You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2014/01/10 17:48:06 UTC
svn commit: r1557188 - in /cxf/trunk:
rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/
systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/
Author: coheigea
Date: Fri Jan 10 16:48:05 2014
New Revision: 1557188
URL: http://svn.apache.org/r1557188
Log:
Added a streaming XML Security in-interceptor for JAX-RS endpoints + tests
Added:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
Modified:
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java?rev=1557188&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java (added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java Fri Jan 10 16:48:05 2014
@@ -0,0 +1,352 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.xml;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.Key;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Logger;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.ws.rs.BadRequestException;
+import javax.ws.rs.core.Response;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.StaxInInterceptor;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.phase.PhaseInterceptor;
+import org.apache.cxf.rs.security.common.CryptoLoader;
+import org.apache.cxf.rs.security.common.SecurityUtils;
+import org.apache.cxf.rs.security.common.TrustValidator;
+import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.InboundXMLSec;
+import org.apache.xml.security.stax.ext.XMLSec;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.XMLSecurityProperties;
+import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
+import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
+import org.apache.xml.security.stax.securityToken.SecurityToken;
+
+/**
+ * A new StAX-based interceptor for processing messages with XML Signature + Encryption content.
+ */
+public class XmlSecInInterceptor implements PhaseInterceptor<Message> {
+
+ private static final Logger LOG = LogUtils.getL7dLogger(XmlSecInInterceptor.class);
+
+ private Set<String> before = new HashSet<String>();
+ private Set<String> after = new HashSet<String>();
+ private EncryptionProperties encryptionProperties;
+ private SignatureProperties sigProps;
+ private String phase;
+ private String decryptionAlias;
+ private String signatureVerificationAlias;
+
+ public XmlSecInInterceptor() {
+ setPhase(Phase.POST_STREAM);
+ getAfter().add(StaxInInterceptor.class.getName());
+ }
+
+ public void handleFault(Message message) {
+ }
+
+ public void handleMessage(Message message) throws Fault {
+ String method = (String)message.get(Message.HTTP_REQUEST_METHOD);
+ if ("GET".equals(method)) {
+ return;
+ }
+
+ Message outMs = message.getExchange().getOutMessage();
+ Message inMsg = outMs == null ? message : outMs.getExchange().getInMessage();
+
+ XMLStreamReader originalXmlStreamReader = inMsg.getContent(XMLStreamReader.class);
+ if (originalXmlStreamReader == null) {
+ InputStream is = inMsg.getContent(InputStream.class);
+ if (is != null) {
+ originalXmlStreamReader = StaxUtils.createXMLStreamReader(is);
+ }
+ }
+
+ try {
+ XMLSecurityProperties properties = new XMLSecurityProperties();
+ configureDecryptionKeys(inMsg, properties);
+ Crypto signatureCrypto = getSignatureCrypto(inMsg);
+ configureSignatureKeys(signatureCrypto, inMsg, properties);
+
+ SecurityEventListener securityEventListener =
+ configureSecurityEventListener(signatureCrypto, inMsg, properties);
+ InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
+
+ XMLStreamReader newXmlStreamReader =
+ inboundXMLSec.processInMessage(originalXmlStreamReader, null, securityEventListener);
+ inMsg.setContent(XMLStreamReader.class, newXmlStreamReader);
+
+ } catch (XMLStreamException e) {
+ throwFault(e.getMessage(), e);
+ } catch (XMLSecurityException e) {
+ throwFault(e.getMessage(), e);
+ } catch (IOException e) {
+ throwFault(e.getMessage(), e);
+ } catch (UnsupportedCallbackException e) {
+ throwFault(e.getMessage(), e);
+ }
+ }
+
+ private void configureDecryptionKeys(Message message, XMLSecurityProperties properties)
+ throws IOException,
+ UnsupportedCallbackException, WSSecurityException {
+ String cryptoKey = null;
+ String propKey = null;
+ if (SecurityUtils.isSignedAndEncryptedTwoWay(message)) {
+ cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
+ propKey = SecurityConstants.SIGNATURE_PROPERTIES;
+ } else {
+ cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
+ propKey = SecurityConstants.ENCRYPT_PROPERTIES;
+ }
+
+ Crypto crypto = null;
+ try {
+ crypto = new CryptoLoader().getCrypto(message, cryptoKey, propKey);
+ } catch (Exception ex) {
+ throwFault("Crypto can not be loaded", ex);
+ }
+
+ if (crypto != null && decryptionAlias != null) {
+ CallbackHandler callback = SecurityUtils.getCallbackHandler(message, this.getClass());
+ WSPasswordCallback passwordCallback =
+ new WSPasswordCallback(decryptionAlias, WSPasswordCallback.DECRYPT);
+ callback.handle(new Callback[] {passwordCallback});
+
+ Key privateKey = crypto.getPrivateKey(decryptionAlias, passwordCallback.getPassword());
+ properties.setDecryptionKey(privateKey);
+ }
+ }
+
+ private Crypto getSignatureCrypto(Message message) {
+ String cryptoKey = null;
+ String propKey = null;
+ if (SecurityUtils.isSignedAndEncryptedTwoWay(message)) {
+ cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
+ propKey = SecurityConstants.ENCRYPT_PROPERTIES;
+ } else {
+ cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
+ propKey = SecurityConstants.SIGNATURE_PROPERTIES;
+ }
+
+ try {
+ return new CryptoLoader().getCrypto(message, cryptoKey, propKey);
+ } catch (Exception ex) {
+ throwFault("Crypto can not be loaded", ex);
+ return null;
+ }
+ }
+
+ private void configureSignatureKeys(
+ Crypto sigCrypto, Message message, XMLSecurityProperties properties
+ ) throws IOException,
+ UnsupportedCallbackException, WSSecurityException {
+
+ if (sigCrypto != null && signatureVerificationAlias != null) {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(signatureVerificationAlias);
+ X509Certificate[] certs = sigCrypto.getX509Certificates(cryptoType);
+ if (certs != null && certs.length > 0) {
+ properties.setSignatureVerificationKey(certs[0].getPublicKey());
+ }
+ }
+ }
+
+ protected SecurityEventListener configureSecurityEventListener(
+ final Crypto sigCrypto, Message msg, XMLSecurityProperties securityProperties
+ ) {
+ final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>();
+ SecurityEventListener securityEventListener = new SecurityEventListener() {
+ @Override
+ public void registerSecurityEvent(SecurityEvent securityEvent) throws XMLSecurityException {
+ if (securityEvent.getSecurityEventType() == SecurityEventConstants.AlgorithmSuite) {
+ if (encryptionProperties != null) {
+ checkEncryptionAlgorithms((AlgorithmSuiteSecurityEvent)securityEvent);
+ }
+ if (sigProps != null) {
+ checkSignatureAlgorithms((AlgorithmSuiteSecurityEvent)securityEvent);
+ }
+ } else if (securityEvent.getSecurityEventType() != SecurityEventConstants.EncryptedKeyToken
+ && securityEvent instanceof TokenSecurityEvent<?>) {
+ checkSignatureTrust(sigCrypto, (TokenSecurityEvent<?>)securityEvent);
+ }
+ incomingSecurityEventList.add(securityEvent);
+ }
+ };
+ msg.getExchange().put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList);
+ msg.put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList);
+
+ return securityEventListener;
+ }
+
+ private void checkEncryptionAlgorithms(AlgorithmSuiteSecurityEvent event)
+ throws XMLSecurityException {
+ if (XMLSecurityConstants.Enc.equals(event.getAlgorithmUsage())
+ && encryptionProperties.getEncryptionSymmetricKeyAlgo() != null
+ && !encryptionProperties.getEncryptionSymmetricKeyAlgo().equals(event.getAlgorithmURI())) {
+ throw new XMLSecurityException("empty", "The symmetric encryption algorithm "
+ + event.getAlgorithmURI() + " is not allowed");
+ } else if ((XMLSecurityConstants.Sym_Key_Wrap.equals(event.getAlgorithmUsage())
+ || XMLSecurityConstants.Asym_Key_Wrap.equals(event.getAlgorithmUsage()))
+ && encryptionProperties.getEncryptionKeyTransportAlgo() != null
+ && !encryptionProperties.getEncryptionKeyTransportAlgo().equals(event.getAlgorithmURI())) {
+ throw new XMLSecurityException("empty", "The key transport algorithm "
+ + event.getAlgorithmURI() + " is not allowed");
+ } else if (XMLSecurityConstants.Dig.equals(event.getAlgorithmUsage())
+ && encryptionProperties.getEncryptionDigestAlgo() != null
+ && !encryptionProperties.getEncryptionDigestAlgo().equals(event.getAlgorithmURI())) {
+ throw new XMLSecurityException("empty", "The encryption digest algorithm "
+ + event.getAlgorithmURI() + " is not allowed");
+ }
+ }
+
+ private void checkSignatureAlgorithms(AlgorithmSuiteSecurityEvent event)
+ throws XMLSecurityException {
+ if (XMLSecurityConstants.Asym_Sig.equals(event.getAlgorithmUsage())
+ || XMLSecurityConstants.Sym_Sig.equals(event.getAlgorithmUsage())
+ && sigProps.getSignatureAlgo() != null
+ && !sigProps.getSignatureAlgo().equals(event.getAlgorithmURI())) {
+ throw new XMLSecurityException("empty", "The signature algorithm "
+ + event.getAlgorithmURI() + " is not allowed");
+ } else if (XMLSecurityConstants.Dig.equals(event.getAlgorithmUsage())
+ && sigProps.getSignatureDigestAlgo() != null
+ && !sigProps.getSignatureDigestAlgo().equals(event.getAlgorithmURI())) {
+ throw new XMLSecurityException("empty", "The signature digest algorithm "
+ + event.getAlgorithmURI() + " is not allowed");
+ } /*else if (XMLSecurityConstants.C14n.equals(event.getAlgorithmUsage())
+ && sigProps.getSignatureC14Method() != null
+ && !sigProps.getSignatureC14Method().equals(event.getAlgorithmURI())) {
+ throw new XMLSecurityException("empty", "The signature c14n algorithm "
+ + event.getAlgorithmURI() + " is not allowed");
+ }*/
+ // TODO Signature Digest Transform checking
+ }
+
+ private void checkSignatureTrust(
+ Crypto sigCrypto, TokenSecurityEvent<?> event
+ ) throws XMLSecurityException {
+ SecurityToken token = event.getSecurityToken();
+ if (token != null) {
+ X509Certificate[] certs = token.getX509Certificates();
+ PublicKey publicKey = token.getPublicKey();
+ X509Certificate cert = null;
+ if (certs != null && certs.length > 0) {
+ cert = certs[0];
+ }
+
+ // validate trust
+ try {
+ new TrustValidator().validateTrust(sigCrypto, cert, publicKey);
+ } catch (WSSecurityException e) {
+ throw new XMLSecurityException("empty", "Error during Signature Trust "
+ + "validation: " + e.getMessage());
+ }
+ }
+ }
+
+ protected void throwFault(String error, Exception ex) {
+ LOG.warning(error);
+ Response response = Response.status(400).entity(error).build();
+ throw ex != null ? new BadRequestException(response, ex) : new BadRequestException(response);
+ }
+
+ public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
+ return null;
+ }
+
+ public Set<String> getAfter() {
+ return after;
+ }
+
+ public void setAfter(Set<String> after) {
+ this.after = after;
+ }
+
+ public Set<String> getBefore() {
+ return before;
+ }
+
+ public void setBefore(Set<String> before) {
+ this.before = before;
+ }
+
+ public String getId() {
+ return getClass().getName();
+ }
+
+ public String getPhase() {
+ return phase;
+ }
+
+ public void setPhase(String phase) {
+ this.phase = phase;
+ }
+
+ public void setEncryptionProperties(EncryptionProperties properties) {
+ this.encryptionProperties = properties;
+ }
+
+ public void setSignatureProperties(SignatureProperties properties) {
+ this.sigProps = properties;
+ }
+
+ public String getDecryptionAlias() {
+ return decryptionAlias;
+ }
+
+ public void setDecryptionAlias(String decryptionAlias) {
+ this.decryptionAlias = decryptionAlias;
+ }
+
+ public String getSignatureVerificationAlias() {
+ return signatureVerificationAlias;
+ }
+
+ public void setSignatureVerificationAlias(String signatureVerificationAlias) {
+ this.signatureVerificationAlias = signatureVerificationAlias;
+ }
+
+}
Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java?rev=1557188&r1=1557187&r2=1557188&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java (original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java Fri Jan 10 16:48:05 2014
@@ -20,6 +20,8 @@
package org.apache.cxf.systest.jaxrs.security.xml;
import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
@@ -40,34 +42,57 @@ import org.apache.cxf.systest.jaxrs.secu
import org.apache.cxf.systest.jaxrs.security.BookStore;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.xml.security.encryption.XMLCipher;
-
import org.junit.BeforeClass;
import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized.Parameters;
+@RunWith(value = org.junit.runners.Parameterized.class)
public class JAXRSXmlSecTest extends AbstractBusClientServerTestBase {
public static final String PORT = BookServerXmlSec.PORT;
+ public static final String STAX_PORT = StaxBookServerXmlSec.PORT;
+
+ final TestParam test;
+
+ public JAXRSXmlSecTest(TestParam type) {
+ this.test = type;
+ }
@BeforeClass
public static void startServers() throws Exception {
assertTrue("server did not launch correctly",
launchServer(BookServerXmlSec.class, true));
+ assertTrue("server did not launch correctly",
+ launchServer(StaxBookServerXmlSec.class, true));
+ }
+
+ @Parameters(name = "{0}")
+ public static Collection<TestParam[]> data() {
+
+ return Arrays.asList(new TestParam[][] {{new TestParam(PORT, false)},
+ {new TestParam(STAX_PORT, false)},
+ });
}
@Test
public void testPostBookWithEnvelopedSigAndProxy() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsig";
+ String address = "https://localhost:" + test.port + "/xmlsig";
doTestSignatureProxy(address, false, null);
}
@Test
public void testPostBookWithEnvelopedSigAndProxy2() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsig";
+ String address = "https://localhost:" + test.port + "/xmlsig";
doTestSignatureProxy(address, false, "");
}
@Test
public void testPostBookEnvelopingSigAndProxy() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsig";
+ if (STAX_PORT.equals(test.port)) {
+ // TODO Supporting Enveloping
+ return;
+ }
+ String address = "https://localhost:" + test.port + "/xmlsig";
doTestSignatureProxy(address, true, "file:");
}
@@ -115,25 +140,33 @@ public class JAXRSXmlSecTest extends Abs
@Test
public void testPostBookWithEnvelopedSig() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
+ String address = "https://localhost:" + test.port + "/xmlsig/bookstore/books";
doTestSignature(address, false, false, true);
}
@Test
public void testPostBookWithEnvelopedSigNoKeyInfo() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsignokeyinfo/bookstore/books";
+ String address = "https://localhost:" + test.port + "/xmlsignokeyinfo/bookstore/books";
doTestSignature(address, false, false, false);
}
@Test
public void testPostBookWithEnvelopingSig() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
+ if (STAX_PORT.equals(test.port)) {
+ // TODO Supporting Enveloping
+ return;
+ }
+ String address = "https://localhost:" + test.port + "/xmlsig/bookstore/books";
doTestSignature(address, true, false, true);
}
@Test
public void testPostBookWithEnvelopingSigFromResponse() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
+ if (STAX_PORT.equals(test.port)) {
+ // TODO Supporting Enveloping
+ return;
+ }
+ String address = "https://localhost:" + test.port + "/xmlsig/bookstore/books";
doTestSignature(address, true, true, true);
}
@@ -189,7 +222,7 @@ public class JAXRSXmlSecTest extends Abs
@Test
public void testPostEncryptedBook() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlenc/bookstore/books";
+ String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -213,7 +246,7 @@ public class JAXRSXmlSecTest extends Abs
return;
}
- String address = "https://localhost:" + PORT + "/xmlenc/bookstore/books";
+ String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -226,7 +259,7 @@ public class JAXRSXmlSecTest extends Abs
@Test
public void testPostEncryptedBookSHA256() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlenc/bookstore/books";
+ String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -240,7 +273,7 @@ public class JAXRSXmlSecTest extends Abs
@Test
public void testPostEncryptedBookIssuerSerial() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlenc/bookstore/books";
+ String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -254,7 +287,7 @@ public class JAXRSXmlSecTest extends Abs
@Test
public void testPostEncryptedSignedBook() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsec-validate/bookstore/books";
+ String address = "https://localhost:" + test.port + "/xmlsec-validate/bookstore/books";
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -270,7 +303,7 @@ public class JAXRSXmlSecTest extends Abs
@Test
public void testPostEncryptedSignedBookInvalid() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsec-validate/bookstore/books";
+ String address = "https://localhost:" + test.port + "/xmlsec-validate/bookstore/books";
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -291,7 +324,11 @@ public class JAXRSXmlSecTest extends Abs
@Test
public void testPostEncryptedSignedBookUseReqSigCert() throws Exception {
- String address = "https://localhost:" + PORT + "/xmlsec-useReqSigCert/bookstore/books";
+ if (STAX_PORT.equals(test.port)) {
+ // TODO Supporting UseReqSigCert
+ return;
+ }
+ String address = "https://localhost:" + test.port + "/xmlsec-useReqSigCert/bookstore/books";
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -362,5 +399,19 @@ public class JAXRSXmlSecTest extends Abs
}
+ private static final class TestParam {
+ final String port;
+ final boolean streaming;
+
+ public TestParam(String p, boolean b) {
+ port = p;
+ streaming = b;
+ }
+
+ public String toString() {
+ return port + ":" + (streaming ? "streaming" : "dom");
+ }
+
+ }
}
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java?rev=1557188&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java Fri Jan 10 16:48:05 2014
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.xml;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+import org.apache.cxf.testutil.common.TestUtil;
+
+public class StaxBookServerXmlSec extends AbstractBusTestServerBase {
+ public static final String PORT = TestUtil.getPortNumber("jaxrs-xmlsec-stax");
+ private static final String SERVER_CONFIG_FILE =
+ "org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml";
+
+ protected void run() {
+ SpringBusFactory bf = new SpringBusFactory();
+ Bus springBus = bf.createBus(SERVER_CONFIG_FILE);
+ BusFactory.setDefaultBus(springBus);
+ setBus(springBus);
+
+ try {
+ new StaxBookServerXmlSec();
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ public static void main(String[] args) {
+ try {
+ StaxBookServerXmlSec s = new StaxBookServerXmlSec();
+ s.start();
+ } catch (Exception ex) {
+ ex.printStackTrace();
+ System.exit(-1);
+ } finally {
+ System.out.println("done!");
+ }
+ }
+}
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml?rev=1557188&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml Fri Jan 10 16:48:05 2014
@@ -0,0 +1,181 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:jaxrs="http://cxf.apache.org/jaxrs" xsi:schemaLocation=" http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd ">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <httpj:engine-factory id="port-9095-tls-config">
+ <httpj:engine port="${testutil.ports.jaxrs-xmlsec-stax}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="true" required="true"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+ <bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
+ <bean id="sigProps" class="org.apache.cxf.rs.security.xml.SignatureProperties">
+ <property name="signatureAlgo" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+ <property name="signatureDigestAlgo" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <property name="signatureC14Method" value="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+ <property name="signatureC14Transform" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ </bean>
+ <bean id="encProps" class="org.apache.cxf.rs.security.xml.EncryptionProperties">
+ <property name="encryptionKeyTransportAlgo" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+ <property name="encryptionSymmetricKeyAlgo" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+ </bean>
+ <bean id="xmlSecInHandler" class="org.apache.cxf.rs.security.xml.XmlSecInInterceptor">
+ <property name="decryptionAlias" value="bob" />
+ <property name="signatureVerificationAlias" value="alice" />
+ </bean>
+ <bean id="xmlSecInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSecInInterceptor">
+ <property name="signatureProperties" ref="sigProps"/>
+ <property name="encryptionProperties" ref="encProps"/>
+ <property name="decryptionAlias" value="bob" />
+ <property name="signatureVerificationAlias" value="alice" />
+ </bean>
+ <bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/>
+ <bean id="xmlSigOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
+ <property name="signatureProperties" ref="sigProps"/>
+ </bean>
+ <bean id="xmlSigOutHandlerNoKeyInfo" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
+ </bean>
+ <bean id="xmlEncOutHandler" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
+ <property name="symmetricEncAlgorithm" value="aes128-cbc"/>
+ </bean>
+ <bean id="xmlEncOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
+ <property name="encryptionProperties" ref="encProps"/>
+ </bean>
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsig">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSecInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsignokeyinfo">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSecInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandlerNoKeyInfo"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlenc">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSecInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlEncOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsec">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSecInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ <ref bean="xmlEncOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+ <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsec-validate">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSecInHandlerWithProps"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandlerWithProps"/>
+ <ref bean="xmlEncOutHandlerWithProps"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+ <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsec-useReqSigCert">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSecInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ <ref bean="xmlEncOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+ <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+ <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+</beans>