionInfo;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index af43f97..111c93f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -45,7 +45,6 @@ import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
-
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
@@ -61,8 +60,8 @@ import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
index b76cce9..21a94f9 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
@@ -24,8 +24,8 @@ import java.util.Set;
import javax.security.auth.Subject;
import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
/**
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
index 4e22422..cd5d734 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
@@ -31,7 +31,7 @@ import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
-import org.apache.cxf.rt.security.claims.SAMLClaim;
+import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.bean.ActionBean;
import org.apache.wss4j.common.saml.bean.AttributeBean;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
index 9e35949..2d03211 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
@@ -31,7 +31,7 @@ import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
-import org.apache.cxf.rt.security.claims.SAMLClaim;
+import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSSecurityException;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
index 2cc75f2..d178cb7 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
@@ -34,7 +34,7 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.SecurityUtils;
-import org.apache.cxf.rt.security.claims.SAMLClaim;
+import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.saml.SAMLCallback;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java
index 4e27b22..d149db1 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java
@@ -31,8 +31,8 @@ import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rt.security.xacml.XACMLConstants;
-import org.apache.cxf.rt.security.xacml.pdp.api.PolicyDecisionPoint;
+import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
+import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
index 14a803a..3b74a14 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -230,7 +230,7 @@
</jaxws:features>
</jaxws:endpoint>
<bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" />
- <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
+ <bean class="org.apache.cxf.rt.security.saml.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
<constructor-arg ref="MockPDP"/>
</bean>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
index ce0eb3f..7dd9388 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
@@ -253,7 +253,7 @@
</jaxws:features>
</jaxws:endpoint>
<bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" />
- <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
+ <bean class="org.apache.cxf.rt.security.saml.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
<constructor-arg ref="MockPDP"/>
</bean>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
[3/4] cxf git commit: Adding a new cxf-rt-security-saml module to
remove OpenSAML dependencies from cxf-rt-security
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLConstants.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLConstants.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLConstants.java
new file mode 100644
index 0000000..1087280
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLConstants.java
@@ -0,0 +1,206 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+
+
+/**
+ * XACML 1.x and 2.0 Constants.
+ */
+public final class XACMLConstants {
+
+ //
+ // Attributes
+ //
+
+ public static final String CURRENT_TIME =
+ "urn:oasis:names:tc:xacml:1.0:environment:current-time";
+ public static final String CURRENT_DATE =
+ "urn:oasis:names:tc:xacml:1.0:environment:current-date";
+ public static final String CURRENT_DATETIME =
+ "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime";
+
+ //
+ // Identifiers
+ //
+
+ public static final String SUBJECT_DNS_NAME =
+ "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name";
+ public static final String SUBJECT_IP_ADDR =
+ "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address";
+ public static final String SUBJECT_AUTHN_METHOD =
+ "urn:oasis:names:tc:xacml:1.0:subject:authentication-method";
+ public static final String SUBJECT_AUTHN_TIME =
+ "urn:oasis:names:tc:xacml:1.0:subject:authentication-time";
+ public static final String SUBJECT_KEY_INFO =
+ "urn:oasis:names:tc:xacml:1.0:subject:key-info";
+ public static final String SUBJECT_REQ_TIME =
+ "urn:oasis:names:tc:xacml:1.0:subject:request-time";
+ public static final String SUBJECT_START_TIME =
+ "urn:oasis:names:tc:xacml:1.0:subject:session-start-time";
+ public static final String SUBJECT_ID =
+ "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
+ public static final String SUBJECT_ID_QUALIFIER =
+ "urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier";
+ public static final String SUBJECT_CAT_ACCESS_SUBJECT =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
+ public static final String SUBJECT_CAT_CODEBASE =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:codebase";
+ public static final String SUBJECT_CAT_INTERMED_SUBJECT =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject";
+ public static final String SUBJECT_CAT_REC_SUBJECT =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject";
+ public static final String SUBJECT_CAT_REQ_MACHINE =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine";
+ public static final String RESOURCE_LOC =
+ "urn:oasis:names:tc:xacml:1.0:resource:resource-location";
+ public static final String RESOURCE_ID =
+ "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
+
+ // Non-standard (CXF-specific) tags for sending information about SOAP services to the PDP
+ public static final String RESOURCE_WSDL_OPERATION_ID =
+ "urn:cxf:apache:org:wsdl:operation-id";
+ public static final String RESOURCE_WSDL_SERVICE_ID =
+ "urn:cxf:apache:org:wsdl:service-id";
+ public static final String RESOURCE_WSDL_ENDPOINT =
+ "urn:cxf:apache:org:wsdl:endpoint";
+
+ public static final String RESOURCE_FILE_NAME =
+ "urn:oasis:names:tc:xacml:1.0:resource:simple-file-name";
+ public static final String ACTION_ID =
+ "urn:oasis:names:tc:xacml:1.0:action:action-id";
+ public static final String ACTION_IMPLIED =
+ "urn:oasis:names:tc:xacml:1.0:action:implied-action";
+ public static final String SUBJECT_ROLE =
+ "urn:oasis:names:tc:xacml:2.0:subject:role";
+
+
+ //
+ // Datatypes
+ //
+
+ public static final String XS_STRING =
+ "http://www.w3.org/2001/XMLSchema#string";
+ public static final String XS_BOOLEAN =
+ "http://www.w3.org/2001/XMLSchema#boolean";
+ public static final String XS_INT =
+ "http://www.w3.org/2001/XMLSchema#integer";
+ public static final String XS_DOUBLE =
+ "http://www.w3.org/2001/XMLSchema#double";
+ public static final String XS_TIME =
+ "http://www.w3.org/2001/XMLSchema#time";
+ public static final String XS_DATE =
+ "http://www.w3.org/2001/XMLSchema#date";
+ public static final String XS_DATETIME =
+ "http://www.w3.org/2001/XMLSchema#dateTime";
+ public static final String XS_ANY_URI =
+ "http://www.w3.org/2001/XMLSchema#anyURI";
+ public static final String XS_HEX =
+ "http://www.w3.org/2001/XMLSchema#hexBinary";
+ public static final String XS_BASE64 =
+ "http://www.w3.org/2001/XMLSchema#base64Binary";
+ public static final String RFC_822_NAME =
+ "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name";
+ public static final String X500_NAME =
+ "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
+
+ //
+ // Functions
+ //
+ public static final String FUNC_STRING_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:string-equal";
+ public static final String FUNC_BOOL_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:boolean-equal";
+ public static final String FUNC_INT_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-equal";
+ public static final String FUNC_DOUBLE_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:double-equal";
+ public static final String FUNC_DATE_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:date-equal";
+ public static final String FUNC_TIME_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:time-equal";
+ public static final String FUNC_DATETIME_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-equal";
+ public static final String FUNC_ANY_URI_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal";
+ public static final String FUNC_X500_NAME_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:x500Name-equal";
+ public static final String FUNC_RFC_822_NAME_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal";
+ public static final String FUNC_HEX_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal";
+ public static final String FUNC_BASE64_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal";
+
+ public static final String FUNC_INT_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than";
+ public static final String FUNC_INT_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal";
+ public static final String FUNC_INT_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-less-than";
+ public static final String FUNC_INT_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal";
+ public static final String FUNC_DOUBLE_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:double-greater-than";
+ public static final String FUNC_DOUBLE_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal";
+ public static final String FUNC_DOUBLE_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:double-less-than";
+ public static final String FUNC_DOUBLE_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal";
+
+ public static final String FUNC_STRING_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:string-greater-than";
+ public static final String FUNC_STRING_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal";
+ public static final String FUNC_STRING_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:string-less-than";
+ public static final String FUNC_STRING_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal";
+ public static final String FUNC_TIME_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:time-greater-than";
+ public static final String FUNC_TIME_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal";
+ public static final String FUNC_TIME_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:time-less-than";
+ public static final String FUNC_TIME_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal";
+ public static final String FUNC_DATETIME_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than";
+ public static final String FUNC_DATETIME_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal";
+ public static final String FUNC_DATETIME_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than";
+ public static final String FUNC_DATETIME_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal";
+ public static final String FUNC_DATE_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:date-greater-than";
+ public static final String FUNC_DATE_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal";
+ public static final String FUNC_DATE_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:date-less-than";
+ public static final String FUNC_DATE_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal";
+
+
+ private XACMLConstants() {
+ // complete
+ }
+}
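Review bot: `XS_INT` in the Datatypes section is bound to `http://www.w3.org/2001/XMLSchema#integer`, which is the unbounded xs:integer type and not xs:int, so the name invites policy authors to assume 32-bit range semantics; `FUNC_INT_EQUAL`, `FUNC_INT_GT` and the other `FUNC_INT_*` constants name the `integer-*` functions the same way. Renaming public constants would break callers, so the compatible fix is a Javadoc line on `XS_INT`: `/** The XACML {@code xs:integer} datatype (unbounded; not {@code xs:int}). */`, with a similar remark on the first `FUNC_INT_*` constant. The private constructor's `// complete` comment says nothing; `// constants holder, not instantiable` states the intent.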
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
new file mode 100644
index 0000000..d3bd32c
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.security.Principal;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.opensaml.xacml.ctx.RequestType;
+
+
+/**
+ * This interface defines a way to create an XACML Request.
+ */
+public interface XACMLRequestBuilder {
+
+ /**
+ * Create an XACML Request given a Principal, list of roles and Message.
+ *
+ * @param principal The principal to insert into the Subject of the Request
+ * @param roles The list of roles associated with the principal
+ * @param message The Message from which to retrieve the resource
+ * @return An OpenSAML RequestType object
+ * @throws Exception
+ */
+ RequestType createRequest(Principal principal, List<String> roles, Message message) throws Exception;
+
+ /**
+ * Return the list of Resources that have been inserted into the Request.
+ *
+ * @param message The Message from which to retrieve the resource
+ * @return the list of Resources that have been inserted into the Request
+ */
+ @Deprecated
+ List<String> getResources(Message message);
+
+ /**
+ * Return the Resource that has been inserted into the Request.
+ *
+ * @param message The Message from which to retrieve the resource
+ * @return the Resource that has been inserted into the Request
+ */
+ @Deprecated
+ String getResource(Message message);
+}
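Review bot: `getResources` and `getResource` are marked `@Deprecated` but their Javadoc carries no `@deprecated` tag, so implementors of this new module get no hint about what replaces them or when they will go; add `@deprecated` with the successor named (the successor is not visible in this hunk, so fill in `<REPLACEMENT>` after confirming it), per the `@Deprecated`/`@deprecated` pairing convention. `createRequest` declares `throws Exception` and its `@throws Exception` tag is empty; documenting the conditions under which request building fails (or narrowing to the concrete exception types) would let the calling interceptor distinguish a malformed inbound message from a local configuration error instead of handling both the same way.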
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pdp/api/PolicyDecisionPoint.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pdp/api/PolicyDecisionPoint.java
new file mode 100644
index 0000000..80e1623
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pdp/api/PolicyDecisionPoint.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.xacml.pdp.api;
+
+import javax.xml.transform.Source;
+
+/**
+ * An interface that describes a PolicyDecisionPoint (PDP).
+ */
+public interface PolicyDecisionPoint {
+
+ /**
+ * Evaluate an XACML Request and return a Response
+ * @param request an XACML Request as a Source
+ * @return the XACML Response as a Source
+ */
+ Source evaluate(Source request);
+
+}
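Review bot: the `evaluate` Javadoc documents only the success path; it says nothing about whether an implementation may return `null` or what it does when the request cannot be evaluated, and for an authorization decision point that gap is what lets a caller fall through to a permissive default. One sentence pins the contract: `Implementations must not return {@code null}; a request that cannot be evaluated must raise an exception so that the caller treats the outcome as a denial.` Whether the consuming interceptor already fails closed on a null response is not visible in this hunk, so confirm before relying on it. The request is also accepted as a raw `Source` with no statement on which side validates the XACML document; a line assigning that responsibility would help implementors.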
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/claims/SAMLClaimsTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/claims/SAMLClaimsTest.java
new file mode 100644
index 0000000..3b66e12
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/claims/SAMLClaimsTest.java
@@ -0,0 +1,212 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.claims;
+
+import java.net.URI;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+import org.w3c.dom.Document;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.rt.security.claims.Claim;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.bean.AttributeBean;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.junit.Assert;
+
+public class SAMLClaimsTest extends Assert {
+
+ @org.junit.Test
+ public void testSAML2Claims() throws Exception {
+ AttributeBean attributeBean = new AttributeBean();
+ attributeBean.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
+ attributeBean.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+ attributeBean.addAttributeValue("employee");
+
+ SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
+ samlCallbackHandler.setAttributes(Collections.singletonList(attributeBean));
+
+ // Create the SAML Assertion via the CallbackHandler
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
+ SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ Document doc = DOMUtils.newDocument();
+ samlAssertion.toDOM(doc);
+
+ ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
+ assertEquals(claims.getDialect().toString(),
+ "http://schemas.xmlsoap.org/ws/2005/05/identity");
+ assertEquals(1, claims.size());
+
+ // Check Claim values
+ Claim claim = claims.get(0);
+ assertEquals(claim.getClaimType(), URI.create(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT));
+ assertEquals(1, claim.getValues().size());
+ assertTrue(claim.getValues().contains("employee"));
+
+ // Check SAMLClaim values
+ assertTrue(claim instanceof SAMLClaim);
+ assertEquals(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT, ((SAMLClaim)claim).getName());
+ assertEquals(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED, ((SAMLClaim)claim).getNameFormat());
+
+ // Check roles
+ Set<Principal> roles =
+ SAMLUtils.parseRolesFromClaims(claims,
+ SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
+ SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+ assertEquals(1, roles.size());
+ Principal p = roles.iterator().next();
+ assertEquals("employee", p.getName());
+ }
+
+ @org.junit.Test
+ public void testSAML2MultipleRoles() throws Exception {
+ AttributeBean attributeBean = new AttributeBean();
+ attributeBean.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
+ attributeBean.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+ attributeBean.addAttributeValue("employee");
+ attributeBean.addAttributeValue("boss");
+
+ SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
+ samlCallbackHandler.setAttributes(Collections.singletonList(attributeBean));
+
+ // Create the SAML Assertion via the CallbackHandler
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
+ SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ Document doc = DOMUtils.newDocument();
+ samlAssertion.toDOM(doc);
+
+ ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
+ assertEquals(claims.getDialect().toString(),
+ "http://schemas.xmlsoap.org/ws/2005/05/identity");
+ assertEquals(1, claims.size());
+
+ // Check Claim values
+ Claim claim = claims.get(0);
+ assertEquals(claim.getClaimType(), URI.create(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT));
+ assertEquals(2, claim.getValues().size());
+ assertTrue(claim.getValues().contains("employee"));
+ assertTrue(claim.getValues().contains("boss"));
+
+ // Check SAMLClaim values
+ assertTrue(claim instanceof SAMLClaim);
+ assertEquals(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT, ((SAMLClaim)claim).getName());
+ assertEquals(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED, ((SAMLClaim)claim).getNameFormat());
+
+ // Check roles
+ Set<Principal> roles =
+ SAMLUtils.parseRolesFromClaims(claims,
+ SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
+ SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+ assertEquals(2, roles.size());
+ }
+
+ @org.junit.Test
+ public void testSAML2MultipleClaims() throws Exception {
+ AttributeBean attributeBean = new AttributeBean();
+ attributeBean.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
+ attributeBean.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+ attributeBean.addAttributeValue("employee");
+
+ AttributeBean attributeBean2 = new AttributeBean();
+ attributeBean2.setQualifiedName(
+ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
+ attributeBean2.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+ attributeBean2.addAttributeValue("smith");
+
+ SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
+ List<AttributeBean> attributes = new ArrayList<AttributeBean>();
+ attributes.add(attributeBean);
+ attributes.add(attributeBean2);
+ samlCallbackHandler.setAttributes(attributes);
+
+ // Create the SAML Assertion via the CallbackHandler
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
+ SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ Document doc = DOMUtils.newDocument();
+ samlAssertion.toDOM(doc);
+
+ ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
+ assertEquals(claims.getDialect().toString(),
+ "http://schemas.xmlsoap.org/ws/2005/05/identity");
+ assertEquals(2, claims.size());
+
+ // Check roles
+ Set<Principal> roles =
+ SAMLUtils.parseRolesFromClaims(claims,
+ SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
+ SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+ assertEquals(1, roles.size());
+ Principal p = roles.iterator().next();
+ assertEquals("employee", p.getName());
+ }
+
+ @org.junit.Test
+ public void testSAML1Claims() throws Exception {
+ AttributeBean attributeBean = new AttributeBean();
+ attributeBean.setSimpleName("role");
+ attributeBean.setQualifiedName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims");
+ attributeBean.addAttributeValue("employee");
+
+ SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(false);
+ samlCallbackHandler.setAttributes(Collections.singletonList(attributeBean));
+
+ // Create the SAML Assertion via the CallbackHandler
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
+ SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ Document doc = DOMUtils.newDocument();
+ samlAssertion.toDOM(doc);
+
+ ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
+ assertEquals(claims.getDialect().toString(),
+ "http://schemas.xmlsoap.org/ws/2005/05/identity");
+ assertEquals(1, claims.size());
+
+ // Check Claim values
+ Claim claim = claims.get(0);
+ assertEquals(claim.getClaimType(), URI.create(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT));
+ assertEquals(1, claim.getValues().size());
+ assertTrue(claim.getValues().contains("employee"));
+
+ // Check SAMLClaim values
+ assertTrue(claim instanceof SAMLClaim);
+ assertEquals("role", ((SAMLClaim)claim).getName());
+
+ // Check roles
+ Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, "role", null);
+ assertEquals(1, roles.size());
+ Principal p = roles.iterator().next();
+ assertEquals("employee", p.getName());
+
+ }
+}
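Review bot: all four tests repeat the same assertion-building and claim-checking code, and in each the `Document doc = DOMUtils.newDocument(); samlAssertion.toDOM(doc);` pair (first at lines 1957-1958) is never read afterwards, so it is either an implicit serialization check or dead code; a private helper that returns a `SamlAssertionWrapper` for a given list of `AttributeBean`s would remove the duplication and make the purpose of the `toDOM` call explicit. The dialect assertions pass expected and actual in reverse order (`assertEquals(claims.getDialect().toString(), "http://schemas.xmlsoap.org/ws/2005/05/identity")`), which produces a misleading failure message; swap the arguments. There is no negative case: a test calling `parseRolesFromClaims` with a role attribute name or name format that does not match the assertion, asserting an empty set, would pin down that roles are derived only from the configured attribute, which is the property an authorization decision built on these roles depends on.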
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/claims/SamlCallbackHandler.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/claims/SamlCallbackHandler.java
new file mode 100644
index 0000000..9b051fa
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/claims/SamlCallbackHandler.java
@@ -0,0 +1,99 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.claims;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.bean.AttributeBean;
+import org.apache.wss4j.common.saml.bean.AttributeStatementBean;
+import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.common.saml.bean.Version;
+import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+
+/**
+ * A CallbackHandler instance to mock up a SAML Attribute Assertion.
+ */
+public class SamlCallbackHandler implements CallbackHandler {
+ private boolean saml2 = true;
+ private String confirmationMethod = SAML2Constants.CONF_BEARER;
+ private List<AttributeBean> attributes;
+
+ public SamlCallbackHandler() {
+ //
+ }
+
+ public SamlCallbackHandler(boolean saml2) {
+ this.saml2 = saml2;
+ }
+
+ public void setConfirmationMethod(String confirmationMethod) {
+ this.confirmationMethod = confirmationMethod;
+ }
+
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof SAMLCallback) {
+ SAMLCallback callback = (SAMLCallback) callbacks[i];
+ if (saml2) {
+ callback.setSamlVersion(Version.SAML_20);
+ } else {
+ callback.setSamlVersion(Version.SAML_11);
+ }
+
+ callback.setIssuer("sts");
+ String subjectName = "uid=sts-client,o=mock-sts.com";
+ String subjectQualifier = "www.mock-sts.com";
+ if (!saml2 && SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) {
+ confirmationMethod = SAML1Constants.CONF_SENDER_VOUCHES;
+ }
+ SubjectBean subjectBean =
+ new SubjectBean(
+ subjectName, subjectQualifier, confirmationMethod
+ );
+ callback.setSubject(subjectBean);
+
+ if (attributes != null) {
+ AttributeStatementBean attrBean = new AttributeStatementBean();
+ attrBean.setSubject(subjectBean);
+ attrBean.setSamlAttributes(attributes);
+ callback.setAttributeStatementData(Collections.singletonList(attrBean));
+ }
+
+ }
+ }
+ }
+
+ public List<AttributeBean> getAttributes() {
+ return attributes;
+ }
+
+ public void setAttributes(List<AttributeBean> attributes) {
+ this.attributes = attributes;
+ }
+
+}
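Review bot: `handle` overwrites the `confirmationMethod` field at lines 2191-2193 as a side effect of servicing a callback, so a handler configured for SAML 1.1 with `CONF_SENDER_VOUCHES` silently changes state after its first use and `setConfirmationMethod` no longer reflects what was set; a local keeps the handler reusable: `String method = confirmationMethod;` then `if (!saml2 && SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) { method = SAML1Constants.CONF_SENDER_VOUCHES; }` and pass `method` to the `SubjectBean` constructor. `handle` implements `CallbackHandler.handle` and should carry `@Override`. `getAttributes` returns the internal list directly, which is acceptable for a test fixture but worth a one-line comment so nobody promotes the class to production code as-is.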
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/interceptor/ClaimsAuthorizingInterceptorTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/interceptor/ClaimsAuthorizingInterceptorTest.java
new file mode 100644
index 0000000..775f1fc
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/interceptor/ClaimsAuthorizingInterceptorTest.java
@@ -0,0 +1,298 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.interceptor;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Set;
+
+import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
+import org.apache.cxf.message.ExchangeImpl;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.saml.claims.ClaimBean;
+import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.claims.authorization.Claim;
+import org.apache.cxf.security.claims.authorization.ClaimMode;
+import org.apache.cxf.security.claims.authorization.Claims;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+
+public class ClaimsAuthorizingInterceptorTest extends Assert {
+
+ private ClaimsAuthorizingInterceptor interceptor;
+
+ @Before
+ public void setUp() {
+ interceptor = new ClaimsAuthorizingInterceptor();
+ interceptor.setNameAliases(
+ Collections.singletonMap("authentication", "http://authentication"));
+ interceptor.setFormatAliases(
+ Collections.singletonMap("claims", "http://claims"));
+ interceptor.setSecuredObject(new TestService());
+
+ }
+
+ @Test
+ public void testClaimDefaultNameAndFormat() throws Exception {
+ doTestClaims("claimWithDefaultNameAndFormat",
+ createDefaultClaim("admin", "user"),
+ createClaim("http://authentication", "http://claims", "password"));
+ try {
+ doTestClaims("claimWithDefaultNameAndFormat",
+ createDefaultClaim("user"),
+ createClaim("http://authentication", "http://claims", "password"));
+ fail("AccessDeniedException expected");
+ } catch (AccessDeniedException ex) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testClaimMatchAll() throws Exception {
+ doTestClaims("claimMatchAll",
+ createDefaultClaim("admin", "manager"),
+ createClaim("http://authentication", "http://claims", "password"));
+ try {
+ doTestClaims("claimMatchAll",
+ createDefaultClaim("admin"),
+ createClaim("http://authentication", "http://claims", "password"));
+ doTestClaims("claimMatchAll",
+ createDefaultClaim("manager"),
+ createClaim("http://authentication", "http://claims", "password"));
+ fail("AccessDeniedException expected");
+ } catch (AccessDeniedException ex) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testMissingExpectedClaim() throws Exception {
+ doTestClaims("claimWithDefaultNameAndFormat",
+ createDefaultClaim("admin"),
+ createClaim("http://authentication", "http://claims", "password"));
+ try {
+ doTestClaims("claimWithDefaultNameAndFormat",
+ createDefaultClaim("admin"));
+ fail("AccessDeniedException expected");
+ } catch (AccessDeniedException ex) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testExtraNonExpectedClaim() throws Exception {
+ doTestClaims("claimWithDefaultNameAndFormat",
+ createDefaultClaim("admin", "user"),
+ createClaim("http://authentication", "http://claims", "password"),
+ createClaim("http://extra/claims", "http://claims", "claim"));
+ }
+
+ @Test
+ public void testClaimSpecificNameAndFormat() throws Exception {
+ doTestClaims("claimWithSpecificNameAndFormat",
+ createClaim("http://cxf/roles", "http://claims", "admin", "user"),
+ createClaim("http://authentication", "http://claims", "password"));
+ try {
+ doTestClaims("claimWithSpecificNameAndFormat",
+ createDefaultClaim("admin", "user"),
+ createClaim("http://authentication", "http://claims", "password"));
+ fail("AccessDeniedException expected");
+ } catch (AccessDeniedException ex) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testClaimLaxMode() throws Exception {
+ doTestClaims("claimLaxMode",
+ createClaim("http://authentication", "http://claims", "password"));
+ doTestClaims("claimLaxMode");
+ try {
+ doTestClaims("claimLaxMode",
+ createClaim("http://authentication", "http://claims", "smartcard"));
+ fail("AccessDeniedException expected");
+ } catch (AccessDeniedException ex) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testMultipleClaims() throws Exception {
+ doTestClaims("multipleClaims",
+ createDefaultClaim("admin"),
+ createClaim("http://authentication", "http://claims", "smartcard"),
+ createClaim("http://location", "http://claims", "UK"));
+ doTestClaims("multipleClaims",
+ createDefaultClaim("admin"),
+ createClaim("http://authentication", "http://claims", "password"),
+ createClaim("http://location", "http://claims", "USA"));
+ try {
+ doTestClaims("multipleClaims",
+ createDefaultClaim("admin"),
+ createClaim("http://authentication", "http://claims", "unsecuretransport"),
+ createClaim("http://location", "http://claims", "UK"));
+ fail("AccessDeniedException expected");
+ } catch (AccessDeniedException ex) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testUserInRoleAndClaims() throws Exception {
+ SecureAnnotationsInterceptor in = new SecureAnnotationsInterceptor();
+ in.setAnnotationClassName(SecureRole.class.getName());
+ in.setSecuredObject(new TestService2());
+
+ Message m = prepareMessage(TestService2.class, "test",
+ createDefaultClaim("admin"),
+ createClaim("a", "b", "c"));
+
+ in.handleMessage(m);
+
+ ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
+ org.apache.cxf.rt.security.saml.claims.SAMLClaim claim =
+ new org.apache.cxf.rt.security.saml.claims.SAMLClaim();
+ claim.setNameFormat("a");
+ claim.setName("b");
+ claim.addValue("c");
+ in2.setClaims(Collections.singletonMap("test",
+ Collections.singletonList(
+ new ClaimBean(claim))));
+ in2.handleMessage(m);
+
+ try {
+ in.handleMessage(prepareMessage(TestService2.class, "test",
+ createDefaultClaim("user")));
+ fail("AccessDeniedException expected");
+ } catch (AccessDeniedException ex) {
+ // expected
+ }
+ }
+
+
+ private void doTestClaims(String methodName,
+ org.apache.cxf.rt.security.claims.Claim... claim)
+ throws Exception {
+ Message m = prepareMessage(TestService.class, methodName, claim);
+ interceptor.handleMessage(m);
+ }
+
+ private Message prepareMessage(Class<?> cls,
+ String methodName,
+ org.apache.cxf.rt.security.claims.Claim... claim)
+ throws Exception {
+ ClaimCollection claims = new ClaimCollection();
+ claims.addAll(Arrays.asList(claim));
+
+ Set<Principal> roles =
+ SAMLUtils.parseRolesFromClaims(claims, SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
+ SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+
+ SecurityContext sc = new SAMLSecurityContext(new SimplePrincipal("user"), roles, claims);
+ Message m = new MessageImpl();
+ m.setExchange(new ExchangeImpl());
+ m.put(SecurityContext.class, sc);
+ m.put("org.apache.cxf.resource.method",
+ cls.getMethod(methodName, new Class[]{}));
+ return m;
+ }
+
+ private org.apache.cxf.rt.security.claims.Claim createDefaultClaim(
+ Object... values) {
+ return createClaim(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
+ SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED,
+ values);
+ }
+
+ private org.apache.cxf.rt.security.claims.Claim createClaim(
+ String name, String format, Object... values) {
+ SAMLClaim claim = new SAMLClaim();
+ claim.setName(name);
+ claim.setNameFormat(format);
+ claim.setValues(Arrays.asList(values));
+ return claim;
+ }
+
+ @Claim(name = "authentication", format = "claims",
+ value = "password")
+ public static class TestService {
+ // default name and format are used
+ @Claim({"admin", "manager" })
+ public void claimWithDefaultNameAndFormat() {
+
+ }
+
+ // explicit name and format
+ @Claim(name = "http://cxf/roles", format = "http://claims",
+ value = {"admin", "manager" })
+ public void claimWithSpecificNameAndFormat() {
+
+ }
+
+ @Claim(name = "http://authentication", format = "http://claims",
+ value = "password", mode = ClaimMode.LAX)
+ public void claimLaxMode() {
+
+ }
+
+ @Claims({
+ @Claim(name = "http://location", format = "http://claims",
+ value = {"UK", "USA" }),
+ @Claim(value = {"admin", "manager" }),
+ @Claim(name = "authentication", format = "claims",
+ value = {"password", "smartcard" })
+ })
+ public void multipleClaims() {
+
+ }
+
+ // user must have both admin and manager roles, default is 'or'
+ @Claim(value = {"admin", "manager" },
+ matchAll = true)
+ public void claimMatchAll() {
+
+ }
+ }
+ public static class TestService2 {
+ @SecureRole("admin")
+ public void test() {
+
+ }
+ }
+ @Target(ElementType.METHOD)
+ @Retention(RetentionPolicy.RUNTIME)
+ public @interface SecureRole {
+ String[] value();
+ }
+}
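Review bot: In testClaimMatchAll the two negative cases share one try/catch, so as soon as the `createDefaultClaim("admin")` call throws AccessDeniedException the following `createDefaultClaim("manager")` call is never reached, and matchAll is never verified for a manager-only subject. Each expected denial needs its own try/catch with its own `fail(...)`, otherwise the second case is dead code that always passes. The rewrite below keeps the positive admin+manager case unchanged and splits the two denials.
```java
    @Test
    public void testClaimMatchAll() throws Exception {
        // … unchanged: positive admin+manager case …
        try {
            doTestClaims("claimMatchAll",
                         createDefaultClaim("admin"),
                         createClaim("http://authentication", "http://claims", "password"));
            fail("AccessDeniedException expected");
        } catch (AccessDeniedException ex) {
            // expected
        }
        try {
            doTestClaims("claimMatchAll",
                         createDefaultClaim("manager"),
                         createClaim("http://authentication", "http://claims", "password"));
            fail("AccessDeniedException expected");
        } catch (AccessDeniedException ex) {
            // expected
        }
    }
```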
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/DummyPDP.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/DummyPDP.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/DummyPDP.java
new file mode 100644
index 0000000..a096208
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/DummyPDP.java
@@ -0,0 +1,153 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.util.List;
+
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMResult;
+import javax.xml.transform.dom.DOMSource;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.opensaml.core.xml.XMLObjectBuilderFactory;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.DecisionType;
+import org.opensaml.xacml.ctx.DecisionType.DECISION;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusCodeType;
+import org.opensaml.xacml.ctx.StatusType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+/**
+ * A test implementation of AbstractXACMLAuthorizingInterceptor. It just mocks up a Response
+ * object based on the role of the Subject. If the role is "manager" then it permits the
+ * request, otherwise it denies it.
+ */
+public class DummyPDP implements PolicyDecisionPoint {
+
+ public Source evaluate(Source requestSource) {
+ RequestType request = requestSourceToRequestType(requestSource);
+ String role = getSubjectRole(request);
+ DECISION decision = "manager".equals(role) ? DecisionType.DECISION.Permit : DecisionType.DECISION.Deny;
+ ResponseType response = createResponse(decision);
+ return responseType2Source(response);
+ }
+
+ private RequestType requestSourceToRequestType(Source requestSource) {
+ try {
+ Transformer trans = TransformerFactory.newInstance().newTransformer();
+ DOMResult res = new DOMResult();
+ trans.transform(requestSource, res);
+ Node nd = res.getNode();
+ if (nd instanceof Document) {
+ nd = ((Document)nd).getDocumentElement();
+ }
+ return (RequestType)OpenSAMLUtil.fromDom((Element)nd);
+ } catch (Exception e) {
+ throw new RuntimeException("Error converting pdp response to ResponseType", e);
+ }
+ }
+
+ private Source responseType2Source(ResponseType response) {
+ Document doc = DOMUtils.createDocument();
+ Element responseElement;
+ try {
+ responseElement = OpenSAMLUtil.toDom(response, doc);
+ } catch (WSSecurityException e) {
+ throw new RuntimeException("Error converting PDP RequestType to Dom", e);
+ }
+ return new DOMSource(responseElement);
+ }
+
+ private ResponseType createResponse(DECISION decision) {
+ XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<ResponseType> responseTypeBuilder =
+ (XACMLObjectBuilder<ResponseType>)
+ builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<ResultType> resultTypeBuilder =
+ (XACMLObjectBuilder<ResultType>)
+ builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<DecisionType> decisionTypeBuilder =
+ (XACMLObjectBuilder<DecisionType>)
+ builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<StatusType> statusTypeBuilder =
+ (XACMLObjectBuilder<StatusType>)
+ builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<StatusCodeType> statusCodeTypeBuilder =
+ (XACMLObjectBuilder<StatusCodeType>)
+ builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
+
+ ResultType result = resultTypeBuilder.buildObject();
+
+ DecisionType decisionType = decisionTypeBuilder.buildObject();
+ decisionType.setDecision(decision);
+ result.setDecision(decisionType);
+
+ StatusType status = statusTypeBuilder.buildObject();
+ StatusCodeType statusCode = statusCodeTypeBuilder.buildObject();
+ statusCode.setValue("urn:oasis:names:tc:xacml:1.0:status:ok");
+ status.setStatusCode(statusCode);
+ result.setStatus(status);
+
+ ResponseType response = responseTypeBuilder.buildObject();
+ response.getResults().add(result);
+ return response;
+ }
+
+ private String getSubjectRole(RequestType request) {
+ List<SubjectType> subjects = request.getSubjects();
+ if (subjects != null) {
+ for (SubjectType subject : subjects) {
+ List<AttributeType> attributes = subject.getAttributes();
+ if (attributes != null) {
+ for (AttributeType attribute : attributes) {
+ if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeId())) {
+ return attribute.getAttributeValues().get(0).getValue();
+ }
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+}
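Review bot: getSubjectRole calls `attribute.getAttributeValues().get(0)` without checking that the list has an element, so a request whose role attribute carries no value fails with an IndexOutOfBoundsException inside the PDP instead of falling through to the Deny branch of evaluate; guard it with `if (!attribute.getAttributeValues().isEmpty()) { return attribute.getAttributeValues().get(0).getValue(); }` (assuming getAttributeValues() itself is never null, which the surrounding null checks on subjects and attributes suggest is not guaranteed). The two RuntimeException messages are also swapped: requestSourceToRequestType reports "Error converting pdp response to ResponseType" while it converts the request, and responseType2Source reports "Error converting PDP RequestType to Dom" while it converts the response, which will mislead whoever reads a failing test log. Since only the first role value is ever inspected, a comment such as `// test double: only the first SUBJECT_ROLE value is considered` on getSubjectRole would make that simplification explicit.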
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilderTest.java
new file mode 100644
index 0000000..53cd863
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilderTest.java
@@ -0,0 +1,222 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.joda.time.DateTime;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+
+/**
+ * Some unit tests to create a XACML Request using the RequestComponentBuilder.
+ */
+public class RequestComponentBuilderTest extends org.junit.Assert {
+
+ private DocumentBuilder docBuilder;
+ static {
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ public RequestComponentBuilderTest() throws ParserConfigurationException {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+ }
+
+ @org.junit.Test
+ public void testCreateXACMLRequest() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ AttributeValueType subjectGroupAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "manager"
+ );
+ AttributeType subjectGroupAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ "admin-user@apache.org",
+ Collections.singletonList(subjectGroupAttributeValue)
+ );
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ attributes.add(subjectGroupAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ null
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(request, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+ @org.junit.Test
+ public void testEnvironment() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Environment
+ DateTime dateTime = new DateTime();
+ AttributeValueType environmentAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(dateTime.toString());
+ AttributeType environmentAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.CURRENT_DATETIME,
+ XACMLConstants.XS_DATETIME,
+ null,
+ Collections.singletonList(environmentAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(environmentAttribute);
+ EnvironmentType environmentType =
+ RequestComponentBuilder.createEnvironmentType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ environmentType
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(request, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+}
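Review bot: In testCreateXACMLRequest the same `attributes` list is handed to createSubjectType, then cleared and refilled for the resource and again for the action; if createSubjectType keeps a reference to the list rather than copying it, the marshalled Subject silently ends up carrying only the action attribute, and the test's only assertion, `assertNotNull(policyElement)`, would not notice. Give each component its own list, e.g. `ResourceType resource = RequestComponentBuilder.createResourceType(Collections.singletonList(resourceAttribute), null);`, and assert on the marshalled content (for instance that the Subject element still contains the SUBJECT_ROLE attribute with value "manager") instead of only on non-null, since an authorization request builder that drops or misplaces attributes would otherwise pass this test. The same list reuse and not-null-only assertion appear in testEnvironment below and in SamlRequestComponentBuilderTest.testCreateXACMLSamlAuthzQueryRequest. The commented-out `DOM2Writer.nodeToString` line in both methods is dead code and can be dropped.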
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilderTest.java
new file mode 100644
index 0000000..526be4a
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilderTest.java
@@ -0,0 +1,153 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
+import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
+
+
+/**
+ * Some unit tests for creating a SAML XACML Request.
+ */
+public class SamlRequestComponentBuilderTest extends org.junit.Assert {
+
+ private DocumentBuilder docBuilder;
+ static {
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ public SamlRequestComponentBuilderTest() throws ParserConfigurationException {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+ }
+
+ @org.junit.Test
+ public void testCreateXACMLSamlAuthzQueryRequest() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ //
+ // Create XACML request
+ //
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ AttributeValueType subjectGroupAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "manager"
+ );
+ AttributeType subjectGroupAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ "admin-user@apache.org",
+ Collections.singletonList(subjectGroupAttributeValue)
+ );
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ attributes.add(subjectGroupAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ null
+ );
+
+ //
+ // Create SAML wrapper
+ //
+
+ XACMLAuthzDecisionQueryType authzQuery =
+ SamlRequestComponentBuilder.createAuthzDecisionQuery(
+ "Issuer", request, SAMLProfileConstants.SAML20XACML20P_NS
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(authzQuery, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptorTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptorTest.java
new file mode 100644
index 0000000..30fb821
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptorTest.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+
+
+/**
+ * Some unit tests to test the AbstractXACMLAuthorizingInterceptor.
+ */
+public class XACMLAuthorizingInterceptorTest extends org.junit.Assert {
+
+ static {
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+ }
+
+ @SuppressWarnings("deprecation")
+ @org.junit.Test
+ public void testPermit() throws Exception {
+ // Mock up a Security Context
+ SecurityContext sc = createSecurityContext("alice", "manager");
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURI = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURI);
+ msg.put(SecurityContext.class, sc);
+
+ PolicyDecisionPoint pdp = new DummyPDP();
+ XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
+ authorizingInterceptor.handleMessage(msg);
+ }
+
+ @SuppressWarnings("deprecation")
+ @org.junit.Test
+ public void testDeny() throws Exception {
+ // Mock up a Security Context
+ SecurityContext sc = createSecurityContext("alice", "boss");
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURI = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURI);
+ msg.put(SecurityContext.class, sc);
+
+ PolicyDecisionPoint pdp = new DummyPDP();
+ XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
+
+ try {
+ authorizingInterceptor.handleMessage(msg);
+ fail("Failure expected on deny");
+ } catch (Exception ex) {
+ // Failure expected
+ }
+ }
+
+ private SecurityContext createSecurityContext(final String user, final String role) {
+ return new LoginSecurityContext() {
+
+ @Override
+ public Principal getUserPrincipal() {
+ return new Principal() {
+ public String getName() {
+ return user;
+ }
+ };
+ }
+
+ @Override
+ public boolean isUserInRole(String role) {
+ return false;
+ }
+
+ @Override
+ public Subject getSubject() {
+ return null;
+ }
+
+ @Override
+ public Set<Principal> getUserRoles() {
+ Set<Principal> principals = new HashSet<Principal>();
+ principals.add(new Principal() {
+ public String getName() {
+ return role;
+ }
+ });
+ return principals;
+ }
+
+ };
+ }
+
+}
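Review bot: testDeny's `catch (Exception ex)` at the end of the second test makes the deny case pass on any failure at all — a NullPointerException from the mocked context or a misconfigured PDP would be reported as a successful deny, so the test cannot tell an authorization refusal from a crash. Catch the exception type the interceptor actually throws on denial (the page shows `org.apache.cxf.interceptor.security.AccessDeniedException` being imported by ClaimsAuthorizingFilter; if XACMLAuthorizingInterceptor throws the same type, `} catch (AccessDeniedException ex) {`), and assert on it rather than leaving the block empty with only a comment. The message set-up in testPermit and testDeny is duplicated line for line and could be a small `createMessage(SecurityContext)` helper. Per the diffstat this file appears to be moved from the rt/security xacml test package, so the weak assertion is inherited rather than new, but the move is a good moment to tighten it.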
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
new file mode 100644
index 0000000..ed34e7a
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
@@ -0,0 +1,307 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+
+
+/**
+ * Some unit tests to create a XACML Request via the XACMLRequestBuilder interface.
+ */
+public class XACMLRequestBuilderTest extends org.junit.Assert {
+
+ static {
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+ }
+
+ @org.junit.Test
+ public void testXACMLRequestBuilder() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ }
+
+
+ @org.junit.Test
+ public void testAction() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURL);
+
+ DefaultXACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ String action =
+ request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
+ assertEquals("execute", action);
+
+ builder.setAction("write");
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ action =
+ request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
+ assertEquals("write", action);
+ }
+
+ @org.junit.Test
+ public void testEnvironment() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ assertFalse(request.getEnvironment().getAttributes().isEmpty());
+
+ ((DefaultXACMLRequestBuilder)builder).setSendDateTime(false);
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ assertTrue(request.getEnvironment().getAttributes().isEmpty());
+ }
+
+ @org.junit.Test
+ public void testSOAPResource() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ List<ResourceType> resources = request.getResources();
+ assertNotNull(resources);
+ assertEquals(1, resources.size());
+
+ ResourceType resource = resources.get(0);
+ assertEquals(4, resource.getAttributes().size());
+
+ boolean resourceIdSatisfied = false;
+ boolean soapServiceSatisfied = false;
+ boolean soapOperationSatisfied = false;
+ boolean resourceURISatisfied = false;
+ for (AttributeType attribute : resource.getAttributes()) {
+ String attributeValue = attribute.getAttributeValues().get(0).getValue();
+ if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
+ && "{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt".equals(
+ attributeValue)) {
+ resourceIdSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
+ && service.equals(attributeValue)) {
+ soapServiceSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
+ && operation.equals(attributeValue)) {
+ soapOperationSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
+ && resourceURL.equals(attributeValue)) {
+ resourceURISatisfied = true;
+ }
+ }
+
+ assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
+ && resourceURISatisfied);
+ }
+
+ @org.junit.Test
+ public void testSOAPResourceDifferentNamespace() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleItService}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ List<ResourceType> resources = request.getResources();
+ assertNotNull(resources);
+ assertEquals(1, resources.size());
+
+ ResourceType resource = resources.get(0);
+ assertEquals(4, resource.getAttributes().size());
+
+ boolean resourceIdSatisfied = false;
+ boolean soapServiceSatisfied = false;
+ boolean soapOperationSatisfied = false;
+ boolean resourceURISatisfied = false;
+ String expectedResourceId =
+ service + "#" + operation;
+ for (AttributeType attribute : resource.getAttributes()) {
+ String attributeValue = attribute.getAttributeValues().get(0).getValue();
+ if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
+ && expectedResourceId.equals(attributeValue)) {
+ resourceIdSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
+ && service.equals(attributeValue)) {
+ soapServiceSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
+ && operation.equals(attributeValue)) {
+ soapOperationSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
+ && resourceURL.equals(attributeValue)) {
+ resourceURISatisfied = true;
+ }
+ }
+
+ assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
+ && resourceURISatisfied);
+ }
+
+ @org.junit.Test
+ public void testRESTResource() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ MessageImpl msg = new MessageImpl();
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ List<ResourceType> resources = request.getResources();
+ assertNotNull(resources);
+ assertEquals(1, resources.size());
+
+ ResourceType resource = resources.get(0);
+ assertEquals(1, resource.getAttributes().size());
+
+ for (AttributeType attribute : resource.getAttributes()) {
+ String attributeValue = attribute.getAttributeValues().get(0).getValue();
+ assertEquals(attributeValue, resourceURL);
+ }
+ }
+
+ @org.junit.Test
+ public void testRESTResourceTruncatedURI() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ MessageImpl msg = new MessageImpl();
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+ String resourceURI = "/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURI);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(false);
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ List<ResourceType> resources = request.getResources();
+ assertNotNull(resources);
+ assertEquals(1, resources.size());
+
+ ResourceType resource = resources.get(0);
+ assertEquals(1, resource.getAttributes().size());
+
+ for (AttributeType attribute : resource.getAttributes()) {
+ String attributeValue = attribute.getAttributeValues().get(0).getValue();
+ assertEquals(attributeValue, resourceURI);
+ }
+ }
+}
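Review bot: The `assertEquals(attributeValue, resourceURL)` calls in testRESTResource and testRESTResourceTruncatedURI pass the actual value as the expected one, so a failure message would read backwards; swap them to `assertEquals(resourceURL, attributeValue);` and `assertEquals(resourceURI, attributeValue);`. Separately, testXACMLRequestBuilder and testAction store the endpoint under `Message.REQUEST_URI` while every other test uses `Message.REQUEST_URL`; testRESTResourceTruncatedURI suggests the builder reads REQUEST_URL unless sendFullRequestURL is false, so in those two tests the endpoint attribute is presumably empty and only passes because nothing beyond assertNotNull is checked — worth aligning on REQUEST_URL or asserting the resource attributes there too. The anonymous `Principal` returning "alice" is repeated six times and could be one private static helper. As with the interceptor test, the diffstat indicates this file is a move from rt/security, so these are pre-existing points.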
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/pom.xml
----------------------------------------------------------------------
diff --git a/rt/security/pom.xml b/rt/security/pom.xml
index 1a1ca60..5ae8972 100644
--- a/rt/security/pom.xml
+++ b/rt/security/pom.xml
@@ -30,11 +30,6 @@
<version>3.1.0-SNAPSHOT</version>
<relativePath>../../parent/pom.xml</relativePath>
</parent>
- <properties>
- <cxf.osgi.import>
- org.opensaml*,
- </cxf.osgi.import>
- </properties>
<dependencies>
<dependency>
<groupId>org.apache.cxf</groupId>
@@ -42,11 +37,6 @@
<version>${project.version}</version>
</dependency>
<dependency>
- <groupId>org.apache.wss4j</groupId>
- <artifactId>wss4j-ws-security-common</artifactId>
- <version>${cxf.wss4j.version}</version>
- </dependency>
- <dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<scope>test</scope>
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimBean.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimBean.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimBean.java
deleted file mode 100644
index 6c3908d..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimBean.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.claims;
-
-import org.apache.cxf.security.claims.authorization.ClaimMode;
-
-public class ClaimBean {
- private SAMLClaim claim;
- private ClaimMode claimMode;
- private boolean matchAll;
-
- public ClaimBean(SAMLClaim claim) {
- this.claim = claim;
- }
-
- public ClaimBean(SAMLClaim claim,
- ClaimMode claimMode,
- boolean matchAll) {
- this.claim = claim;
- this.claimMode = claimMode;
- this.matchAll = matchAll;
- }
-
- public SAMLClaim getClaim() {
- return claim;
- }
-
- public boolean isMatchAll() {
- return matchAll;
- }
-
- public ClaimMode getClaimMode() {
- return claimMode;
- }
-}
[4/4] cxf git commit: Adding a new cxf-rt-security-saml module to
remove OpenSAML dependencies from cxf-rt-security
Posted by co...@apache.org.
Adding a new cxf-rt-security-saml module to remove OpenSAML dependencies from cxf-rt-security
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c04c2720
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c04c2720
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c04c2720
Branch: refs/heads/master
Commit: c04c27200226b564108b4fe58b8ac70ca5ec7638
Parents: 71e9ada
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Apr 13 13:04:26 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Apr 13 13:04:26 2015 +0100
----------------------------------------------------------------------
.../features/src/main/resources/features.xml | 10 +-
rt/pom.xml | 1 +
.../grants/saml/Saml2BearerGrantHandler.java | 2 +-
.../saml/sso/AbstractServiceProviderFilter.java | 10 +-
.../authorization/ClaimsAuthorizingFilter.java | 4 +-
.../SecurityContextProviderImpl.java | 6 +-
rt/security-saml/pom.xml | 60 ++++
.../cxf/rt/security/saml/claims/ClaimBean.java | 51 +++
.../cxf/rt/security/saml/claims/SAMLClaim.java | 68 ++++
.../saml/claims/SAMLSecurityContext.java | 104 +++++++
.../ClaimsAuthorizingInterceptor.java | 244 +++++++++++++++
.../cxf/rt/security/saml/utils/SAMLUtils.java | 141 +++++++++
.../AbstractXACMLAuthorizingInterceptor.java | 170 ++++++++++
.../security/saml/xacml/CXFMessageParser.java | 97 ++++++
.../saml/xacml/DefaultXACMLRequestBuilder.java | 217 +++++++++++++
.../saml/xacml/RequestComponentBuilder.java | 183 +++++++++++
.../saml/xacml/SamlRequestComponentBuilder.java | 118 +++++++
.../saml/xacml/XACMLAuthorizingInterceptor.java | 86 ++++++
.../rt/security/saml/xacml/XACMLConstants.java | 206 +++++++++++++
.../saml/xacml/XACMLRequestBuilder.java | 62 ++++
.../saml/xacml/pdp/api/PolicyDecisionPoint.java | 35 +++
.../rt/security/saml/claims/SAMLClaimsTest.java | 212 +++++++++++++
.../saml/claims/SamlCallbackHandler.java | 99 ++++++
.../ClaimsAuthorizingInterceptorTest.java | 298 ++++++++++++++++++
.../cxf/rt/security/saml/xacml/DummyPDP.java | 153 +++++++++
.../saml/xacml/RequestComponentBuilderTest.java | 222 ++++++++++++++
.../xacml/SamlRequestComponentBuilderTest.java | 153 +++++++++
.../xacml/XACMLAuthorizingInterceptorTest.java | 127 ++++++++
.../saml/xacml/XACMLRequestBuilderTest.java | 307 +++++++++++++++++++
rt/security/pom.xml | 10 -
.../cxf/rt/security/claims/ClaimBean.java | 51 ---
.../claims/ClaimsAuthorizingInterceptor.java | 242 ---------------
.../cxf/rt/security/claims/SAMLClaim.java | 66 ----
.../rt/security/saml/SAMLSecurityContext.java | 104 -------
.../apache/cxf/rt/security/saml/SAMLUtils.java | 141 ---------
.../AbstractXACMLAuthorizingInterceptor.java | 170 ----------
.../cxf/rt/security/xacml/CXFMessageParser.java | 97 ------
.../xacml/DefaultXACMLRequestBuilder.java | 217 -------------
.../security/xacml/RequestComponentBuilder.java | 183 -----------
.../xacml/SamlRequestComponentBuilder.java | 118 -------
.../xacml/XACMLAuthorizingInterceptor.java | 87 ------
.../cxf/rt/security/xacml/XACMLConstants.java | 206 -------------
.../rt/security/xacml/XACMLRequestBuilder.java | 62 ----
.../xacml/pdp/api/PolicyDecisionPoint.java | 35 ---
.../ClaimsAuthorizingInterceptorTest.java | 295 ------------------
.../cxf/rt/security/saml/SAMLClaimsTest.java | 212 -------------
.../rt/security/saml/SamlCallbackHandler.java | 99 ------
.../apache/cxf/rt/security/xacml/DummyPDP.java | 153 ---------
.../xacml/RequestComponentBuilderTest.java | 222 --------------
.../xacml/SamlRequestComponentBuilderTest.java | 153 ---------
.../xacml/XACMLAuthorizingInterceptorTest.java | 127 --------
.../security/xacml/XACMLRequestBuilderTest.java | 307 -------------------
rt/ws/security/pom.xml | 2 +-
.../trust/AuthPolicyValidatingInterceptor.java | 5 +-
.../cxf/ws/security/trust/STSLoginModule.java | 3 +-
.../wss4j/StaxSecurityContextInInterceptor.java | 4 +-
.../wss4j/UsernameTokenInterceptor.java | 4 +-
.../ws/security/wss4j/WSS4JInInterceptor.java | 5 +-
.../token/validator/DefaultSAMLRoleParser.java | 4 +-
.../security/oauth2/SamlCallbackHandler.java | 2 +-
.../security/oauth2/SamlCallbackHandler2.java | 2 +-
.../security/saml/SamlCallbackHandler.java | 2 +-
.../ws/saml/PolicyDecisionPointMockImpl.java | 4 +-
.../org/apache/cxf/systest/ws/saml/server.xml | 2 +-
.../apache/cxf/systest/ws/saml/stax-server.xml | 2 +-
65 files changed, 3451 insertions(+), 3393 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/osgi/karaf/features/src/main/resources/features.xml
----------------------------------------------------------------------
diff --git a/osgi/karaf/features/src/main/resources/features.xml b/osgi/karaf/features/src/main/resources/features.xml
index 33b418d..0705424 100644
--- a/osgi/karaf/features/src/main/resources/features.xml
+++ b/osgi/karaf/features/src/main/resources/features.xml
@@ -119,14 +119,18 @@
<feature version="${project.version}">cxf-ws-addr</feature>
<bundle start-level="40" dependency="true">mvn:net.sf.ehcache/ehcache/${cxf.ehcache.version}</bundle>
<bundle start-level="40">mvn:org.apache.cxf/cxf-rt-ws-security/${project.version}</bundle>
- <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-security/${project.version}</bundle>
+ <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-security-saml/${project.version}</bundle>
</feature>
<feature name="cxf-rt-security" version="${project.version}" resolver="(obr)">
<feature version="${project.version}">cxf-core</feature>
<feature version="${project.version}">cxf-wsdl</feature>
- <feature version="${cxf.wss4j.version}">wss4j</feature>
<bundle start-level="40">mvn:org.apache.cxf/cxf-rt-security/${project.version}</bundle>
</feature>
+ <feature name="cxf-rt-security-saml" version="${project.version}" resolver="(obr)">
+ <feature version="${project.version}">cxf-rt-security</feature>
+ <feature version="${cxf.wss4j.version}">wss4j</feature>
+ <bundle start-level="40">mvn:org.apache.cxf/cxf-rt-security-saml/${project.version}</bundle>
+ </feature>
<feature name="cxf-http" version="${project.version}" resolver="(obr)">
<feature version="${project.version}">cxf-core</feature>
<bundle start-level="40">mvn:${cxf.servlet-api.group}/${cxf.servlet-api.artifact}/${cxf.servlet-api.version}</bundle>
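Review bot: In the cxf-ws-security feature the `cxf-rt-security` bundle line is replaced by the bare `cxf-rt-security-saml` bundle, but the new cxf-rt-security-saml feature declared a few lines below says that bundle requires the cxf-rt-security feature (and wss4j), and this hunk no longer installs cxf-rt-security for cxf-ws-security unless that happens above line 119 outside the hunk. Referencing the feature instead of the bundle, `<feature version="${project.version}">cxf-rt-security-saml</feature>`, would pull in cxf-rt-security and wss4j transitively and keep the dependency in one place. The same substitution is made for cxf-rs-security-xml in the second hunk of this file, where the feature form is already used, so the two hunks would then be consistent.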
@@ -189,7 +193,7 @@
</feature>
<feature name="cxf-rs-security-xml" version="${project.version}" resolver="(obr)">
<feature version="${project.version}">cxf-jaxrs</feature>
- <feature version="${project.version}">cxf-rt-security</feature>
+ <feature version="${project.version}">cxf-rt-security-saml</feature>
<bundle start-level="40">mvn:org.apache.cxf/cxf-rt-rs-security-xml/${project.version}</bundle>
</feature>
<feature name="cxf-rs-security-sso-saml" version="${project.version}" resolver="(obr)">
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/pom.xml
----------------------------------------------------------------------
diff --git a/rt/pom.xml b/rt/pom.xml
index fd9da64..2458834 100644
--- a/rt/pom.xml
+++ b/rt/pom.xml
@@ -75,5 +75,6 @@
<module>management-web</module>
<module>javascript</module>
<module>security</module>
+ <module>security-saml</module>
</modules>
</project>
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
index 9dbc021..6a29910 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
@@ -52,7 +52,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider;
import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.staxutils.StaxUtils;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
index d3ccfac..b4afac4 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
@@ -55,7 +55,7 @@ import org.apache.cxf.rs.security.saml.assertion.Subject;
import org.apache.cxf.rs.security.saml.sso.state.RequestState;
import org.apache.cxf.rs.security.saml.sso.state.ResponseState;
import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.SecurityConstants;
@@ -193,16 +193,16 @@ public abstract class AbstractServiceProviderFilter extends AbstractSSOSpHandler
roleAttributeName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
}
ClaimCollection claims =
- org.apache.cxf.rt.security.saml.SAMLUtils.getClaims(assertionWrapper);
+ org.apache.cxf.rt.security.saml.utils.SAMLUtils.getClaims(assertionWrapper);
Set<Principal> roles =
- org.apache.cxf.rt.security.saml.SAMLUtils.parseRolesFromClaims(
+ org.apache.cxf.rt.security.saml.utils.SAMLUtils.parseRolesFromClaims(
claims, roleAttributeName, null);
SAMLSecurityContext context =
new SAMLSecurityContext(new SimplePrincipal(name), roles, claims);
- context.setIssuer(org.apache.cxf.rt.security.saml.SAMLUtils.getIssuer(assertionWrapper));
+ context.setIssuer(org.apache.cxf.rt.security.saml.utils.SAMLUtils.getIssuer(assertionWrapper));
context.setAssertionElement(
- org.apache.cxf.rt.security.saml.SAMLUtils.getAssertionElement(assertionWrapper));
+ org.apache.cxf.rt.security.saml.utils.SAMLUtils.getAssertionElement(assertionWrapper));
m.put(SecurityContext.class, context);
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
index f373d91..09c3d26 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
@@ -28,8 +28,8 @@ import javax.ws.rs.core.Response;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.claims.ClaimBean;
-import org.apache.cxf.rt.security.claims.ClaimsAuthorizingInterceptor;
+import org.apache.cxf.rt.security.saml.claims.ClaimBean;
+import org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor;
public class ClaimsAuthorizingFilter implements ContainerRequestFilter {
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
index 604efb5..9899085 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
@@ -25,9 +25,9 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.saml.assertion.Subject;
import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.claims.SAMLClaim;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
+import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/pom.xml
----------------------------------------------------------------------
diff --git a/rt/security-saml/pom.xml b/rt/security-saml/pom.xml
new file mode 100644
index 0000000..d740e27
--- /dev/null
+++ b/rt/security-saml/pom.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>cxf-rt-security-saml</artifactId>
+ <packaging>bundle</packaging>
+ <name>Apache CXF Runtime SAML Security functionality</name>
+ <description>Apache CXF Runtime SAML Security functionality</description>
+ <url>http://cxf.apache.org</url>
+ <parent>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-parent</artifactId>
+ <version>3.1.0-SNAPSHOT</version>
+ <relativePath>../../parent/pom.xml</relativePath>
+ </parent>
+ <properties>
+ <cxf.osgi.import>
+ org.opensaml*,
+ </cxf.osgi.import>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-security</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.wss4j</groupId>
+ <artifactId>wss4j-ws-security-common</artifactId>
+ <version>${cxf.wss4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/ClaimBean.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/ClaimBean.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/ClaimBean.java
new file mode 100644
index 0000000..4d9606f
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/ClaimBean.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.claims;
+
+import org.apache.cxf.security.claims.authorization.ClaimMode;
+
+public class ClaimBean {
+ private SAMLClaim claim;
+ private ClaimMode claimMode;
+ private boolean matchAll;
+
+ public ClaimBean(SAMLClaim claim) {
+ this.claim = claim;
+ }
+
+ public ClaimBean(SAMLClaim claim,
+ ClaimMode claimMode,
+ boolean matchAll) {
+ this.claim = claim;
+ this.claimMode = claimMode;
+ this.matchAll = matchAll;
+ }
+
+ public SAMLClaim getClaim() {
+ return claim;
+ }
+
+ public boolean isMatchAll() {
+ return matchAll;
+ }
+
+ public ClaimMode getClaimMode() {
+ return claimMode;
+ }
+}
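Review bot: The single-argument constructor at lines 3936-3938 leaves `claimMode` null, and the only consumer of it in this commit, `ClaimsAuthorizingInterceptor.authorize`, tests `claimBean.getClaimMode() == ClaimMode.STRICT`, so a bean built this way is treated as non-strict and a missing claim is skipped rather than denied. Unless that permissive default is intended, delegate to the full constructor, `this(claim, ClaimMode.STRICT, false);`, or document on the constructor that the mode is null and how consumers interpret it. None of the three fields is reassigned after construction, so they can be `final`, and a one-line class Javadoc saying the bean pairs a required `SAMLClaim` with its matching mode and match-all flag would make the contract readable without opening the interceptor.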
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLClaim.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLClaim.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLClaim.java
new file mode 100644
index 0000000..5fb080d
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLClaim.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.claims;
+
+import org.apache.cxf.rt.security.claims.Claim;
+
+
+/**
+ * This represents a Claim that is coupled to a SAML Assertion
+ */
+public class SAMLClaim extends Claim {
+
+ /**
+ * This configuration tag specifies the default attribute name where the roles are present
+ * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
+ */
+ public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
+ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
+
+ private static final long serialVersionUID = 5530712294179589442L;
+
+ private String nameFormat;
+ private String name;
+ private String friendlyName;
+
+ public String getNameFormat() {
+ return nameFormat;
+ }
+
+ public void setNameFormat(String nameFormat) {
+ this.nameFormat = nameFormat;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public String getFriendlyName() {
+ return friendlyName;
+ }
+
+ public void setFriendlyName(String friendlyName) {
+ this.friendlyName = friendlyName;
+ }
+
+
+}
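Review bot: `name` and `nameFormat` carry no documentation and no null contract, yet the new consumers in this commit call `getName().equals(...)` and `getNameFormat().equals(...)` on them (ClaimsAuthorizingInterceptor lines 4268-4269 and 4350-4351), while `SAMLUtils.getClaims` sets `nameFormat` from `atr.getAttributeNamespace()`, a value that same method explicitly checks for null. Add field Javadoc that states the contract, e.g. `/** The SAML Attribute NameFormat; may be null for a claim built from a SAML 1.1 attribute without a namespace. */`, so callers know to compare with `Objects.equals` or guard first. The class Javadoc could also say that `name` and `nameFormat` mirror the SAML Attribute's Name and NameFormat and are kept separately from the inherited claim type URI set via `setClaimType`.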
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
new file mode 100644
index 0000000..b9b012a
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
@@ -0,0 +1,104 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.claims;
+
+import java.security.Principal;
+import java.util.Set;
+
+import org.w3c.dom.Element;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.claims.ClaimsSecurityContext;
+
+public class SAMLSecurityContext implements ClaimsSecurityContext {
+
+ private final Principal principal;
+ private Set<Principal> roles;
+ private Element assertionElement;
+ private String issuer;
+ private ClaimCollection claims;
+
+ public SAMLSecurityContext(Principal principal) {
+ this(principal, null);
+ }
+
+ public SAMLSecurityContext(
+ Principal principal,
+ Set<Principal> roles
+ ) {
+ this(principal, roles, null);
+ }
+
+ public SAMLSecurityContext(
+ Principal principal,
+ Set<Principal> roles,
+ ClaimCollection claims
+ ) {
+ this.principal = principal;
+ this.roles = roles;
+ this.claims = claims;
+ }
+
+ public ClaimCollection getClaims() {
+ return claims;
+ }
+
+ public Principal getUserPrincipal() {
+ return principal;
+ }
+
+ public boolean isUserInRole(String role) {
+ if (roles == null) {
+ return false;
+ }
+ for (Principal principalRole : roles) {
+ if (principalRole.getName().equals(role)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public javax.security.auth.Subject getSubject() {
+ return null;
+ }
+
+ public void setUserRoles(Set<Principal> userRoles) {
+ this.roles = userRoles;
+ }
+
+ public Set<Principal> getUserRoles() {
+ return roles;
+ }
+
+ public void setAssertionElement(Element assertionElement) {
+ this.assertionElement = assertionElement;
+ }
+
+ public Element getAssertionElement() {
+ return assertionElement;
+ }
+
+ public void setIssuer(String issuer) {
+ this.issuer = issuer;
+ }
+
+ public String getIssuer() {
+ return issuer;
+ }
+}
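Review bot: `getSubject()` at lines 4120-4122 unconditionally returns null and `getUserRoles()` at lines 4128-4130 hands out the internal mutable `roles` set, and neither behaviour is documented. Code that reaches this object through the `ClaimsSecurityContext` interface will not expect a null Subject, so add `/** SAML contexts carry no JAAS Subject; always returns null. */` on `getSubject()`, and consider returning `roles == null ? null : Collections.unmodifiableSet(roles)` from `getUserRoles()` (with a `java.util.Collections` import) so role membership cannot be changed by a caller after the assertion has been evaluated; `setUserRoles` remains the sanctioned way to replace the set. The interface implementations should also carry `@Override` so a signature drift in the interface is caught at compile time.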
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/interceptor/ClaimsAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/interceptor/ClaimsAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/interceptor/ClaimsAuthorizingInterceptor.java
new file mode 100644
index 0000000..c0244ea
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/interceptor/ClaimsAuthorizingInterceptor.java
@@ -0,0 +1,244 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.interceptor;
+
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.ClassHelper;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.rt.security.saml.claims.ClaimBean;
+import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.claims.authorization.Claim;
+import org.apache.cxf.security.claims.authorization.ClaimMode;
+import org.apache.cxf.security.claims.authorization.Claims;
+import org.apache.cxf.service.Service;
+import org.apache.cxf.service.invoker.MethodDispatcher;
+import org.apache.cxf.service.model.BindingOperationInfo;
+
+
+public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
+
+ private static final Logger LOG = LogUtils.getL7dLogger(ClaimsAuthorizingInterceptor.class);
+
+ private static final Set<String> SKIP_METHODS;
+ static {
+ SKIP_METHODS = new HashSet<>();
+ SKIP_METHODS.addAll(Arrays.asList(
+ new String[] {"wait", "notify", "notifyAll",
+ "equals", "toString", "hashCode"}));
+ }
+
+ private Map<String, List<ClaimBean>> claims = new HashMap<>();
+ private Map<String, String> nameAliases = Collections.emptyMap();
+ private Map<String, String> formatAliases = Collections.emptyMap();
+
+ public ClaimsAuthorizingInterceptor() {
+ super(Phase.PRE_INVOKE);
+ }
+
+ public void handleMessage(Message message) throws Fault {
+ SecurityContext sc = message.get(SecurityContext.class);
+ if (!(sc instanceof SAMLSecurityContext)) {
+ throw new AccessDeniedException("Security Context is unavailable or unrecognized");
+ }
+
+ Method method = getTargetMethod(message);
+
+ if (authorize((SAMLSecurityContext)sc, method)) {
+ return;
+ }
+
+ throw new AccessDeniedException("Unauthorized");
+ }
+
+ public void setClaims(Map<String, List<ClaimBean>> claimsMap) {
+ claims.putAll(claimsMap);
+ }
+
+ protected Method getTargetMethod(Message m) {
+ BindingOperationInfo bop = m.getExchange().get(BindingOperationInfo.class);
+ if (bop != null) {
+ MethodDispatcher md = (MethodDispatcher)
+ m.getExchange().get(Service.class).get(MethodDispatcher.class.getName());
+ return md.getMethod(bop);
+ }
+ Method method = (Method)m.get("org.apache.cxf.resource.method");
+ if (method != null) {
+ return method;
+ }
+ throw new AccessDeniedException("Method is not available : Unauthorized");
+ }
+
+ protected boolean authorize(SAMLSecurityContext sc, Method method) {
+ List<ClaimBean> list = claims.get(method.getName());
+ org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims();
+
+ for (ClaimBean claimBean : list) {
+ org.apache.cxf.rt.security.claims.Claim claim = claimBean.getClaim();
+ org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
+ for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
+ if (cl instanceof SAMLClaim
+ && ((SAMLClaim)cl).getName().equals(((SAMLClaim)claim).getName())
+ && ((SAMLClaim)cl).getNameFormat().equals(((SAMLClaim)claim).getNameFormat())) {
+ matchingClaim = cl;
+ break;
+ }
+ }
+ if (matchingClaim == null) {
+ if (claimBean.getClaimMode() == ClaimMode.STRICT) {
+ return false;
+ } else {
+ continue;
+ }
+ }
+ List<Object> claimValues = claim.getValues();
+ List<Object> matchingClaimValues = matchingClaim.getValues();
+ if (claimBean.isMatchAll()
+ && !matchingClaimValues.containsAll(claimValues)) {
+ return false;
+ } else {
+ boolean matched = false;
+ for (Object value : matchingClaimValues) {
+ if (claimValues.contains(value)) {
+ matched = true;
+ break;
+ }
+ }
+ if (!matched) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ public void setSecuredObject(Object object) {
+ Class<?> cls = ClassHelper.getRealClass(object);
+ findClaims(cls);
+ if (claims.isEmpty()) {
+ LOG.warning("The claims list is empty, the service object is not protected");
+ }
+ }
+
+ protected void findClaims(Class<?> cls) {
+ if (cls == null || cls == Object.class) {
+ return;
+ }
+ List<ClaimBean> clsClaims =
+ getClaims(cls.getAnnotation(Claims.class), cls.getAnnotation(Claim.class));
+ for (Method m : cls.getMethods()) {
+ if (SKIP_METHODS.contains(m.getName())) {
+ continue;
+ }
+ List<ClaimBean> methodClaims =
+ getClaims(m.getAnnotation(Claims.class), m.getAnnotation(Claim.class));
+
+ List<ClaimBean> allClaims = new ArrayList<>(methodClaims);
+ for (ClaimBean bean : clsClaims) {
+ if (isClaimOverridden(bean, methodClaims)) {
+ continue;
+ }
+ allClaims.add(bean);
+ }
+
+ claims.put(m.getName(), allClaims);
+ }
+ if (!claims.isEmpty()) {
+ return;
+ }
+
+ findClaims(cls.getSuperclass());
+
+ if (!claims.isEmpty()) {
+ return;
+ }
+
+ for (Class<?> interfaceCls : cls.getInterfaces()) {
+ findClaims(interfaceCls);
+ }
+ }
+
+ private static boolean isClaimOverridden(ClaimBean bean, List<ClaimBean> mClaims) {
+ for (ClaimBean methodBean : mClaims) {
+ if (bean.getClaim().getName().equals(methodBean.getClaim().getName())
+ && bean.getClaim().getNameFormat().equals(methodBean.getClaim().getNameFormat())) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private List<ClaimBean> getClaims(
+ Claims claimsAnn, Claim claimAnn) {
+ List<ClaimBean> claimsList = new ArrayList<>();
+
+ List<Claim> annClaims = new ArrayList<>();
+ if (claimsAnn != null) {
+ annClaims.addAll(Arrays.asList(claimsAnn.value()));
+ } else if (claimAnn != null) {
+ annClaims.add(claimAnn);
+ }
+ for (Claim ann : annClaims) {
+ SAMLClaim claim = new SAMLClaim();
+
+ String claimName = ann.name();
+ if (nameAliases.containsKey(claimName)) {
+ claimName = nameAliases.get(claimName);
+ }
+ String claimFormat = ann.format();
+ if (formatAliases.containsKey(claimFormat)) {
+ claimFormat = formatAliases.get(claimFormat);
+ }
+
+ claim.setName(claimName);
+ claim.setNameFormat(claimFormat);
+ for (String value : ann.value()) {
+ claim.addValue(value);
+ }
+
+ claimsList.add(new ClaimBean(claim, ann.mode(), ann.matchAll()));
+ }
+ return claimsList;
+ }
+
+ public void setNameAliases(Map<String, String> nameAliases) {
+ this.nameAliases = nameAliases;
+ }
+
+ public void setFormatAliases(Map<String, String> formatAliases) {
+ this.formatAliases = formatAliases;
+ }
+
+}
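Review bot: `findClaims` keys the claims map by bare method name (`claims.put(m.getName(), allClaims)` at line 4331) and `authorize` looks it up the same way (line 4260), so overloaded service methods share one entry and whichever overload `getMethods()` happens to return last silently defines the claims for all of them; a method absent from a map supplied through `setClaims` makes the loop at line 4263 throw a NullPointerException, surfacing as a Fault instead of AccessDeniedException. Keying by name plus parameter types would change the `setClaims` map contract, so at minimum treat a missing entry as a denial, `if (list == null) { return false; }`, and document the overload limitation on `setSecuredObject`. Lines 4269 and 4351 also call `getNameFormat().equals(...)` on values that `SAMLUtils.getClaims` can leave null for SAML 1.1 attributes; `Objects.equals(...)` (with a `java.util.Objects` import) keeps an unmatched claim from becoming a NullPointerException.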
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/utils/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/utils/SAMLUtils.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/utils/SAMLUtils.java
new file mode 100644
index 0000000..5cb5bd6
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/utils/SAMLUtils.java
@@ -0,0 +1,141 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.utils;
+
+import java.net.URI;
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.w3c.dom.Element;
+import org.apache.cxf.common.security.SimpleGroup;
+import org.apache.cxf.rt.security.claims.Claim;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.saml.common.SAMLVersion;
+import org.opensaml.saml.saml2.core.Attribute;
+import org.opensaml.saml.saml2.core.AttributeStatement;
+
+public final class SAMLUtils {
+
+ private SAMLUtils() {
+
+ }
+
+ /**
+ * Extract Claims from a SAML Assertion
+ */
+ public static ClaimCollection getClaims(SamlAssertionWrapper assertion) {
+ ClaimCollection claims = new ClaimCollection();
+
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+ List<AttributeStatement> statements = assertion.getSaml2().getAttributeStatements();
+ for (AttributeStatement as : statements) {
+ for (Attribute atr : as.getAttributes()) {
+ SAMLClaim claim = new SAMLClaim();
+ claim.setClaimType(URI.create(atr.getName()));
+
+ claim.setName(atr.getName());
+ claim.setNameFormat(atr.getNameFormat());
+ claim.setFriendlyName(atr.getFriendlyName());
+
+ for (XMLObject o : atr.getAttributeValues()) {
+ String attrValue = o.getDOM().getTextContent();
+ claim.getValues().add(attrValue);
+ }
+
+ claims.add(claim);
+ }
+ }
+ } else {
+ List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements =
+ assertion.getSaml1().getAttributeStatements();
+
+ for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
+ for (org.opensaml.saml.saml1.core.Attribute atr : statement.getAttributes()) {
+ SAMLClaim claim = new SAMLClaim();
+
+ String claimType = atr.getAttributeName();
+ if (atr.getAttributeNamespace() != null) {
+ claimType = atr.getAttributeNamespace() + "/" + claimType;
+ }
+ claim.setClaimType(URI.create(claimType));
+
+ claim.setName(atr.getAttributeName());
+ claim.setNameFormat(atr.getAttributeNamespace());
+
+ for (XMLObject o : atr.getAttributeValues()) {
+ String attrValue = o.getDOM().getTextContent();
+ claim.getValues().add(attrValue);
+ }
+
+ claims.add(claim);
+ }
+ }
+ }
+
+ return claims;
+ }
+
+ /**
+ * Extract roles from the given Claims
+ */
+ public static Set<Principal> parseRolesFromClaims(
+ ClaimCollection claims,
+ String name,
+ String nameFormat
+ ) {
+ String roleAttributeName = name;
+ if (roleAttributeName == null) {
+ roleAttributeName = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
+ }
+
+ Set<Principal> roles = new HashSet<>();
+
+ for (Claim claim : claims) {
+ if (claim instanceof SAMLClaim && ((SAMLClaim)claim).getName().equals(name)
+ && (nameFormat == null
+ || claim instanceof SAMLClaim && nameFormat.equals(((SAMLClaim)claim).getNameFormat()))) {
+ for (Object claimValue : claim.getValues()) {
+ if (claimValue instanceof String) {
+ roles.add(new SimpleGroup((String)claimValue));
+ }
+ }
+ if (claim.getValues().size() > 1) {
+ // Don't search for other attributes with the same name if > 1 claim value
+ break;
+ }
+ }
+ }
+
+ return roles;
+ }
+
+ public static String getIssuer(Object assertion) {
+ return ((SamlAssertionWrapper)assertion).getIssuerString();
+ }
+
+ public static Element getAssertionElement(Object assertion) {
+ return ((SamlAssertionWrapper)assertion).getElement();
+ }
+
+}
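Review bot: `parseRolesFromClaims` computes `roleAttributeName` at lines 4514-4517, but line 4522 compares `getName()` against the raw `name` parameter, so the `SAML_ROLE_ATTRIBUTENAME_DEFAULT` fallback is dead code and a null `name` never matches any claim, yielding an empty role set. The condition should read `roleAttributeName.equals(((SAMLClaim)claim).getName())`, which both applies the default and removes the null risk on `getName()` since the left side is known non-null; the second `claim instanceof SAMLClaim &&` on line 4524 is then redundant because the first conjunct has already established it. `getIssuer` and `getAssertionElement` accept `Object` and cast unchecked; a `@throws ClassCastException if assertion is not a SamlAssertionWrapper` line, or a typed parameter, would document the expectation.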
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
new file mode 100644
index 0000000..590b324
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
@@ -0,0 +1,170 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.util.DOM2Writer;
+import org.opensaml.xacml.ctx.DecisionType.DECISION;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusType;
+
+
+/**
+ * An abstract interceptor to perform an XACML authorization request to a remote PDP,
+ * and make an authorization decision based on the response. It takes the principal and roles
+ * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
+ * statement.
+ *
+ * This class must be subclassed to actually perform the request to the PDP.
+ *
+ * @deprecated: Use XACMLAuthorizingInterceptor instead
+ */
+@Deprecated
+public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
+
+ private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
+
+ private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
+
+ public AbstractXACMLAuthorizingInterceptor() {
+ super(Phase.PRE_INVOKE);
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+ }
+
+ public void handleMessage(Message message) throws Fault {
+ SecurityContext sc = message.get(SecurityContext.class);
+
+ if (sc instanceof LoginSecurityContext) {
+ Principal principal = sc.getUserPrincipal();
+
+ LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
+ Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
+ List<String> roles = new ArrayList<>();
+ if (principalRoles != null) {
+ for (Principal p : principalRoles) {
+ if (p != principal) {
+ roles.add(p.getName());
+ }
+ }
+ }
+
+ try {
+ if (authorize(principal, roles, message)) {
+ return;
+ }
+ } catch (Exception e) {
+ LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
+ throw new AccessDeniedException("Unauthorized");
+ }
+ } else {
+ LOG.log(
+ Level.FINE,
+ "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
+ + "is possible as a result"
+ );
+ }
+
+ throw new AccessDeniedException("Unauthorized");
+ }
+
+ public XACMLRequestBuilder getRequestBuilder() {
+ return requestBuilder;
+ }
+
+ public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
+ this.requestBuilder = requestBuilder;
+ }
+
+ /**
+ * Perform a (remote) authorization decision and return a boolean depending on the result
+ */
+ protected boolean authorize(
+ Principal principal, List<String> roles, Message message
+ ) throws Exception {
+ RequestType request = requestBuilder.createRequest(principal, roles, message);
+ if (LOG.isLoggable(Level.FINE)) {
+ Document doc = DOMUtils.createDocument();
+ Element requestElement = OpenSAMLUtil.toDom(request, doc);
+ LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
+ }
+
+ ResponseType response = performRequest(request, message);
+
+ List<ResultType> results = response.getResults();
+
+ if (results == null) {
+ return false;
+ }
+
+ for (ResultType result : results) {
+ // Handle any Obligations returned by the PDP
+ handleObligations(request, principal, message, result);
+
+ DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
+ String code = "";
+ String statusMessage = "";
+ if (result.getStatus() != null) {
+ StatusType status = result.getStatus();
+ code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
+ statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
+ }
+ LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
+ return decision == DECISION.Permit;
+ }
+
+ return false;
+ }
+
+ public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
+
+ /**
+ * Handle any Obligations returned by the PDP
+ */
+ protected void handleObligations(
+ RequestType request,
+ Principal principal,
+ Message message,
+ ResultType result
+ ) throws Exception {
+ // Do nothing by default
+ }
+
+}
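Review bot: The loop over `results` at lines 4693-4707 returns on its first iteration, so when the PDP returns more than one Result only the first decides and later Results, including their Obligations, are never examined. If multi-result responses are possible for the PDPs this class targets, accumulate instead — `boolean permitted = !results.isEmpty();` before the loop, `permitted = permitted && decision == DECISION.Permit;` in place of the early return, and `return permitted;` after the loop — so a Deny in any Result denies; otherwise add a comment above the loop stating that only the first Result is evaluated. The class Javadoc's `@deprecated:` carries a stray colon that breaks the standard tag; write `@deprecated Use XACMLAuthorizingInterceptor instead`.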
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/CXFMessageParser.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/CXFMessageParser.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/CXFMessageParser.java
new file mode 100644
index 0000000..1af0f5e
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/CXFMessageParser.java
@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.xacml;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+
+public class CXFMessageParser {
+ private Message message;
+
+ /**
+ * @param message
+ */
+ public CXFMessageParser(Message message) {
+ this.message = message;
+ }
+
+ public boolean isSOAPService() {
+ return getWSDLOperation() != null;
+ }
+
+ public QName getWSDLOperation() {
+ if (message != null && message.get(Message.WSDL_OPERATION) != null) {
+ return (QName)message.get(Message.WSDL_OPERATION);
+ }
+ return null;
+ }
+
+ public QName getWSDLService() {
+ if (message != null && message.get(Message.WSDL_SERVICE) != null) {
+ return (QName)message.get(Message.WSDL_SERVICE);
+ }
+ return null;
+ }
+
+ /**
+ * @param fullRequestURL Whether to send the full Request URL as the resource or not. If set to true, the
+ * full Request URL will be sent for both a JAX-WS and JAX-RS service. If set to false (the
+ * default), a JAX-WS service will send the "{namespace}operation" QName, and a JAX-RS service
+ * will send the RequestURI (i.e. minus the initial https:<ip> prefix)
+ */
+ public String getResourceURI(boolean fullRequestURL) {
+ String property = fullRequestURL ? Message.REQUEST_URL : Message.REQUEST_URI;
+ if (message != null && message.get(property) != null) {
+ return (String)message.get(property);
+ }
+ return null;
+ }
+
+ public String getAction(String defaultSOAPAction) {
+ String actionToUse = defaultSOAPAction;
+ // For REST use the HTTP Verb
+ if (message.get(Message.WSDL_OPERATION) == null && message.get(Message.HTTP_REQUEST_METHOD) != null) {
+ actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD);
+ }
+ return actionToUse;
+ }
+
+ /**
+ * Get the Issuer of the SAML Assertion
+ */
+ public String getIssuer() throws WSSecurityException {
+ SecurityContext sc = message.get(SecurityContext.class);
+
+ if (sc instanceof SAMLSecurityContext) {
+ Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
+ if (assertionElement != null) {
+ SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertionElement);
+ return wrapper.getIssuerString();
+ }
+ }
+
+ return null;
+ }
+}
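Review bot: `getAction` (`message.get(Message.WSDL_OPERATION) == null && ...`) and `getIssuer` (`message.get(SecurityContext.class)`) dereference `message` unconditionally, while `getWSDLOperation`, `getWSDLService` and `getResourceURI` all guard `message != null`, so a null message fails with an NPE in two accessors and returns null from the others. Either the guards are dead or the two unguarded methods are wrong; the simplest consistent contract is to reject null once in the constructor, `this.message = Objects.requireNonNull(message, "message");` (import `java.util.Objects`), and to drop the per-method guards. The constructor Javadoc currently has an empty `@param message` tag; it should then read `@param message the current CXF message; must not be null`.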
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
new file mode 100644
index 0000000..02d115f
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
@@ -0,0 +1,217 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.message.Message;
+import org.joda.time.DateTime;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+/**
+ * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
+ * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
+ * and the list of roles associated with that principal are inserted as Subject roles. The action
+ * to send defaults to "execute".
+ *
+ * For a SOAP Service, the resource-id Attribute refers to the
+ * "{serviceNamespace}serviceName#{operationNamespace}operationName" String (shortened to
+ * "{serviceNamespace}serviceName#operationName" if the namespaces are identical). The
+ * "{serviceNamespace}serviceName", "{operationNamespace}operationName" and resource URI are also
+ * sent to simplify processing at the PDP side.
+ *
+ * For a REST service the request URL is the resource. You can also configure the ability to
+ * send the truncated request URI instead for a SOAP or REST service. The current DateTime is
+ * also sent in an Environment, however this can be disabled via configuration.
+ */
+public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
+
+ private boolean sendDateTime = true;
+ private String action = "execute";
+ private boolean sendFullRequestURL = true;
+
+ /**
+ * Create an XACML Request given a Principal, list of roles and Message.
+ */
+ public RequestType createRequest(Principal principal, List<String> roles, Message message)
+ throws Exception {
+ CXFMessageParser messageParser = new CXFMessageParser(message);
+ String issuer = messageParser.getIssuer();
+
+ String actionToUse = messageParser.getAction(action);
+
+ SubjectType subjectType = createSubjectType(principal, roles, issuer);
+ ResourceType resourceType = createResourceType(messageParser);
+ AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
+ null, actionToUse);
+ ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
+
+ return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
+ Collections.singletonList(resourceType),
+ actionType,
+ createEnvironmentType());
+ }
+
+ private ResourceType createResourceType(CXFMessageParser messageParser) {
+ List<AttributeType> attributes = new ArrayList<>();
+
+ // Resource-id
+ String resourceId = null;
+ boolean isSoapService = messageParser.isSOAPService();
+ if (isSoapService) {
+ QName serviceName = messageParser.getWSDLService();
+ QName operationName = messageParser.getWSDLOperation();
+
+ if (serviceName != null) {
+ resourceId = serviceName.toString() + "#";
+ if (serviceName.getNamespaceURI() != null
+ && serviceName.getNamespaceURI().equals(operationName.getNamespaceURI())) {
+ resourceId += operationName.getLocalPart();
+ } else {
+ resourceId += operationName.toString();
+ }
+ } else {
+ resourceId = operationName.toString();
+ }
+ } else {
+ resourceId = messageParser.getResourceURI(sendFullRequestURL);
+ }
+
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
+ resourceId));
+
+ if (isSoapService) {
+ // WSDL Service
+ QName wsdlService = messageParser.getWSDLService();
+ if (wsdlService != null) {
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_SERVICE_ID, XACMLConstants.XS_STRING, null,
+ wsdlService.toString()));
+ }
+
+ // WSDL Operation
+ QName wsdlOperation = messageParser.getWSDLOperation();
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_OPERATION_ID, XACMLConstants.XS_STRING, null,
+ wsdlOperation.toString()));
+
+ // WSDL Endpoint
+ String endpointURI = messageParser.getResourceURI(sendFullRequestURL);
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_ENDPOINT, XACMLConstants.XS_STRING, null,
+ endpointURI));
+ }
+
+ return RequestComponentBuilder.createResourceType(attributes, null);
+ }
+
+ private EnvironmentType createEnvironmentType() {
+ if (sendDateTime) {
+ List<AttributeType> attributes = new ArrayList<>();
+ AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
+ XACMLConstants.XS_DATETIME, null,
+ new DateTime().toString());
+ attributes.add(environmentAttribute);
+ return RequestComponentBuilder.createEnvironmentType(attributes);
+ }
+
+ List<AttributeType> attributes = Collections.emptyList();
+ return RequestComponentBuilder.createEnvironmentType(attributes);
+ }
+
+ private SubjectType createSubjectType(Principal principal, List<String> roles, String issuer) {
+ List<AttributeType> attributes = new ArrayList<>();
+ attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
+ principal.getName()));
+
+ if (roles != null) {
+ List<AttributeValueType> roleAttributes = new ArrayList<>();
+ for (String role : roles) {
+ if (role != null) {
+ AttributeValueType subjectRoleAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(role);
+ roleAttributes.add(subjectRoleAttributeValue);
+ }
+ }
+
+ if (!roleAttributes.isEmpty()) {
+ AttributeType subjectRoleAttribute =
+ createAttribute(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ issuer,
+ roleAttributes
+ );
+ attributes.add(subjectRoleAttribute);
+ }
+ }
+
+ return RequestComponentBuilder.createSubjectType(attributes, null);
+ }
+
+ private AttributeType createAttribute(String id, String type, String issuer, List<AttributeValueType> values) {
+ return RequestComponentBuilder.createAttributeType(id, type, issuer, values);
+ }
+
+ private AttributeType createAttribute(String id, String type, String issuer, String value) {
+ return createAttribute(id, type, issuer,
+ Collections.singletonList(RequestComponentBuilder.createAttributeValueType(value)));
+ }
+
+ /**
+ * Set a new Action String to use
+ */
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public void setSendDateTime(boolean sendDateTime) {
+ this.sendDateTime = sendDateTime;
+ }
+
+ /**
+ * Whether to send the full Request URL as the resource or not. If set to true,
+ * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
+ * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
+ * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
+ */
+ public void setSendFullRequestURL(boolean sendFullRequestURL) {
+ this.sendFullRequestURL = sendFullRequestURL;
+ }
+
+ @Override
+ public List<String> getResources(Message message) {
+ throw new IllegalAccessError("Deprecated");
+ }
+
+ @Override
+ public String getResource(Message message) {
+ throw new IllegalAccessError("Deprecated");
+ }
+
+}
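Review bot: The Javadoc on `setSendFullRequestURL` says false is the default, but the field is initialised as `private boolean sendFullRequestURL = true;`, so the documented and actual defaults disagree. The same paragraph says a JAX-WS service sends the `{namespace}operation` QName when the flag is false, whereas `createResourceType` always builds the resource-id from `serviceName#operation` for a SOAP service and only uses the flag for the `RESOURCE_WSDL_ENDPOINT` attribute; the text should describe that behaviour instead. Separately, `getResources` and `getResource` throw `IllegalAccessError`, a JVM linkage error, to signal a deprecated method; `throw new UnsupportedOperationException("Deprecated");` is the conventional type and the one callers would reasonably catch. `createSubjectType` also calls `principal.getName()` without a null check, so a null principal reaches the PDP request as an NPE rather than a clear error; a `Objects.requireNonNull(principal, "principal")` at the top of `createRequest` would make that explicit.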
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilder.java
new file mode 100644
index 0000000..08f8da8
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilder.java
@@ -0,0 +1,183 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.util.List;
+
+import org.opensaml.core.xml.XMLObjectBuilderFactory;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceContentType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+/**
+ * A set of utility methods to construct XACML 2.0 Request statements
+ */
+public final class RequestComponentBuilder {
+ private static volatile XACMLObjectBuilder<AttributeValueType> attributeValueTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<AttributeType> attributeTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<SubjectType> subjectTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<ResourceType> resourceTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<ActionType> actionTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<EnvironmentType> environmentTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder;
+
+ private static volatile XMLObjectBuilderFactory builderFactory =
+ XMLObjectProviderRegistrySupport.getBuilderFactory();
+
+ private RequestComponentBuilder() {
+ // complete
+ }
+
+ @SuppressWarnings("unchecked")
+ public static AttributeValueType createAttributeValueType(
+ String value
+ ) {
+ if (attributeValueTypeBuilder == null) {
+ attributeValueTypeBuilder = (XACMLObjectBuilder<AttributeValueType>)
+ builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
+ }
+ AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
+ attributeValue.setValue(value);
+
+ return attributeValue;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static AttributeType createAttributeType(
+ String attributeId,
+ String dataType,
+ String issuer,
+ List<AttributeValueType> attributeValues
+ ) {
+ if (attributeTypeBuilder == null) {
+ attributeTypeBuilder = (XACMLObjectBuilder<AttributeType>)
+ builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
+ }
+ AttributeType attributeType = attributeTypeBuilder.buildObject();
+ attributeType.setAttributeID(attributeId);
+ attributeType.setDataType(dataType);
+ attributeType.setIssuer(issuer);
+ attributeType.getAttributeValues().addAll(attributeValues);
+
+ return attributeType;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static SubjectType createSubjectType(
+ List<AttributeType> attributes,
+ String subjectCategory
+ ) {
+ if (subjectTypeBuilder == null) {
+ subjectTypeBuilder = (XACMLObjectBuilder<SubjectType>)
+ builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
+ }
+ SubjectType subject = subjectTypeBuilder.buildObject();
+ if (attributes != null) {
+ subject.getAttributes().addAll(attributes);
+ }
+ subject.setSubjectCategory(subjectCategory);
+
+ return subject;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static ResourceType createResourceType(
+ List<AttributeType> attributes,
+ ResourceContentType resourceContent
+ ) {
+ if (resourceTypeBuilder == null) {
+ resourceTypeBuilder = (XACMLObjectBuilder<ResourceType>)
+ builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
+ }
+ ResourceType resource = resourceTypeBuilder.buildObject();
+ if (attributes != null) {
+ resource.getAttributes().addAll(attributes);
+ }
+ resource.setResourceContent(resourceContent);
+
+ return resource;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static ActionType createActionType(
+ List<AttributeType> attributes
+ ) {
+ if (actionTypeBuilder == null) {
+ actionTypeBuilder = (XACMLObjectBuilder<ActionType>)
+ builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
+ }
+ ActionType action = actionTypeBuilder.buildObject();
+ if (attributes != null) {
+ action.getAttributes().addAll(attributes);
+ }
+
+ return action;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static EnvironmentType createEnvironmentType(
+ List<AttributeType> attributes
+ ) {
+ if (environmentTypeBuilder == null) {
+ environmentTypeBuilder = (XACMLObjectBuilder<EnvironmentType>)
+ builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
+ }
+ EnvironmentType enviroment = environmentTypeBuilder.buildObject();
+ if (attributes != null) {
+ enviroment.getAttributes().addAll(attributes);
+ }
+
+ return enviroment;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static RequestType createRequestType(
+ List<SubjectType> subjects,
+ List<ResourceType> resources,
+ ActionType action,
+ EnvironmentType environment
+ ) {
+ if (requestTypeBuilder == null) {
+ requestTypeBuilder = (XACMLObjectBuilder<RequestType>)
+ builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
+ }
+ RequestType request = requestTypeBuilder.buildObject();
+ request.getSubjects().addAll(subjects);
+ request.getResources().addAll(resources);
+ request.setAction(action);
+ request.setEnvironment(environment);
+
+ return request;
+ }
+
+}
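Review bot: `createRequestType` calls `request.getSubjects().addAll(subjects)` and `request.getResources().addAll(resources)` without the `!= null` guard that `createSubjectType`, `createResourceType`, `createActionType` and `createEnvironmentType` apply to their list argument, so a null list throws NPE here but is tolerated elsewhere in the same class. Either guard both (`if (subjects != null) { request.getSubjects().addAll(subjects); }`) or document the requirement with `@param subjects must not be null`. The lazily initialised `volatile` builder fields are assigned without synchronisation, so two threads can each perform the factory lookup; that looks harmless if the builders are stateless, but a comment such as `// benign race: builders are stateless, a duplicate lookup is acceptable` would record the assumption. `builderFactory` is assigned once at class initialisation and never reassigned, so `static final` describes it better than `volatile`.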
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilder.java
new file mode 100644
index 0000000..c0d8255
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilder.java
@@ -0,0 +1,118 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import java.util.UUID;
+
+import org.joda.time.DateTime;
+import org.opensaml.core.xml.XMLObjectBuilderFactory;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.saml.common.SAMLObjectBuilder;
+import org.opensaml.saml.common.SAMLVersion;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
+import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
+
+/**
+ * A set of utility methods to construct XACML SAML Request statements, based on the
+ * SAML 2.0 profile of XACML v2.0 specification.
+ */
+public final class SamlRequestComponentBuilder {
+ private static volatile XACMLObjectBuilder<XACMLAuthzDecisionQueryType> xacmlAuthzDecisionQueryTypeBuilder;
+
+ private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
+
+ private static volatile XMLObjectBuilderFactory builderFactory =
+ XMLObjectProviderRegistrySupport.getBuilderFactory();
+
+ private SamlRequestComponentBuilder() {
+ // complete
+ }
+
+ /**
+ * Create an AuthzDecisionQuery using the defaults
+ */
+ public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
+ String issuerValue,
+ RequestType request,
+ String namespace
+ ) {
+ return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
+ }
+
+ @SuppressWarnings("unchecked")
+ public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
+ boolean inputContextOnly,
+ boolean returnContext,
+ String issuerValue,
+ RequestType request,
+ String namespace
+ ) {
+ if (xacmlAuthzDecisionQueryTypeBuilder == null) {
+ xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>)
+ builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
+ }
+ XACMLAuthzDecisionQueryType authzQuery =
+ xacmlAuthzDecisionQueryTypeBuilder.buildObject(
+ namespace,
+ XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
+ SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
+ );
+ authzQuery.setID("_" + UUID.randomUUID().toString());
+ authzQuery.setVersion(SAMLVersion.VERSION_20);
+ authzQuery.setIssueInstant(new DateTime());
+ authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
+ authzQuery.setReturnContext(Boolean.valueOf(returnContext));
+
+ if (issuerValue != null) {
+ Issuer issuer = createIssuer(issuerValue);
+ authzQuery.setIssuer(issuer);
+ }
+
+ authzQuery.setRequest(request);
+
+ return authzQuery;
+ }
+
+
+ /**
+ * Create an Issuer object
+ *
+ * @param issuerValue of type String
+ * @return an Issuer object
+ */
+ @SuppressWarnings("unchecked")
+ public static Issuer createIssuer(String issuerValue) {
+ if (issuerBuilder == null) {
+ issuerBuilder = (SAMLObjectBuilder<Issuer>)
+ builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
+
+ }
+ Issuer issuer = issuerBuilder.buildObject();
+ //
+ // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD
+ // be unambiguous to the intended relying parties.
+ issuer.setValue(issuerValue);
+ return issuer;
+ }
+
+}
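Review bot: `authzQuery.setIssueInstant(new DateTime());` creates the instant in the JVM default zone; SAML 2.0 Core (section 1.3.3) requires time values to be expressed in UTC, so `authzQuery.setIssueInstant(new DateTime(DateTimeZone.UTC));` states the intent explicitly rather than relying on the marshaller to normalise the zone on output. The same applies to `new DateTime().toString()` for the `CURRENT_DATETIME` environment attribute in `DefaultXACMLRequestBuilder.createEnvironmentType`, where the string is emitted as-is and therefore carries the local offset. The Javadoc on the three-argument `createAuthzDecisionQuery` could also say what "the defaults" are, e.g. `Create an AuthzDecisionQuery with InputContextOnly=false and ReturnContext=false`.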
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
new file mode 100644
index 0000000..065c5a9
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml;
+
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMResult;
+import javax.xml.transform.dom.DOMSource;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+
+/**
+ * An interceptor to perform an XACML authorization request to a remote PDP,
+ * and make an authorization decision based on the response. It takes the principal and roles
+ * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
+ * statement.
+ */
+@SuppressWarnings("deprecation")
+public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
+ private PolicyDecisionPoint pdp;
+
+ public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
+ super();
+ this.pdp = pdp;
+ }
+
+ @Override
+ public ResponseType performRequest(RequestType request, Message message) throws Exception {
+ Source requestSource = requestType2Source(request);
+ Source responseSource = this.pdp.evaluate(requestSource);
+ return responseSourceToResponseType(responseSource);
+ }
+
+ private Source requestType2Source(RequestType request) {
+ Document doc = DOMUtils.createDocument();
+ Element requestElement;
+ try {
+ requestElement = OpenSAMLUtil.toDom(request, doc);
+ } catch (WSSecurityException e) {
+ throw new RuntimeException("Error converting PDP RequestType to Dom", e);
+ }
+ return new DOMSource(requestElement);
+ }
+
+ private ResponseType responseSourceToResponseType(Source responseSource) {
+ try {
+ Transformer trans = TransformerFactory.newInstance().newTransformer();
+ DOMResult res = new DOMResult();
+ trans.transform(responseSource, res);
+ Node nd = res.getNode();
+ if (nd instanceof Document) {
+ nd = ((Document)nd).getDocumentElement();
+ }
+ return (ResponseType)OpenSAMLUtil.fromDom((Element)nd);
+ } catch (Exception e) {
+ throw new RuntimeException("Error converting pdp response to ResponseType", e);
+ }
+ }
+}
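Review bot: `responseSourceToResponseType` builds `TransformerFactory.newInstance()` with default settings and feeds it the `Source` returned by the PDP, which the class Javadoc describes as remote; if that `Source` is a stream rather than a DOM, the default factory resolves external DTDs and entities while parsing it. Enabling `XMLConstants.FEATURE_SECURE_PROCESSING` and blanking `ACCESS_EXTERNAL_DTD`/`ACCESS_EXTERNAL_STYLESHEET` (import `javax.xml.XMLConstants`) closes that regardless of the Source subtype; the `setAttribute` calls throw `IllegalArgumentException` on factories that predate JAXP 1.5, so guard them if a third-party TransformerFactory can be on the classpath. It would also help to fail with a clear message when `res.getNode()` returns null instead of letting the NPE be wrapped as a generic conversion error.
```java
    private ResponseType responseSourceToResponseType(Source responseSource) {
        try {
            TransformerFactory factory = TransformerFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
            Transformer trans = factory.newTransformer();
            // … unchanged: transform into DOMResult, unwrap Document, OpenSAMLUtil.fromDom …
```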
[2/4] cxf git commit: Adding a new cxf-rt-security-saml module to
remove OpenSAML dependencies from cxf-rt-security
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
deleted file mode 100644
index 22d61cf..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
+++ /dev/null
@@ -1,242 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.claims;
-
-import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.logging.Logger;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.common.util.ClassHelper;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.security.claims.authorization.Claim;
-import org.apache.cxf.security.claims.authorization.ClaimMode;
-import org.apache.cxf.security.claims.authorization.Claims;
-import org.apache.cxf.service.Service;
-import org.apache.cxf.service.invoker.MethodDispatcher;
-import org.apache.cxf.service.model.BindingOperationInfo;
-
-
-public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
-
- private static final Logger LOG = LogUtils.getL7dLogger(ClaimsAuthorizingInterceptor.class);
-
- private static final Set<String> SKIP_METHODS;
- static {
- SKIP_METHODS = new HashSet<>();
- SKIP_METHODS.addAll(Arrays.asList(
- new String[] {"wait", "notify", "notifyAll",
- "equals", "toString", "hashCode"}));
- }
-
- private Map<String, List<ClaimBean>> claims = new HashMap<>();
- private Map<String, String> nameAliases = Collections.emptyMap();
- private Map<String, String> formatAliases = Collections.emptyMap();
-
- public ClaimsAuthorizingInterceptor() {
- super(Phase.PRE_INVOKE);
- }
-
- public void handleMessage(Message message) throws Fault {
- SecurityContext sc = message.get(SecurityContext.class);
- if (!(sc instanceof SAMLSecurityContext)) {
- throw new AccessDeniedException("Security Context is unavailable or unrecognized");
- }
-
- Method method = getTargetMethod(message);
-
- if (authorize((SAMLSecurityContext)sc, method)) {
- return;
- }
-
- throw new AccessDeniedException("Unauthorized");
- }
-
- public void setClaims(Map<String, List<ClaimBean>> claimsMap) {
- claims.putAll(claimsMap);
- }
-
- protected Method getTargetMethod(Message m) {
- BindingOperationInfo bop = m.getExchange().get(BindingOperationInfo.class);
- if (bop != null) {
- MethodDispatcher md = (MethodDispatcher)
- m.getExchange().get(Service.class).get(MethodDispatcher.class.getName());
- return md.getMethod(bop);
- }
- Method method = (Method)m.get("org.apache.cxf.resource.method");
- if (method != null) {
- return method;
- }
- throw new AccessDeniedException("Method is not available : Unauthorized");
- }
-
- protected boolean authorize(SAMLSecurityContext sc, Method method) {
- List<ClaimBean> list = claims.get(method.getName());
- org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims();
-
- for (ClaimBean claimBean : list) {
- org.apache.cxf.rt.security.claims.Claim claim = claimBean.getClaim();
- org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
- for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
- if (cl instanceof SAMLClaim
- && ((SAMLClaim)cl).getName().equals(((SAMLClaim)claim).getName())
- && ((SAMLClaim)cl).getNameFormat().equals(((SAMLClaim)claim).getNameFormat())) {
- matchingClaim = cl;
- break;
- }
- }
- if (matchingClaim == null) {
- if (claimBean.getClaimMode() == ClaimMode.STRICT) {
- return false;
- } else {
- continue;
- }
- }
- List<Object> claimValues = claim.getValues();
- List<Object> matchingClaimValues = matchingClaim.getValues();
- if (claimBean.isMatchAll()
- && !matchingClaimValues.containsAll(claimValues)) {
- return false;
- } else {
- boolean matched = false;
- for (Object value : matchingClaimValues) {
- if (claimValues.contains(value)) {
- matched = true;
- break;
- }
- }
- if (!matched) {
- return false;
- }
- }
- }
- return true;
- }
-
- public void setSecuredObject(Object object) {
- Class<?> cls = ClassHelper.getRealClass(object);
- findClaims(cls);
- if (claims.isEmpty()) {
- LOG.warning("The claims list is empty, the service object is not protected");
- }
- }
-
- protected void findClaims(Class<?> cls) {
- if (cls == null || cls == Object.class) {
- return;
- }
- List<ClaimBean> clsClaims =
- getClaims(cls.getAnnotation(Claims.class), cls.getAnnotation(Claim.class));
- for (Method m : cls.getMethods()) {
- if (SKIP_METHODS.contains(m.getName())) {
- continue;
- }
- List<ClaimBean> methodClaims =
- getClaims(m.getAnnotation(Claims.class), m.getAnnotation(Claim.class));
-
- List<ClaimBean> allClaims = new ArrayList<>(methodClaims);
- for (ClaimBean bean : clsClaims) {
- if (isClaimOverridden(bean, methodClaims)) {
- continue;
- }
- allClaims.add(bean);
- }
-
- claims.put(m.getName(), allClaims);
- }
- if (!claims.isEmpty()) {
- return;
- }
-
- findClaims(cls.getSuperclass());
-
- if (!claims.isEmpty()) {
- return;
- }
-
- for (Class<?> interfaceCls : cls.getInterfaces()) {
- findClaims(interfaceCls);
- }
- }
-
- private static boolean isClaimOverridden(ClaimBean bean, List<ClaimBean> mClaims) {
- for (ClaimBean methodBean : mClaims) {
- if (bean.getClaim().getName().equals(methodBean.getClaim().getName())
- && bean.getClaim().getNameFormat().equals(methodBean.getClaim().getNameFormat())) {
- return true;
- }
- }
- return false;
- }
-
- private List<ClaimBean> getClaims(
- Claims claimsAnn, Claim claimAnn) {
- List<ClaimBean> claimsList = new ArrayList<>();
-
- List<Claim> annClaims = new ArrayList<>();
- if (claimsAnn != null) {
- annClaims.addAll(Arrays.asList(claimsAnn.value()));
- } else if (claimAnn != null) {
- annClaims.add(claimAnn);
- }
- for (Claim ann : annClaims) {
- SAMLClaim claim = new SAMLClaim();
-
- String claimName = ann.name();
- if (nameAliases.containsKey(claimName)) {
- claimName = nameAliases.get(claimName);
- }
- String claimFormat = ann.format();
- if (formatAliases.containsKey(claimFormat)) {
- claimFormat = formatAliases.get(claimFormat);
- }
-
- claim.setName(claimName);
- claim.setNameFormat(claimFormat);
- for (String value : ann.value()) {
- claim.addValue(value);
- }
-
- claimsList.add(new ClaimBean(claim, ann.mode(), ann.matchAll()));
- }
- return claimsList;
- }
-
- public void setNameAliases(Map<String, String> nameAliases) {
- this.nameAliases = nameAliases;
- }
-
- public void setFormatAliases(Map<String, String> formatAliases) {
- this.formatAliases = formatAliases;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
deleted file mode 100644
index a76747c..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.claims;
-
-
-/**
- * This represents a Claim that is coupled to a SAML Assertion
- */
-public class SAMLClaim extends Claim {
-
- /**
- * This configuration tag specifies the default attribute name where the roles are present
- * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
- */
- public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
-
- private static final long serialVersionUID = 5530712294179589442L;
-
- private String nameFormat;
- private String name;
- private String friendlyName;
-
- public String getNameFormat() {
- return nameFormat;
- }
-
- public void setNameFormat(String nameFormat) {
- this.nameFormat = nameFormat;
- }
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getFriendlyName() {
- return friendlyName;
- }
-
- public void setFriendlyName(String friendlyName) {
- this.friendlyName = friendlyName;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
deleted file mode 100644
index 4287eb2..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.saml;
-
-import java.security.Principal;
-import java.util.Set;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.claims.ClaimsSecurityContext;
-
-public class SAMLSecurityContext implements ClaimsSecurityContext {
-
- private final Principal principal;
- private Set<Principal> roles;
- private Element assertionElement;
- private String issuer;
- private ClaimCollection claims;
-
- public SAMLSecurityContext(Principal principal) {
- this(principal, null);
- }
-
- public SAMLSecurityContext(
- Principal principal,
- Set<Principal> roles
- ) {
- this(principal, roles, null);
- }
-
- public SAMLSecurityContext(
- Principal principal,
- Set<Principal> roles,
- ClaimCollection claims
- ) {
- this.principal = principal;
- this.roles = roles;
- this.claims = claims;
- }
-
- public ClaimCollection getClaims() {
- return claims;
- }
-
- public Principal getUserPrincipal() {
- return principal;
- }
-
- public boolean isUserInRole(String role) {
- if (roles == null) {
- return false;
- }
- for (Principal principalRole : roles) {
- if (principalRole.getName().equals(role)) {
- return true;
- }
- }
- return false;
- }
-
- public javax.security.auth.Subject getSubject() {
- return null;
- }
-
- public void setUserRoles(Set<Principal> userRoles) {
- this.roles = userRoles;
- }
-
- public Set<Principal> getUserRoles() {
- return roles;
- }
-
- public void setAssertionElement(Element assertionElement) {
- this.assertionElement = assertionElement;
- }
-
- public Element getAssertionElement() {
- return assertionElement;
- }
-
- public void setIssuer(String issuer) {
- this.issuer = issuer;
- }
-
- public String getIssuer() {
- return issuer;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
deleted file mode 100644
index 8229a07..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
+++ /dev/null
@@ -1,141 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.saml;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.common.security.SimpleGroup;
-import org.apache.cxf.rt.security.claims.Claim;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.claims.SAMLClaim;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.opensaml.core.xml.XMLObject;
-import org.opensaml.saml.common.SAMLVersion;
-import org.opensaml.saml.saml2.core.Attribute;
-import org.opensaml.saml.saml2.core.AttributeStatement;
-
-public final class SAMLUtils {
-
- private SAMLUtils() {
-
- }
-
- /**
- * Extract Claims from a SAML Assertion
- */
- public static ClaimCollection getClaims(SamlAssertionWrapper assertion) {
- ClaimCollection claims = new ClaimCollection();
-
- if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
- List<AttributeStatement> statements = assertion.getSaml2().getAttributeStatements();
- for (AttributeStatement as : statements) {
- for (Attribute atr : as.getAttributes()) {
- SAMLClaim claim = new SAMLClaim();
- claim.setClaimType(URI.create(atr.getName()));
-
- claim.setName(atr.getName());
- claim.setNameFormat(atr.getNameFormat());
- claim.setFriendlyName(atr.getFriendlyName());
-
- for (XMLObject o : atr.getAttributeValues()) {
- String attrValue = o.getDOM().getTextContent();
- claim.getValues().add(attrValue);
- }
-
- claims.add(claim);
- }
- }
- } else {
- List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements =
- assertion.getSaml1().getAttributeStatements();
-
- for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
- for (org.opensaml.saml.saml1.core.Attribute atr : statement.getAttributes()) {
- SAMLClaim claim = new SAMLClaim();
-
- String claimType = atr.getAttributeName();
- if (atr.getAttributeNamespace() != null) {
- claimType = atr.getAttributeNamespace() + "/" + claimType;
- }
- claim.setClaimType(URI.create(claimType));
-
- claim.setName(atr.getAttributeName());
- claim.setNameFormat(atr.getAttributeNamespace());
-
- for (XMLObject o : atr.getAttributeValues()) {
- String attrValue = o.getDOM().getTextContent();
- claim.getValues().add(attrValue);
- }
-
- claims.add(claim);
- }
- }
- }
-
- return claims;
- }
-
- /**
- * Extract roles from the given Claims
- */
- public static Set<Principal> parseRolesFromClaims(
- ClaimCollection claims,
- String name,
- String nameFormat
- ) {
- String roleAttributeName = name;
- if (roleAttributeName == null) {
- roleAttributeName = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
- }
-
- Set<Principal> roles = new HashSet<>();
-
- for (Claim claim : claims) {
- if (claim instanceof SAMLClaim && ((SAMLClaim)claim).getName().equals(name)
- && (nameFormat == null
- || claim instanceof SAMLClaim && nameFormat.equals(((SAMLClaim)claim).getNameFormat()))) {
- for (Object claimValue : claim.getValues()) {
- if (claimValue instanceof String) {
- roles.add(new SimpleGroup((String)claimValue));
- }
- }
- if (claim.getValues().size() > 1) {
- // Don't search for other attributes with the same name if > 1 claim value
- break;
- }
- }
- }
-
- return roles;
- }
-
- public static String getIssuer(Object assertion) {
- return ((SamlAssertionWrapper)assertion).getIssuerString();
- }
-
- public static Element getAssertionElement(Object assertion) {
- return ((SamlAssertionWrapper)assertion).getElement();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
deleted file mode 100644
index fe109e5..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,170 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusType;
-
-
-/**
- * An abstract interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- *
- * This class must be subclassed to actually perform the request to the PDP.
- *
- * @deprecated: Use XACMLAuthorizingInterceptor instead
- */
-@Deprecated
-public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
-
- private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
-
- private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
-
- public AbstractXACMLAuthorizingInterceptor() {
- super(Phase.PRE_INVOKE);
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- public void handleMessage(Message message) throws Fault {
- SecurityContext sc = message.get(SecurityContext.class);
-
- if (sc instanceof LoginSecurityContext) {
- Principal principal = sc.getUserPrincipal();
-
- LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
- Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
- List<String> roles = new ArrayList<>();
- if (principalRoles != null) {
- for (Principal p : principalRoles) {
- if (p != principal) {
- roles.add(p.getName());
- }
- }
- }
-
- try {
- if (authorize(principal, roles, message)) {
- return;
- }
- } catch (Exception e) {
- LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
- throw new AccessDeniedException("Unauthorized");
- }
- } else {
- LOG.log(
- Level.FINE,
- "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
- + "is possible as a result"
- );
- }
-
- throw new AccessDeniedException("Unauthorized");
- }
-
- public XACMLRequestBuilder getRequestBuilder() {
- return requestBuilder;
- }
-
- public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
- this.requestBuilder = requestBuilder;
- }
-
- /**
- * Perform a (remote) authorization decision and return a boolean depending on the result
- */
- protected boolean authorize(
- Principal principal, List<String> roles, Message message
- ) throws Exception {
- RequestType request = requestBuilder.createRequest(principal, roles, message);
- if (LOG.isLoggable(Level.FINE)) {
- Document doc = DOMUtils.createDocument();
- Element requestElement = OpenSAMLUtil.toDom(request, doc);
- LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
- }
-
- ResponseType response = performRequest(request, message);
-
- List<ResultType> results = response.getResults();
-
- if (results == null) {
- return false;
- }
-
- for (ResultType result : results) {
- // Handle any Obligations returned by the PDP
- handleObligations(request, principal, message, result);
-
- DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
- String code = "";
- String statusMessage = "";
- if (result.getStatus() != null) {
- StatusType status = result.getStatus();
- code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
- statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
- }
- LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
- return decision == DECISION.Permit;
- }
-
- return false;
- }
-
- public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
-
- /**
- * Handle any Obligations returned by the PDP
- */
- protected void handleObligations(
- RequestType request,
- Principal principal,
- Message message,
- ResultType result
- ) throws Exception {
- // Do nothing by default
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
deleted file mode 100644
index 5da3359..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.xacml;
-
-import javax.xml.namespace.QName;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-
-public class CXFMessageParser {
- private Message message;
-
- /**
- * @param message
- */
- public CXFMessageParser(Message message) {
- this.message = message;
- }
-
- public boolean isSOAPService() {
- return getWSDLOperation() != null;
- }
-
- public QName getWSDLOperation() {
- if (message != null && message.get(Message.WSDL_OPERATION) != null) {
- return (QName)message.get(Message.WSDL_OPERATION);
- }
- return null;
- }
-
- public QName getWSDLService() {
- if (message != null && message.get(Message.WSDL_SERVICE) != null) {
- return (QName)message.get(Message.WSDL_SERVICE);
- }
- return null;
- }
-
- /**
- * @param fullRequestURL Whether to send the full Request URL as the resource or not. If set to true, the
- * full Request URL will be sent for both a JAX-WS and JAX-RS service. If set to false (the
- * default), a JAX-WS service will send the "{namespace}operation" QName, and a JAX-RS service
- * will send the RequestURI (i.e. minus the initial https:<ip> prefix)
- */
- public String getResourceURI(boolean fullRequestURL) {
- String property = fullRequestURL ? Message.REQUEST_URL : Message.REQUEST_URI;
- if (message != null && message.get(property) != null) {
- return (String)message.get(property);
- }
- return null;
- }
-
- public String getAction(String defaultSOAPAction) {
- String actionToUse = defaultSOAPAction;
- // For REST use the HTTP Verb
- if (message.get(Message.WSDL_OPERATION) == null && message.get(Message.HTTP_REQUEST_METHOD) != null) {
- actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD);
- }
- return actionToUse;
- }
-
- /**
- * Get the Issuer of the SAML Assertion
- */
- public String getIssuer() throws WSSecurityException {
- SecurityContext sc = message.get(SecurityContext.class);
-
- if (sc instanceof SAMLSecurityContext) {
- Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
- if (assertionElement != null) {
- SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertionElement);
- return wrapper.getIssuerString();
- }
- }
-
- return null;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
deleted file mode 100644
index c2bb40b..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
+++ /dev/null
@@ -1,217 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.joda.time.DateTime;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
- * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
- * and the list of roles associated with that principal are inserted as Subject roles. The action
- * to send defaults to "execute".
- *
- * For a SOAP Service, the resource-id Attribute refers to the
- * "{serviceNamespace}serviceName#{operationNamespace}operationName" String (shortened to
- * "{serviceNamespace}serviceName#operationName" if the namespaces are identical). The
- * "{serviceNamespace}serviceName", "{operationNamespace}operationName" and resource URI are also
- * sent to simplify processing at the PDP side.
- *
- * For a REST service the request URL is the resource. You can also configure the ability to
- * send the truncated request URI instead for a SOAP or REST service. The current DateTime is
- * also sent in an Environment, however this can be disabled via configuration.
- */
-public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
-
- private boolean sendDateTime = true;
- private String action = "execute";
- private boolean sendFullRequestURL = true;
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- */
- public RequestType createRequest(Principal principal, List<String> roles, Message message)
- throws Exception {
- CXFMessageParser messageParser = new CXFMessageParser(message);
- String issuer = messageParser.getIssuer();
-
- String actionToUse = messageParser.getAction(action);
-
- SubjectType subjectType = createSubjectType(principal, roles, issuer);
- ResourceType resourceType = createResourceType(messageParser);
- AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
- null, actionToUse);
- ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
-
- return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
- Collections.singletonList(resourceType),
- actionType,
- createEnvironmentType());
- }
-
- private ResourceType createResourceType(CXFMessageParser messageParser) {
- List<AttributeType> attributes = new ArrayList<>();
-
- // Resource-id
- String resourceId = null;
- boolean isSoapService = messageParser.isSOAPService();
- if (isSoapService) {
- QName serviceName = messageParser.getWSDLService();
- QName operationName = messageParser.getWSDLOperation();
-
- if (serviceName != null) {
- resourceId = serviceName.toString() + "#";
- if (serviceName.getNamespaceURI() != null
- && serviceName.getNamespaceURI().equals(operationName.getNamespaceURI())) {
- resourceId += operationName.getLocalPart();
- } else {
- resourceId += operationName.toString();
- }
- } else {
- resourceId = operationName.toString();
- }
- } else {
- resourceId = messageParser.getResourceURI(sendFullRequestURL);
- }
-
- attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
- resourceId));
-
- if (isSoapService) {
- // WSDL Service
- QName wsdlService = messageParser.getWSDLService();
- if (wsdlService != null) {
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_SERVICE_ID, XACMLConstants.XS_STRING, null,
- wsdlService.toString()));
- }
-
- // WSDL Operation
- QName wsdlOperation = messageParser.getWSDLOperation();
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_OPERATION_ID, XACMLConstants.XS_STRING, null,
- wsdlOperation.toString()));
-
- // WSDL Endpoint
- String endpointURI = messageParser.getResourceURI(sendFullRequestURL);
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_ENDPOINT, XACMLConstants.XS_STRING, null,
- endpointURI));
- }
-
- return RequestComponentBuilder.createResourceType(attributes, null);
- }
-
- private EnvironmentType createEnvironmentType() {
- if (sendDateTime) {
- List<AttributeType> attributes = new ArrayList<>();
- AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
- XACMLConstants.XS_DATETIME, null,
- new DateTime().toString());
- attributes.add(environmentAttribute);
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- List<AttributeType> attributes = Collections.emptyList();
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- private SubjectType createSubjectType(Principal principal, List<String> roles, String issuer) {
- List<AttributeType> attributes = new ArrayList<>();
- attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
- principal.getName()));
-
- if (roles != null) {
- List<AttributeValueType> roleAttributes = new ArrayList<>();
- for (String role : roles) {
- if (role != null) {
- AttributeValueType subjectRoleAttributeValue =
- RequestComponentBuilder.createAttributeValueType(role);
- roleAttributes.add(subjectRoleAttributeValue);
- }
- }
-
- if (!roleAttributes.isEmpty()) {
- AttributeType subjectRoleAttribute =
- createAttribute(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- issuer,
- roleAttributes
- );
- attributes.add(subjectRoleAttribute);
- }
- }
-
- return RequestComponentBuilder.createSubjectType(attributes, null);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, List<AttributeValueType> values) {
- return RequestComponentBuilder.createAttributeType(id, type, issuer, values);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, String value) {
- return createAttribute(id, type, issuer,
- Collections.singletonList(RequestComponentBuilder.createAttributeValueType(value)));
- }
-
- /**
- * Set a new Action String to use
- */
- public void setAction(String action) {
- this.action = action;
- }
-
- public void setSendDateTime(boolean sendDateTime) {
- this.sendDateTime = sendDateTime;
- }
-
- /**
- * Whether to send the full Request URL as the resource or not. If set to true,
- * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
- * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
- * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
- */
- public void setSendFullRequestURL(boolean sendFullRequestURL) {
- this.sendFullRequestURL = sendFullRequestURL;
- }
-
- @Override
- public List<String> getResources(Message message) {
- throw new IllegalAccessError("Deprecated");
- }
-
- @Override
- public String getResource(Message message) {
- throw new IllegalAccessError("Deprecated");
- }
-
-}
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
deleted file mode 100644
index 1086364..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.List;
-
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceContentType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * A set of utility methods to construct XACML 2.0 Request statements
- */
-public final class RequestComponentBuilder {
- private static volatile XACMLObjectBuilder<AttributeValueType> attributeValueTypeBuilder;
-
- private static volatile XACMLObjectBuilder<AttributeType> attributeTypeBuilder;
-
- private static volatile XACMLObjectBuilder<SubjectType> subjectTypeBuilder;
-
- private static volatile XACMLObjectBuilder<ResourceType> resourceTypeBuilder;
-
- private static volatile XACMLObjectBuilder<ActionType> actionTypeBuilder;
-
- private static volatile XACMLObjectBuilder<EnvironmentType> environmentTypeBuilder;
-
- private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder;
-
- private static volatile XMLObjectBuilderFactory builderFactory =
- XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- private RequestComponentBuilder() {
- // complete
- }
-
- @SuppressWarnings("unchecked")
- public static AttributeValueType createAttributeValueType(
- String value
- ) {
- if (attributeValueTypeBuilder == null) {
- attributeValueTypeBuilder = (XACMLObjectBuilder<AttributeValueType>)
- builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
- }
- AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
- attributeValue.setValue(value);
-
- return attributeValue;
- }
-
- @SuppressWarnings("unchecked")
- public static AttributeType createAttributeType(
- String attributeId,
- String dataType,
- String issuer,
- List<AttributeValueType> attributeValues
- ) {
- if (attributeTypeBuilder == null) {
- attributeTypeBuilder = (XACMLObjectBuilder<AttributeType>)
- builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
- }
- AttributeType attributeType = attributeTypeBuilder.buildObject();
- attributeType.setAttributeID(attributeId);
- attributeType.setDataType(dataType);
- attributeType.setIssuer(issuer);
- attributeType.getAttributeValues().addAll(attributeValues);
-
- return attributeType;
- }
-
- @SuppressWarnings("unchecked")
- public static SubjectType createSubjectType(
- List<AttributeType> attributes,
- String subjectCategory
- ) {
- if (subjectTypeBuilder == null) {
- subjectTypeBuilder = (XACMLObjectBuilder<SubjectType>)
- builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
- }
- SubjectType subject = subjectTypeBuilder.buildObject();
- if (attributes != null) {
- subject.getAttributes().addAll(attributes);
- }
- subject.setSubjectCategory(subjectCategory);
-
- return subject;
- }
-
- @SuppressWarnings("unchecked")
- public static ResourceType createResourceType(
- List<AttributeType> attributes,
- ResourceContentType resourceContent
- ) {
- if (resourceTypeBuilder == null) {
- resourceTypeBuilder = (XACMLObjectBuilder<ResourceType>)
- builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
- }
- ResourceType resource = resourceTypeBuilder.buildObject();
- if (attributes != null) {
- resource.getAttributes().addAll(attributes);
- }
- resource.setResourceContent(resourceContent);
-
- return resource;
- }
-
- @SuppressWarnings("unchecked")
- public static ActionType createActionType(
- List<AttributeType> attributes
- ) {
- if (actionTypeBuilder == null) {
- actionTypeBuilder = (XACMLObjectBuilder<ActionType>)
- builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
- }
- ActionType action = actionTypeBuilder.buildObject();
- if (attributes != null) {
- action.getAttributes().addAll(attributes);
- }
-
- return action;
- }
-
- @SuppressWarnings("unchecked")
- public static EnvironmentType createEnvironmentType(
- List<AttributeType> attributes
- ) {
- if (environmentTypeBuilder == null) {
- environmentTypeBuilder = (XACMLObjectBuilder<EnvironmentType>)
- builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
- }
- EnvironmentType enviroment = environmentTypeBuilder.buildObject();
- if (attributes != null) {
- enviroment.getAttributes().addAll(attributes);
- }
-
- return enviroment;
- }
-
- @SuppressWarnings("unchecked")
- public static RequestType createRequestType(
- List<SubjectType> subjects,
- List<ResourceType> resources,
- ActionType action,
- EnvironmentType environment
- ) {
- if (requestTypeBuilder == null) {
- requestTypeBuilder = (XACMLObjectBuilder<RequestType>)
- builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
- }
- RequestType request = requestTypeBuilder.buildObject();
- request.getSubjects().addAll(subjects);
- request.getResources().addAll(resources);
- request.setAction(action);
- request.setEnvironment(environment);
-
- return request;
- }
-
-}
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
deleted file mode 100644
index 353815c..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.UUID;
-
-import org.joda.time.DateTime;
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.saml.common.SAMLObjectBuilder;
-import org.opensaml.saml.common.SAMLVersion;
-import org.opensaml.saml.saml2.core.Issuer;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
-import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
-
-/**
- * A set of utility methods to construct XACML SAML Request statements, based on the
- * SAML 2.0 profile of XACML v2.0 specification.
- */
-public final class SamlRequestComponentBuilder {
- private static volatile XACMLObjectBuilder<XACMLAuthzDecisionQueryType> xacmlAuthzDecisionQueryTypeBuilder;
-
- private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
-
- private static volatile XMLObjectBuilderFactory builderFactory =
- XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- private SamlRequestComponentBuilder() {
- // complete
- }
-
- /**
- * Create an AuthzDecisionQuery using the defaults
- */
- public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
- String issuerValue,
- RequestType request,
- String namespace
- ) {
- return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
- }
-
- @SuppressWarnings("unchecked")
- public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
- boolean inputContextOnly,
- boolean returnContext,
- String issuerValue,
- RequestType request,
- String namespace
- ) {
- if (xacmlAuthzDecisionQueryTypeBuilder == null) {
- xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>)
- builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
- }
- XACMLAuthzDecisionQueryType authzQuery =
- xacmlAuthzDecisionQueryTypeBuilder.buildObject(
- namespace,
- XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
- SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
- );
- authzQuery.setID("_" + UUID.randomUUID().toString());
- authzQuery.setVersion(SAMLVersion.VERSION_20);
- authzQuery.setIssueInstant(new DateTime());
- authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
- authzQuery.setReturnContext(Boolean.valueOf(returnContext));
-
- if (issuerValue != null) {
- Issuer issuer = createIssuer(issuerValue);
- authzQuery.setIssuer(issuer);
- }
-
- authzQuery.setRequest(request);
-
- return authzQuery;
- }
-
-
- /**
- * Create an Issuer object
- *
- * @param issuerValue of type String
- * @return an Issuer object
- */
- @SuppressWarnings("unchecked")
- public static Issuer createIssuer(String issuerValue) {
- if (issuerBuilder == null) {
- issuerBuilder = (SAMLObjectBuilder<Issuer>)
- builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
-
- }
- Issuer issuer = issuerBuilder.buildObject();
- //
- // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD
- // be unambiguous to the intended relying parties.
- issuer.setValue(issuerValue);
- return issuer;
- }
-
-}
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
deleted file mode 100644
index 2194908..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-
-/**
- * An interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- */
-@SuppressWarnings("deprecation")
-public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
- private PolicyDecisionPoint pdp;
-
- public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
- super();
- this.pdp = pdp;
- }
-
- @Override
- public ResponseType performRequest(RequestType request, Message message) throws Exception {
- Source requestSource = requestType2Source(request);
- Source responseSource = this.pdp.evaluate(requestSource);
- return responseSourceToResponseType(responseSource);
- }
-
- private Source requestType2Source(RequestType request) {
- Document doc = DOMUtils.createDocument();
- Element requestElement;
- try {
- requestElement = OpenSAMLUtil.toDom(request, doc);
- } catch (WSSecurityException e) {
- throw new RuntimeException("Error converting PDP RequestType to Dom", e);
- }
- return new DOMSource(requestElement);
- }
-
- private ResponseType responseSourceToResponseType(Source responseSource) {
- try {
- Transformer trans = TransformerFactory.newInstance().newTransformer();
- DOMResult res = new DOMResult();
- trans.transform(responseSource, res);
- Node nd = res.getNode();
- if (nd instanceof Document) {
- nd = ((Document)nd).getDocumentElement();
- }
- return (ResponseType)OpenSAMLUtil.fromDom((Element)nd);
- } catch (Exception e) {
- throw new RuntimeException("Error converting pdp response to ResponseType", e);
- }
- }
-}
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
deleted file mode 100644
index 3480d8b..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
+++ /dev/null
@@ -1,206 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-
-
-/**
- * XACML 1.x and 2.0 Constants.
- */
-public final class XACMLConstants {
-
- //
- // Attributes
- //
-
- public static final String CURRENT_TIME =
- "urn:oasis:names:tc:xacml:1.0:environment:current-time";
- public static final String CURRENT_DATE =
- "urn:oasis:names:tc:xacml:1.0:environment:current-date";
- public static final String CURRENT_DATETIME =
- "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime";
-
- //
- // Identifiers
- //
-
- public static final String SUBJECT_DNS_NAME =
- "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name";
- public static final String SUBJECT_IP_ADDR =
- "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address";
- public static final String SUBJECT_AUTHN_METHOD =
- "urn:oasis:names:tc:xacml:1.0:subject:authentication-method";
- public static final String SUBJECT_AUTHN_TIME =
- "urn:oasis:names:tc:xacml:1.0:subject:authentication-time";
- public static final String SUBJECT_KEY_INFO =
- "urn:oasis:names:tc:xacml:1.0:subject:key-info";
- public static final String SUBJECT_REQ_TIME =
- "urn:oasis:names:tc:xacml:1.0:subject:request-time";
- public static final String SUBJECT_START_TIME =
- "urn:oasis:names:tc:xacml:1.0:subject:session-start-time";
- public static final String SUBJECT_ID =
- "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
- public static final String SUBJECT_ID_QUALIFIER =
- "urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier";
- public static final String SUBJECT_CAT_ACCESS_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
- public static final String SUBJECT_CAT_CODEBASE =
- "urn:oasis:names:tc:xacml:1.0:subject-category:codebase";
- public static final String SUBJECT_CAT_INTERMED_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject";
- public static final String SUBJECT_CAT_REC_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject";
- public static final String SUBJECT_CAT_REQ_MACHINE =
- "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine";
- public static final String RESOURCE_LOC =
- "urn:oasis:names:tc:xacml:1.0:resource:resource-location";
- public static final String RESOURCE_ID =
- "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
-
- // Non-standard (CXF-specific) tags for sending information about SOAP services to the PDP
- public static final String RESOURCE_WSDL_OPERATION_ID =
- "urn:cxf:apache:org:wsdl:operation-id";
- public static final String RESOURCE_WSDL_SERVICE_ID =
- "urn:cxf:apache:org:wsdl:service-id";
- public static final String RESOURCE_WSDL_ENDPOINT =
- "urn:cxf:apache:org:wsdl:endpoint";
-
- public static final String RESOURCE_FILE_NAME =
- "urn:oasis:names:tc:xacml:1.0:resource:simple-file-name";
- public static final String ACTION_ID =
- "urn:oasis:names:tc:xacml:1.0:action:action-id";
- public static final String ACTION_IMPLIED =
- "urn:oasis:names:tc:xacml:1.0:action:implied-action";
- public static final String SUBJECT_ROLE =
- "urn:oasis:names:tc:xacml:2.0:subject:role";
-
-
- //
- // Datatypes
- //
-
- public static final String XS_STRING =
- "http://www.w3.org/2001/XMLSchema#string";
- public static final String XS_BOOLEAN =
- "http://www.w3.org/2001/XMLSchema#boolean";
- public static final String XS_INT =
- "http://www.w3.org/2001/XMLSchema#integer";
- public static final String XS_DOUBLE =
- "http://www.w3.org/2001/XMLSchema#double";
- public static final String XS_TIME =
- "http://www.w3.org/2001/XMLSchema#time";
- public static final String XS_DATE =
- "http://www.w3.org/2001/XMLSchema#date";
- public static final String XS_DATETIME =
- "http://www.w3.org/2001/XMLSchema#dateTime";
- public static final String XS_ANY_URI =
- "http://www.w3.org/2001/XMLSchema#anyURI";
- public static final String XS_HEX =
- "http://www.w3.org/2001/XMLSchema#hexBinary";
- public static final String XS_BASE64 =
- "http://www.w3.org/2001/XMLSchema#base64Binary";
- public static final String RFC_822_NAME =
- "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name";
- public static final String X500_NAME =
- "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
-
- //
- // Functions
- //
- public static final String FUNC_STRING_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:string-equal";
- public static final String FUNC_BOOL_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:boolean-equal";
- public static final String FUNC_INT_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:integer-equal";
- public static final String FUNC_DOUBLE_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:double-equal";
- public static final String FUNC_DATE_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:date-equal";
- public static final String FUNC_TIME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:time-equal";
- public static final String FUNC_DATETIME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-equal";
- public static final String FUNC_ANY_URI_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal";
- public static final String FUNC_X500_NAME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:x500Name-equal";
- public static final String FUNC_RFC_822_NAME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal";
- public static final String FUNC_HEX_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal";
- public static final String FUNC_BASE64_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal";
-
- public static final String FUNC_INT_GT =
- "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than";
- public static final String FUNC_INT_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal";
- public static final String FUNC_INT_LT =
- "urn:oasis:names:tc:xacml:1.0:function:integer-less-than";
- public static final String FUNC_INT_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal";
- public static final String FUNC_DOUBLE_GT =
- "urn:oasis:names:tc:xacml:1.0:function:double-greater-than";
- public static final String FUNC_DOUBLE_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal";
- public static final String FUNC_DOUBLE_LT =
- "urn:oasis:names:tc:xacml:1.0:function:double-less-than";
- public static final String FUNC_DOUBLE_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal";
-
- public static final String FUNC_STRING_GT =
- "urn:oasis:names:tc:xacml:1.0:function:string-greater-than";
- public static final String FUNC_STRING_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal";
- public static final String FUNC_STRING_LT =
- "urn:oasis:names:tc:xacml:1.0:function:string-less-than";
- public static final String FUNC_STRING_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal";
- public static final String FUNC_TIME_GT =
- "urn:oasis:names:tc:xacml:1.0:function:time-greater-than";
- public static final String FUNC_TIME_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal";
- public static final String FUNC_TIME_LT =
- "urn:oasis:names:tc:xacml:1.0:function:time-less-than";
- public static final String FUNC_TIME_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal";
- public static final String FUNC_DATETIME_GT =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than";
- public static final String FUNC_DATETIME_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal";
- public static final String FUNC_DATETIME_LT =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than";
- public static final String FUNC_DATETIME_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal";
- public static final String FUNC_DATE_GT =
- "urn:oasis:names:tc:xacml:1.0:function:date-greater-than";
- public static final String FUNC_DATE_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal";
- public static final String FUNC_DATE_LT =
- "urn:oasis:names:tc:xacml:1.0:function:date-less-than";
- public static final String FUNC_DATE_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal";
-
-
- private XACMLConstants() {
- // complete
- }
-}
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
deleted file mode 100644
index f3a1e6e..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.List;
-
-import org.apache.cxf.message.Message;
-import org.opensaml.xacml.ctx.RequestType;
-
-
-/**
- * This interface defines a way to create an XACML Request.
- */
-public interface XACMLRequestBuilder {
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- *
- * @param principal The principal to insert into the Subject of the Request
- * @param roles The list of roles associated with the principal
- * @param message The Message from which to retrieve the resource
- * @return An OpenSAML RequestType object
- * @throws Exception
- */
- RequestType createRequest(Principal principal, List<String> roles, Message message) throws Exception;
-
- /**
- * Return the list of Resources that have been inserted into the Request.
- *
- * @param message The Message from which to retrieve the resource
- * @return the list of Resources that have been inserted into the Request
- */
- @Deprecated
- List<String> getResources(Message message);
-
- /**
- * Return the Resource that has been inserted into the Request.
- *
- * @param message The Message from which to retrieve the resource
- * @return the Resource that has been inserted into the Request
- */
- @Deprecated
- String getResource(Message message);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
deleted file mode 100644
index c23272f..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.xacml.pdp.api;
-
-import javax.xml.transform.Source;
-
-/**
- * An interface that describes a PolicyDecisionPoint (PDP).
- */
-public interface PolicyDecisionPoint {
-
- /**
- * Evaluate an XACML Request and return a Response
- * @param request an XACML Request as a Source
- * @return the XACML Response as a Source
- */
- Source evaluate(Source request);
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
deleted file mode 100644
index 4d9e11d..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
+++ /dev/null
@@ -1,295 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.claims;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Set;
-
-import org.apache.cxf.common.security.SimplePrincipal;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
-import org.apache.cxf.message.ExchangeImpl;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.security.claims.authorization.Claim;
-import org.apache.cxf.security.claims.authorization.ClaimMode;
-import org.apache.cxf.security.claims.authorization.Claims;
-import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-
-
-public class ClaimsAuthorizingInterceptorTest extends Assert {
-
- private ClaimsAuthorizingInterceptor interceptor;
-
- @Before
- public void setUp() {
- interceptor = new ClaimsAuthorizingInterceptor();
- interceptor.setNameAliases(
- Collections.singletonMap("authentication", "http://authentication"));
- interceptor.setFormatAliases(
- Collections.singletonMap("claims", "http://claims"));
- interceptor.setSecuredObject(new TestService());
-
- }
-
- @Test
- public void testClaimDefaultNameAndFormat() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("user"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testClaimMatchAll() throws Exception {
- doTestClaims("claimMatchAll",
- createDefaultClaim("admin", "manager"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimMatchAll",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"));
- doTestClaims("claimMatchAll",
- createDefaultClaim("manager"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testMissingExpectedClaim() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testExtraNonExpectedClaim() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"),
- createClaim("http://extra/claims", "http://claims", "claim"));
- }
-
- @Test
- public void testClaimSpecificNameAndFormat() throws Exception {
- doTestClaims("claimWithSpecificNameAndFormat",
- createClaim("http://cxf/roles", "http://claims", "admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithSpecificNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testClaimLaxMode() throws Exception {
- doTestClaims("claimLaxMode",
- createClaim("http://authentication", "http://claims", "password"));
- doTestClaims("claimLaxMode");
- try {
- doTestClaims("claimLaxMode",
- createClaim("http://authentication", "http://claims", "smartcard"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testMultipleClaims() throws Exception {
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "smartcard"),
- createClaim("http://location", "http://claims", "UK"));
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"),
- createClaim("http://location", "http://claims", "USA"));
- try {
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "unsecuretransport"),
- createClaim("http://location", "http://claims", "UK"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testUserInRoleAndClaims() throws Exception {
- SecureAnnotationsInterceptor in = new SecureAnnotationsInterceptor();
- in.setAnnotationClassName(SecureRole.class.getName());
- in.setSecuredObject(new TestService2());
-
- Message m = prepareMessage(TestService2.class, "test",
- createDefaultClaim("admin"),
- createClaim("a", "b", "c"));
-
- in.handleMessage(m);
-
- ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
- org.apache.cxf.rt.security.claims.SAMLClaim claim =
- new org.apache.cxf.rt.security.claims.SAMLClaim();
- claim.setNameFormat("a");
- claim.setName("b");
- claim.addValue("c");
- in2.setClaims(Collections.singletonMap("test",
- Collections.singletonList(
- new ClaimBean(claim))));
- in2.handleMessage(m);
-
- try {
- in.handleMessage(prepareMessage(TestService2.class, "test",
- createDefaultClaim("user")));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
-
- private void doTestClaims(String methodName,
- org.apache.cxf.rt.security.claims.Claim... claim)
- throws Exception {
- Message m = prepareMessage(TestService.class, methodName, claim);
- interceptor.handleMessage(m);
- }
-
- private Message prepareMessage(Class<?> cls,
- String methodName,
- org.apache.cxf.rt.security.claims.Claim... claim)
- throws Exception {
- ClaimCollection claims = new ClaimCollection();
- claims.addAll(Arrays.asList(claim));
-
- Set<Principal> roles =
- SAMLUtils.parseRolesFromClaims(claims, SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
-
- SecurityContext sc = new SAMLSecurityContext(new SimplePrincipal("user"), roles, claims);
- Message m = new MessageImpl();
- m.setExchange(new ExchangeImpl());
- m.put(SecurityContext.class, sc);
- m.put("org.apache.cxf.resource.method",
- cls.getMethod(methodName, new Class[]{}));
- return m;
- }
-
- private org.apache.cxf.rt.security.claims.Claim createDefaultClaim(
- Object... values) {
- return createClaim(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED,
- values);
- }
-
- private org.apache.cxf.rt.security.claims.Claim createClaim(
- String name, String format, Object... values) {
- SAMLClaim claim = new SAMLClaim();
- claim.setName(name);
- claim.setNameFormat(format);
- claim.setValues(Arrays.asList(values));
- return claim;
- }
-
- @Claim(name = "authentication", format = "claims",
- value = "password")
- public static class TestService {
- // default name and format are used
- @Claim({"admin", "manager" })
- public void claimWithDefaultNameAndFormat() {
-
- }
-
- // explicit name and format
- @Claim(name = "http://cxf/roles", format = "http://claims",
- value = {"admin", "manager" })
- public void claimWithSpecificNameAndFormat() {
-
- }
-
- @Claim(name = "http://authentication", format = "http://claims",
- value = "password", mode = ClaimMode.LAX)
- public void claimLaxMode() {
-
- }
-
- @Claims({
- @Claim(name = "http://location", format = "http://claims",
- value = {"UK", "USA" }),
- @Claim(value = {"admin", "manager" }),
- @Claim(name = "authentication", format = "claims",
- value = {"password", "smartcard" })
- })
- public void multipleClaims() {
-
- }
-
- // user must have both admin and manager roles, default is 'or'
- @Claim(value = {"admin", "manager" },
- matchAll = true)
- public void claimMatchAll() {
-
- }
- }
- public static class TestService2 {
- @SecureRole("admin")
- public void test() {
-
- }
- }
- @Target(ElementType.METHOD)
- @Retention(RetentionPolicy.RUNTIME)
- public @interface SecureRole {
- String[] value();
- }
-}