Posted to commits@cxf.apache.org by co...@apache.org on 2012/11/28 13:47:34 UTC
svn commit: r1414652 [1/2] - in /cxf/trunk: osgi/bundle/all/
osgi/bundle/minimal/ osgi/karaf/features/src/main/resources/ rt/
rt/security/ rt/security/src/ rt/security/src/main/
rt/security/src/main/java/ rt/security/src/main/java/org/ rt/security/src/...
Author: coheigea
Date: Wed Nov 28 12:47:26 2012
New Revision: 1414652
URL: http://svn.apache.org/viewvc?rev=1414652&view=rev
Log:
[CXF-4657] - Add XACML functionality to CXF runtime
Added:
cxf/trunk/rt/security/
cxf/trunk/rt/security/pom.xml
cxf/trunk/rt/security/src/
cxf/trunk/rt/security/src/main/
cxf/trunk/rt/security/src/main/java/
cxf/trunk/rt/security/src/main/java/org/
cxf/trunk/rt/security/src/main/java/org/apache/
cxf/trunk/rt/security/src/main/java/org/apache/cxf/
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
cxf/trunk/rt/security/src/test/
cxf/trunk/rt/security/src/test/java/
cxf/trunk/rt/security/src/test/java/org/
cxf/trunk/rt/security/src/test/java/org/apache/
cxf/trunk/rt/security/src/test/java/org/apache/cxf/
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/server/XACMLAuthorizingInterceptor.java
Modified:
cxf/trunk/osgi/bundle/all/pom.xml
cxf/trunk/osgi/bundle/minimal/pom.xml
cxf/trunk/osgi/karaf/features/src/main/resources/features.xml
cxf/trunk/rt/pom.xml
cxf/trunk/systests/ws-security/pom.xml
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Modified: cxf/trunk/osgi/bundle/all/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/osgi/bundle/all/pom.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/osgi/bundle/all/pom.xml (original)
+++ cxf/trunk/osgi/bundle/all/pom.xml Wed Nov 28 12:47:26 2012
@@ -301,6 +301,11 @@
</dependency>
<dependency>
<groupId>${project.groupId}</groupId>
+ <artifactId>cxf-rt-security</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>${project.groupId}</groupId>
<artifactId>cxf-rt-ws-policy</artifactId>
<version>${project.version}</version>
</dependency>
Modified: cxf/trunk/osgi/bundle/minimal/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/osgi/bundle/minimal/pom.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/osgi/bundle/minimal/pom.xml (original)
+++ cxf/trunk/osgi/bundle/minimal/pom.xml Wed Nov 28 12:47:26 2012
@@ -112,6 +112,11 @@
</dependency>
<dependency>
<groupId>${project.groupId}</groupId>
+ <artifactId>cxf-rt-security</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>${project.groupId}</groupId>
<artifactId>cxf-rt-ws-policy</artifactId>
<version>${project.version}</version>
</dependency>
Modified: cxf/trunk/osgi/karaf/features/src/main/resources/features.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/osgi/karaf/features/src/main/resources/features.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/osgi/karaf/features/src/main/resources/features.xml (original)
+++ cxf/trunk/osgi/karaf/features/src/main/resources/features.xml Wed Nov 28 12:47:26 2012
@@ -111,6 +111,10 @@
<bundle start-level='40' dependency="true">mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.ehcache/${cxf.ehcache.bundle.version}</bundle>
<bundle start-level='40'>mvn:org.apache.cxf/cxf-rt-ws-security/${project.version}</bundle>
</feature>
+ <feature name="cxf-rt-security" version="${project.version}" resolver='(obr)'>
+ <feature version="${cxf.wss4j.version}">wss4j</feature>
+ <bundle start-level='40'>mvn:org.apache.cxf/cxf-rt-security/${project.version}</bundle>
+ </feature>
<feature name="cxf-http" version="${project.version}" resolver='(obr)'>
<feature version="${project.version}">cxf-core</feature>
<feature version="[2,4)">http-whiteboard</feature>
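Review bot: The new `cxf-rt-security` feature requires only the `wss4j` feature, while the module's own pom in this commit depends on cxf-rt-core and the neighbouring `cxf-http` feature pulls in `<feature version="${project.version}">cxf-core</feature>` explicitly; unless the wss4j feature already drags cxf-core in, installing `cxf-rt-security` on its own may leave the bundle's org.apache.cxf package imports unresolved. Adding the same `cxf-core` feature line inside the new feature makes that requirement explicit rather than relying on whatever else happens to be installed. The preceding `cxf-rt-ws-security` feature starts outside this hunk, so I cannot confirm how it declares the same dependency.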
Modified: cxf/trunk/rt/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/pom.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/rt/pom.xml (original)
+++ cxf/trunk/rt/pom.xml Wed Nov 28 12:47:26 2012
@@ -65,6 +65,7 @@
<module>management</module>
<module>management-web</module>
<module>javascript</module>
+ <module>security</module>
</modules>
</project>
Added: cxf/trunk/rt/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/pom.xml?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/pom.xml (added)
+++ cxf/trunk/rt/security/pom.xml Wed Nov 28 12:47:26 2012
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>cxf-rt-security</artifactId>
+ <packaging>jar</packaging>
+ <name>Apache CXF Runtime Security functionality</name>
+ <description>Apache CXF Runtime Security functionality</description>
+ <url>http://cxf.apache.org</url>
+
+ <parent>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-parent</artifactId>
+ <version>2.7.1-SNAPSHOT</version>
+ <relativePath>../../parent/pom.xml</relativePath>
+ </parent>
+ <properties>
+ <cxf.osgi.import>
+ org.opensaml*,
+ </cxf.osgi.import>
+ </properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-core</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ws.security</groupId>
+ <artifactId>wss4j</artifactId>
+ <version>${cxf.wss4j.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>xerces</groupId>
+ <artifactId>xercesImpl</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>xml-apis</groupId>
+ <artifactId>xml-apis</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ </dependencies>
+
+</project>
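Review bot: The sources added in this commit import `org.joda.time.DateTime` and `org.opensaml.*` (DefaultXACMLRequestBuilder and SamlRequestComponentBuilder), yet the pom declares neither joda-time nor opensaml, so the module compiles only through wss4j's transitive dependencies. Declaring the OpenSAML and joda-time artifacts directly, with the versions managed by the parent if it manages them, would make a later wss4j upgrade that changes those transitives fail at build time instead of at runtime. The `cxf.osgi.import` entry `org.opensaml*,` presumably exists to widen the bundle's Import-Package for the same reason; a one-line XML comment saying so would spare the next reader the guess.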
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,150 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.opensaml.xacml.ctx.DecisionType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+
+
+/**
+ * An abstract interceptor to perform an XACML authorization request to a remote PDP,
+ * and make an authorization decision based on the response. It takes the principal and roles
+ * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
+ * statement.
+ *
+ * This class must be subclassed to actually perform the request to the PDP.
+ */
+public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
+
+ private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
+
+ private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
+
+ public AbstractXACMLAuthorizingInterceptor() {
+ super(Phase.PRE_INVOKE);
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ public void handleMessage(Message message) throws Fault {
+ SecurityContext sc = message.get(SecurityContext.class);
+
+ if (sc instanceof LoginSecurityContext) {
+ Principal principal = sc.getUserPrincipal();
+
+ LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
+ Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
+ List<String> roles = new ArrayList<String>();
+ if (principalRoles != null) {
+ for (Principal p : principalRoles) {
+ if (p != principal) {
+ roles.add(p.getName());
+ }
+ }
+ }
+
+ try {
+ if (authorize(principal, roles, message)) {
+ return;
+ }
+ } catch (Exception e) {
+ LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
+ throw new AccessDeniedException("Unauthorized");
+ }
+ }
+
+ throw new AccessDeniedException("Unauthorized");
+ }
+
+ public XACMLRequestBuilder getRequestBuilder() {
+ return requestBuilder;
+ }
+
+ public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
+ this.requestBuilder = requestBuilder;
+ }
+
+ /**
+ * Perform a (remote) authorization decision and return a boolean depending on the result
+ */
+ protected boolean authorize(
+ Principal principal, List<String> roles, Message message
+ ) throws Exception {
+ RequestType request = requestBuilder.createRequest(principal, roles, message);
+
+ ResponseType response = performRequest(request, message);
+
+ ResultType result = response.getResult();
+
+ // Handle any Obligations returned by the PDP
+ handleObligations(request, principal, message, result);
+
+ String resource = requestBuilder.getResource(message);
+ if (result != null
+ && (result.getResourceId() == null || resource.equals(result.getResourceId()))
+ && (result.getDecision().getDecision() == DecisionType.DECISION.Permit)) {
+ LOG.fine("XACML authorization permitted");
+ return true;
+ }
+ LOG.fine("XACML authorization not permitted:");
+ if (result != null && result.getStatus() != null) {
+ if (result.getStatus().getStatusCode() != null) {
+ LOG.fine("XACML Status Code: " + result.getStatus().getStatusCode().getValue());
+ }
+ if (result.getStatus().getStatusMessage() != null) {
+ LOG.fine("XACML Status Message: " + result.getStatus().getStatusMessage().getValue());
+ }
+ }
+
+ return false;
+ }
+
+ public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
+
+ /**
+ * Handle any Obligations returned by the PDP
+ */
+ protected void handleObligations(
+ RequestType request,
+ Principal principal,
+ Message message,
+ ResultType result
+ ) throws Exception {
+ // Do nothing by default
+ }
+
+}
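Review bot: In `handleMessage` an exception thrown by `authorize` — which includes a failed remote PDP call from `performRequest` — is logged only at FINE and then rethrown as a generic AccessDeniedException, so in normal logging a PDP outage or misconfigured request builder looks exactly like a policy denial; logging it at WARNING, e.g. `LOG.log(Level.WARNING, "XACML authorization failed: " + e.getMessage(), e);`, keeps the fail-closed behaviour while making the failure visible to whoever operates the service. That catch-all also absorbs NullPointerExceptions from `authorize` itself, namely `resource.equals(result.getResourceId())` when `getResource` returns null but the PDP echoes a ResourceId, and `result.getDecision().getDecision()` when the result carries no decision; both end in a denial, which is the right outcome but is worth stating in the class Javadoc. The role loop's `p != principal` is an identity comparison, so it only excludes the user principal if the LoginSecurityContext returns the same instance in its role set; if that is the intended contract a short comment should say so, otherwise `!p.equals(principal)` is the safer form.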
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,236 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.interceptor.security.SAMLSecurityContext;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.joda.time.DateTime;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+
+/**
+ * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
+ * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
+ * and the list of roles associated with that principal are inserted as Subject roles.
+ *
+ * The action to send defaults to "execute". The resource is the WSDL Operation for a SOAP service,
+ * and the request URI for a REST service. You can also configure the ability to send the full
+ * request URL instead for a SOAP or REST service. The current DateTime is also sent in an
+ * Environment, however this can be disabled via configuration.
+ */
+public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
+
+ private String action = "execute";
+ private boolean sendDateTime = true;
+ private boolean sendFullRequestURL;
+
+ /**
+ * Set a new Action String to use
+ */
+ public void setAction(String newAction) {
+ action = newAction;
+ }
+
+ /**
+ * Get the Action String currently in use
+ */
+ public String getAction() {
+ return action;
+ }
+
+ /**
+ * Create an XACML Request given a Principal, list of roles and Message.
+ */
+ public RequestType createRequest(
+ Principal principal, List<String> roles, Message message
+ ) throws Exception {
+ String issuer = getIssuer(message);
+ String resource = getResource(message);
+ String actionToUse = getAction(message);
+
+ // Subject
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(principal.getName());
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.XS_STRING,
+ issuer,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+ attributes.add(subjectIdAttribute);
+
+ for (String role : roles) {
+ AttributeValueType subjectRoleAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(role);
+ AttributeType subjectRoleAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ issuer,
+ Collections.singletonList(subjectRoleAttributeValue)
+ );
+ attributes.add(subjectRoleAttribute);
+ }
+ SubjectType subjectType = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(resource);
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resourceType = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(actionToUse);
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType actionType = RequestComponentBuilder.createActionType(attributes);
+
+ // Environment
+ EnvironmentType environmentType = null;
+ if (sendDateTime) {
+ DateTime dateTime = new DateTime();
+ AttributeValueType environmentAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(dateTime.toString());
+ AttributeType environmentAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.CURRENT_DATETIME,
+ XACMLConstants.XS_DATETIME,
+ null,
+ Collections.singletonList(environmentAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(environmentAttribute);
+ environmentType = RequestComponentBuilder.createEnvironmentType(attributes);
+ }
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subjectType),
+ Collections.singletonList(resourceType),
+ actionType,
+ environmentType
+ );
+
+ return request;
+ }
+
+ /**
+ * Get the Issuer of the SAML Assertion
+ */
+ private String getIssuer(Message message) throws WSSecurityException {
+ SecurityContext sc = message.get(SecurityContext.class);
+
+ if (sc instanceof SAMLSecurityContext) {
+ Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
+ if (assertionElement != null) {
+ AssertionWrapper wrapper = new AssertionWrapper(assertionElement);
+ return wrapper.getIssuerString();
+ }
+ }
+
+ return null;
+ }
+
+ public boolean isSendDateTime() {
+ return sendDateTime;
+ }
+
+ public void setSendDateTime(boolean sendDateTime) {
+ this.sendDateTime = sendDateTime;
+ }
+
+ public boolean isSendFullRequestURL() {
+ return sendFullRequestURL;
+ }
+
+ /**
+ * Whether to send the full Request URL as the resource or not. If set to true,
+ * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
+ * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
+ * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
+ */
+ public void setSendFullRequestURL(boolean sendFullRequestURL) {
+ this.sendFullRequestURL = sendFullRequestURL;
+ }
+
+
+ /**
+ * Return the Resource that has been inserted into the Request
+ */
+ public String getResource(Message message) {
+ if (message == null) {
+ return null;
+ }
+ String resource = null;
+ if (sendFullRequestURL) {
+ resource = (String)message.get(Message.REQUEST_URL);
+ } else if (message.get(Message.WSDL_OPERATION) != null) {
+ resource = message.get(Message.WSDL_OPERATION).toString();
+ } else {
+ resource = (String)message.get(Message.REQUEST_URI);
+ }
+ return resource;
+ }
+
+ private String getAction(Message message) {
+ String actionToUse = action;
+ // For REST use the HTTP Verb
+ if (message.get(Message.WSDL_OPERATION) == null
+ && message.get(Message.HTTP_REQUEST_METHOD) != null) {
+ actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD);
+ }
+ return actionToUse;
+ }
+}
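Review bot: `createRequest` calls `principal.getName()` and iterates `roles` without a null check, although the interceptor that calls it takes the principal from `sc.getUserPrincipal()`, which can be null; the resulting NullPointerException is only turned into a denial by the caller's catch-all, with nothing in the log explaining why. A precondition at the top, `if (principal == null) { throw new IllegalArgumentException("principal must not be null"); }`, plus `for (String role : roles != null ? roles : Collections.<String>emptyList())`, or at least an `@throws NullPointerException` note on the Javadoc, makes the contract explicit. The single `attributes` list is cleared and reused for the subject, resource, action and environment components, which is only safe because each `RequestComponentBuilder.create*` helper copies it with `addAll`; that dependency deserves a comment next to the first `attributes.clear()`.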
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,182 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.List;
+
+import org.opensaml.Configuration;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceContentType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+
+/**
+ * A set of utility methods to construct XACML 2.0 Request statements
+ */
+public final class RequestComponentBuilder {
+ private static volatile XACMLObjectBuilder<AttributeValueType> attributeValueTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<AttributeType> attributeTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<SubjectType> subjectTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<ResourceType> resourceTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<ActionType> actionTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<EnvironmentType> environmentTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder;
+
+ private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+
+ private RequestComponentBuilder() {
+ // complete
+ }
+
+ @SuppressWarnings("unchecked")
+ public static AttributeValueType createAttributeValueType(
+ String value
+ ) {
+ if (attributeValueTypeBuilder == null) {
+ attributeValueTypeBuilder = (XACMLObjectBuilder<AttributeValueType>)
+ builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
+ }
+ AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
+ attributeValue.setValue(value);
+
+ return attributeValue;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static AttributeType createAttributeType(
+ String attributeId,
+ String dataType,
+ String issuer,
+ List<AttributeValueType> attributeValues
+ ) {
+ if (attributeTypeBuilder == null) {
+ attributeTypeBuilder = (XACMLObjectBuilder<AttributeType>)
+ builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
+ }
+ AttributeType attributeType = attributeTypeBuilder.buildObject();
+ attributeType.setAttributeID(attributeId);
+ attributeType.setDataType(dataType);
+ attributeType.setIssuer(issuer);
+ attributeType.getAttributeValues().addAll(attributeValues);
+
+ return attributeType;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static SubjectType createSubjectType(
+ List<AttributeType> attributes,
+ String subjectCategory
+ ) {
+ if (subjectTypeBuilder == null) {
+ subjectTypeBuilder = (XACMLObjectBuilder<SubjectType>)
+ builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
+ }
+ SubjectType subject = subjectTypeBuilder.buildObject();
+ if (attributes != null) {
+ subject.getAttributes().addAll(attributes);
+ }
+ subject.setSubjectCategory(subjectCategory);
+
+ return subject;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static ResourceType createResourceType(
+ List<AttributeType> attributes,
+ ResourceContentType resourceContent
+ ) {
+ if (resourceTypeBuilder == null) {
+ resourceTypeBuilder = (XACMLObjectBuilder<ResourceType>)
+ builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
+ }
+ ResourceType resource = resourceTypeBuilder.buildObject();
+ if (attributes != null) {
+ resource.getAttributes().addAll(attributes);
+ }
+ resource.setResourceContent(resourceContent);
+
+ return resource;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static ActionType createActionType(
+ List<AttributeType> attributes
+ ) {
+ if (actionTypeBuilder == null) {
+ actionTypeBuilder = (XACMLObjectBuilder<ActionType>)
+ builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
+ }
+ ActionType action = actionTypeBuilder.buildObject();
+ if (attributes != null) {
+ action.getAttributes().addAll(attributes);
+ }
+
+ return action;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static EnvironmentType createEnvironmentType(
+ List<AttributeType> attributes
+ ) {
+ if (environmentTypeBuilder == null) {
+ environmentTypeBuilder = (XACMLObjectBuilder<EnvironmentType>)
+ builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
+ }
+ EnvironmentType enviroment = environmentTypeBuilder.buildObject();
+ if (attributes != null) {
+ enviroment.getAttributes().addAll(attributes);
+ }
+
+ return enviroment;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static RequestType createRequestType(
+ List<SubjectType> subjects,
+ List<ResourceType> resources,
+ ActionType action,
+ EnvironmentType environment
+ ) {
+ if (requestTypeBuilder == null) {
+ requestTypeBuilder = (XACMLObjectBuilder<RequestType>)
+ builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
+ }
+ RequestType request = requestTypeBuilder.buildObject();
+ request.getSubjects().addAll(subjects);
+ request.getResources().addAll(resources);
+ request.setAction(action);
+ request.setEnvironment(environment);
+
+ return request;
+ }
+
+}
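Review bot: All seven factory methods repeat the same check-then-assign lazy initialisation of a volatile builder field, and none checks that `builderFactory.getBuilder(...)` returned non-null, so if the OpenSAML engine has not been bootstrapped before the first call the failure surfaces as a NullPointerException on `buildObject()` with no hint of the cause. A private generic helper removes the duplication, gives that failure a readable message, and narrows the `@SuppressWarnings("unchecked")` to a single place; the benign race where two threads each create a builder is unchanged and could be noted in a comment on the fields.
```java
    @SuppressWarnings("unchecked")
    private static <T> XACMLObjectBuilder<T> getBuilder(javax.xml.namespace.QName elementName) {
        XACMLObjectBuilder<T> builder =
            (XACMLObjectBuilder<T>) builderFactory.getBuilder(elementName);
        if (builder == null) {
            throw new IllegalStateException("No OpenSAML builder registered for " + elementName
                                            + " - was the SAML engine initialised?");
        }
        return builder;
    }

    public static AttributeValueType createAttributeValueType(
        String value
    ) {
        if (attributeValueTypeBuilder == null) {
            attributeValueTypeBuilder = getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
        }
        // … unchanged: buildObject() and setValue(value) …
    }

    // … unchanged: the other six create* methods, each using getBuilder(...) the same way …
```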
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,117 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.UUID;
+
+import org.joda.time.DateTime;
+import org.opensaml.Configuration;
+import org.opensaml.common.SAMLObjectBuilder;
+import org.opensaml.common.SAMLVersion;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
+import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+
+/**
+ * A set of utility methods to construct XACML SAML Request statements, based on the
+ * SAML 2.0 profile of XACML v2.0 specification.
+ */
+public final class SamlRequestComponentBuilder {
+ private static volatile XACMLObjectBuilder<XACMLAuthzDecisionQueryType> xacmlAuthzDecisionQueryTypeBuilder;
+
+ private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
+
+ private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+
+ private SamlRequestComponentBuilder() {
+ // complete
+ }
+
+ /**
+ * Create an AuthzDecisionQuery using the defaults
+ */
+ public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
+ String issuerValue,
+ RequestType request,
+ String namespace
+ ) {
+ return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
+ }
+
+ @SuppressWarnings("unchecked")
+ public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
+ boolean inputContextOnly,
+ boolean returnContext,
+ String issuerValue,
+ RequestType request,
+ String namespace
+ ) {
+ if (xacmlAuthzDecisionQueryTypeBuilder == null) {
+ xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>)
+ builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
+ }
+ XACMLAuthzDecisionQueryType authzQuery =
+ xacmlAuthzDecisionQueryTypeBuilder.buildObject(
+ namespace,
+ XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
+ SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
+ );
+ authzQuery.setID("_" + UUID.randomUUID().toString());
+ authzQuery.setVersion(SAMLVersion.VERSION_20);
+ authzQuery.setIssueInstant(new DateTime());
+ authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
+ authzQuery.setReturnContext(Boolean.valueOf(returnContext));
+
+ if (issuerValue != null) {
+ Issuer issuer = createIssuer(issuerValue);
+ authzQuery.setIssuer(issuer);
+ }
+
+ authzQuery.setRequest(request);
+
+ return authzQuery;
+ }
+
+
+ /**
+ * Create an Issuer object
+ *
+ * @param issuerValue of type String
+ * @return an Issuer object
+ */
+ @SuppressWarnings("unchecked")
+ public static Issuer createIssuer(String issuerValue) {
+ if (issuerBuilder == null) {
+ issuerBuilder = (SAMLObjectBuilder<Issuer>)
+ builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
+
+ }
+ Issuer issuer = issuerBuilder.buildObject();
+ //
+ // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD
+ // be unambiguous to the intended relying parties.
+ issuer.setValue(issuerValue);
+ return issuer;
+ }
+
+}
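Review bot: The five-argument createAuthzDecisionQuery sets the request on the query without checking it, so a null `request` yields a query that is missing the element the SAML profile of XACML requires and only fails later, at marshalling or at the PDP; a fail-fast `if (request == null) { throw new IllegalArgumentException("request must not be null"); }` before `authzQuery.setRequest(request)` would report the caller's error here. The three-argument overload's Javadoc, "Create an AuthzDecisionQuery using the defaults", should name those defaults, e.g. `InputContextOnly and ReturnContext are both set to false`, and the five-argument overload has no Javadoc at all. The comment in createIssuer is carried over from the Assertion context ("making the claim(s) in the assertion"); here the Issuer identifies the party issuing the AuthzDecisionQuery, so `// The entity issuing this AuthzDecisionQuery; SHOULD be unambiguous to the PDP` describes it more accurately.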
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,197 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+
+
+/**
+ * XACML 1.x and 2.0 Constants.
+ */
+public final class XACMLConstants {
+
+ //
+ // Attributes
+ //
+
+ public static final String CURRENT_TIME =
+ "urn:oasis:names:tc:xacml:1.0:environment:current-time";
+ public static final String CURRENT_DATE =
+ "urn:oasis:names:tc:xacml:1.0:environment:current-date";
+ public static final String CURRENT_DATETIME =
+ "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime";
+
+ //
+ // Identifiers
+ //
+
+ public static final String SUBJECT_DNS_NAME =
+ "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name";
+ public static final String SUBJECT_IP_ADDR =
+ "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address";
+ public static final String SUBJECT_AUTHN_METHOD =
+ "urn:oasis:names:tc:xacml:1.0:subject:authentication-method";
+ public static final String SUBJECT_AUTHN_TIME =
+ "urn:oasis:names:tc:xacml:1.0:subject:authentication-time";
+ public static final String SUBJECT_KEY_INFO =
+ "urn:oasis:names:tc:xacml:1.0:subject:key-info";
+ public static final String SUBJECT_REQ_TIME =
+ "urn:oasis:names:tc:xacml:1.0:subject:request-time";
+ public static final String SUBJECT_START_TIME =
+ "urn:oasis:names:tc:xacml:1.0:subject:session-start-time";
+ public static final String SUBJECT_ID =
+ "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
+ public static final String SUBJECT_ID_QUALIFIER =
+ "urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier";
+ public static final String SUBJECT_CAT_ACCESS_SUBJECT =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
+ public static final String SUBJECT_CAT_CODEBASE =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:codebase";
+ public static final String SUBJECT_CAT_INTERMED_SUBJECT =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject";
+ public static final String SUBJECT_CAT_REC_SUBJECT =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject";
+ public static final String SUBJECT_CAT_REQ_MACHINE =
+ "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine";
+ public static final String RESOURCE_LOC =
+ "urn:oasis:names:tc:xacml:1.0:resource:resource-location";
+ public static final String RESOURCE_ID =
+ "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
+ public static final String RESOURCE_FILE_NAME =
+ "urn:oasis:names:tc:xacml:1.0:resource:simple-file-name";
+ public static final String ACTION_ID =
+ "urn:oasis:names:tc:xacml:1.0:action:action-id";
+ public static final String ACTION_IMPLIED =
+ "urn:oasis:names:tc:xacml:1.0:action:implied-action";
+ public static final String SUBJECT_ROLE =
+ "urn:oasis:names:tc:xacml:2.0:subject:role";
+
+
+ //
+ // Datatypes
+ //
+
+ public static final String XS_STRING =
+ "http://www.w3.org/2001/XMLSchema#string";
+ public static final String XS_BOOLEAN =
+ "http://www.w3.org/2001/XMLSchema#boolean";
+ public static final String XS_INT =
+ "http://www.w3.org/2001/XMLSchema#integer";
+ public static final String XS_DOUBLE =
+ "http://www.w3.org/2001/XMLSchema#double";
+ public static final String XS_TIME =
+ "http://www.w3.org/2001/XMLSchema#time";
+ public static final String XS_DATE =
+ "http://www.w3.org/2001/XMLSchema#date";
+ public static final String XS_DATETIME =
+ "http://www.w3.org/2001/XMLSchema#dateTime";
+ public static final String XS_ANY_URI =
+ "http://www.w3.org/2001/XMLSchema#anyURI";
+ public static final String XS_HEX =
+ "http://www.w3.org/2001/XMLSchema#hexBinary";
+ public static final String XS_BASE64 =
+ "http://www.w3.org/2001/XMLSchema#base64Binary";
+ public static final String RFC_822_NAME =
+ "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name";
+ public static final String X500_NAME =
+ "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
+
+ //
+ // Functions
+ //
+ public static final String FUNC_STRING_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:string-equal";
+ public static final String FUNC_BOOL_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:boolean-equal";
+ public static final String FUNC_INT_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-equal";
+ public static final String FUNC_DOUBLE_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:double-equal";
+ public static final String FUNC_DATE_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:date-equal";
+ public static final String FUNC_TIME_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:time-equal";
+ public static final String FUNC_DATETIME_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-equal";
+ public static final String FUNC_ANY_URI_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal";
+ public static final String FUNC_X500_NAME_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:x500Name-equal";
+ public static final String FUNC_RFC_822_NAME_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal";
+ public static final String FUNC_HEX_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal";
+ public static final String FUNC_BASE64_EQUAL =
+ "urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal";
+
+ public static final String FUNC_INT_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than";
+ public static final String FUNC_INT_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal";
+ public static final String FUNC_INT_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-less-than";
+ public static final String FUNC_INT_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal";
+ public static final String FUNC_DOUBLE_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:double-greater-than";
+ public static final String FUNC_DOUBLE_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal";
+ public static final String FUNC_DOUBLE_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:double-less-than";
+ public static final String FUNC_DOUBLE_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal";
+
+ public static final String FUNC_STRING_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:string-greater-than";
+ public static final String FUNC_STRING_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal";
+ public static final String FUNC_STRING_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:string-less-than";
+ public static final String FUNC_STRING_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal";
+ public static final String FUNC_TIME_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:time-greater-than";
+ public static final String FUNC_TIME_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal";
+ public static final String FUNC_TIME_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:time-less-than";
+ public static final String FUNC_TIME_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal";
+ public static final String FUNC_DATETIME_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than";
+ public static final String FUNC_DATETIME_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal";
+ public static final String FUNC_DATETIME_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than";
+ public static final String FUNC_DATETIME_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal";
+ public static final String FUNC_DATE_GT =
+ "urn:oasis:names:tc:xacml:1.0:function:date-greater-than";
+ public static final String FUNC_DATE_GTE =
+ "urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal";
+ public static final String FUNC_DATE_LT =
+ "urn:oasis:names:tc:xacml:1.0:function:date-less-than";
+ public static final String FUNC_DATE_LTE =
+ "urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal";
+
+
+ private XACMLConstants() {
+ // complete
+ }
+}
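Review bot: The section comments in XACMLConstants do not match their contents: the `// Attributes` block holds the three environment attribute identifiers, while `// Identifiers` mixes subject, subject-category, resource and action attribute identifiers; `// Environment attribute identifiers` and `// Subject, subject-category, resource and action attribute identifiers` would describe them. `XS_INT` maps to `XMLSchema#integer`, which `XS_INTEGER` would name accurately; if the public name is kept, a Javadoc line `/** The xs:integer datatype. */` at least prevents it being read as a 32-bit int.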
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.opensaml.xacml.ctx.RequestType;
+
+
+/**
+ * This interface defines a way to create an XACML Request.
+ */
+public interface XACMLRequestBuilder {
+
+ /**
+ * Create an XACML Request given a Principal, list of roles and Message.
+ *
+ * @param principal The principal to insert into the Subject of the Request
+ * @param roles The list of roles associated with the principal
+ * @param message The Message from which to retrieve the resource
+ * @return An OpenSAML RequestType object
+ * @throws Exception
+ */
+ RequestType createRequest(
+ Principal principal, List<String> roles, Message message
+ ) throws Exception;
+
+ /**
+ * Return the Resource that has been inserted into the Request.
+ *
+ * @param message The Message from which to retrieve the resource
+ * @return the Resource that has been inserted into the Request
+ */
+ String getResource(Message message);
+}
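Review bot: The `@throws Exception` tag on createRequest has no description, and the `throws Exception` clause itself tells implementers nothing about what failure means; `@throws Exception if a Request cannot be built from the given Principal, roles and Message` documents the contract, and narrowing the clause to a specific type is worth deciding while the interface is new, since it cannot be narrowed compatibly later. The nullability of `principal` and `roles` is also undocumented, and the default implementation's handling of them is not in this hunk, so the `@param` tags should state whatever it actually accepts, e.g. `@param roles The list of roles associated with the principal (may be empty, must not be null)` if that is the case.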
Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,222 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.joda.time.DateTime;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+
+/**
+ * Some unit tests to create a XACML Request using the RequestComponentBuilder.
+ */
+public class RequestComponentBuilderTest extends org.junit.Assert {
+
+ private DocumentBuilder docBuilder;
+ static {
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ public RequestComponentBuilderTest() throws ParserConfigurationException {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+ }
+
+ @org.junit.Test
+ public void testCreateXACMLRequest() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ AttributeValueType subjectGroupAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "manager"
+ );
+ AttributeType subjectGroupAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ "admin-user@apache.org",
+ Collections.singletonList(subjectGroupAttributeValue)
+ );
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ attributes.add(subjectGroupAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ null
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(request, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+ @org.junit.Test
+ public void testEnvironment() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Environment
+ DateTime dateTime = new DateTime();
+ AttributeValueType environmentAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(dateTime.toString());
+ AttributeType environmentAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.CURRENT_DATETIME,
+ XACMLConstants.XS_DATETIME,
+ null,
+ Collections.singletonList(environmentAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(environmentAttribute);
+ EnvironmentType environmentType =
+ RequestComponentBuilder.createEnvironmentType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ environmentType
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(request, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+}
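Review bot: testCreateXACMLRequest reuses one `attributes` list across the Subject, Resource and Action and calls `attributes.clear()` after each has been passed in, which is only correct because the builder copies the list (createActionType does `action.getAttributes().addAll(attributes)` in the earlier hunk) rather than retaining it; the same is assumed for createSubjectType and createResourceType, whose bodies are outside this chunk. A fresh list per component, or `Collections.singletonList(resourceAttribute)` as already used for the values, removes that dependence on an implementation detail. Both tests also end with only `assertNotNull(policyElement)`, which would pass even if every attribute were dropped; asserting on the built request, e.g. `assertEquals(1, request.getSubjects().size());` and `assertEquals(XACMLConstants.ACTION_ID, request.getAction().getAttributes().get(0).getAttributeID());`, pins the behaviour. SamlRequestComponentBuilderTest's testCreateXACMLSamlAuthzQueryRequest has the same list reuse and the same single assertion.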
Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,154 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
+import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
+
+
+/**
+ * Some unit tests for creating a SAML XACML Request.
+ */
+public class SamlRequestComponentBuilderTest extends org.junit.Assert {
+
+ private DocumentBuilder docBuilder;
+ static {
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ public SamlRequestComponentBuilderTest() throws ParserConfigurationException {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+ }
+
+ @org.junit.Test
+ public void testCreateXACMLSamlAuthzQueryRequest() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ //
+ // Create XACML request
+ //
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ AttributeValueType subjectGroupAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "manager"
+ );
+ AttributeType subjectGroupAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ "admin-user@apache.org",
+ Collections.singletonList(subjectGroupAttributeValue)
+ );
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ attributes.add(subjectGroupAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ null
+ );
+
+ //
+ // Create SAML wrapper
+ //
+
+ XACMLAuthzDecisionQueryType authzQuery =
+ SamlRequestComponentBuilder.createAuthzDecisionQuery(
+ "Issuer", request, SAMLProfileConstants.SAML20XACML20P_NS
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(authzQuery, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+
+}
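Review bot: testCreateXACMLSamlAuthzQueryRequest passes `"Issuer"` and `request` into createAuthzDecisionQuery but never checks that either reached the query, and the five-argument overload with `inputContextOnly`/`returnContext` is not exercised at all. Assertions such as `assertEquals("Issuer", authzQuery.getIssuer().getValue());`, `assertSame(request, authzQuery.getRequest());` and `assertTrue(authzQuery.getID().startsWith("_"));` would catch a regression in the wrapper itself rather than only in marshalling. A second test calling the overload with `true, true` and checking the corresponding getters would cover the remaining branch.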
Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.opensaml.Configuration;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.DecisionType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusCodeType;
+import org.opensaml.xacml.ctx.StatusType;
+import org.opensaml.xacml.ctx.SubjectType;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+
+
+/**
+ * A test implementation of AbstractXACMLAuthorizingInterceptor. It just mocks up a Response
+ * object based on the role of the Subject. If the role is "manager" then it permits the
+ * request, otherwise it denies it.
+ */
+public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
+
+ public ResponseType performRequest(RequestType request, Message message) throws Exception {
+
+ XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<ResponseType> responseTypeBuilder =
+ (XACMLObjectBuilder<ResponseType>)
+ builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<ResultType> resultTypeBuilder =
+ (XACMLObjectBuilder<ResultType>)
+ builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<DecisionType> decisionTypeBuilder =
+ (XACMLObjectBuilder<DecisionType>)
+ builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<StatusType> statusTypeBuilder =
+ (XACMLObjectBuilder<StatusType>)
+ builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<StatusCodeType> statusCodeTypeBuilder =
+ (XACMLObjectBuilder<StatusCodeType>)
+ builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
+
+ DecisionType decisionType = decisionTypeBuilder.buildObject();
+
+ String role = getSubjectRole(request);
+ if ("manager".equals(role)) {
+ decisionType.setDecision(DecisionType.DECISION.Permit);
+ } else {
+ decisionType.setDecision(DecisionType.DECISION.Deny);
+ }
+
+ ResultType result = resultTypeBuilder.buildObject();
+ result.setDecision(decisionType);
+
+ StatusType status = statusTypeBuilder.buildObject();
+ StatusCodeType statusCode = statusCodeTypeBuilder.buildObject();
+ statusCode.setValue("urn:oasis:names:tc:xacml:1.0:status:ok");
+ status.setStatusCode(statusCode);
+ result.setStatus(status);
+
+ ResponseType response = responseTypeBuilder.buildObject();
+ response.setResult(result);
+
+ return response;
+ }
+
+ private String getSubjectRole(RequestType request) {
+ List<SubjectType> subjects = request.getSubjects();
+ if (subjects != null) {
+ for (SubjectType subject : subjects) {
+ List<AttributeType> attributes = subject.getAttributes();
+ if (attributes != null) {
+ for (AttributeType attribute : attributes) {
+ if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeID())) {
+ return attribute.getAttributeValues().get(0).getValue();
+ }
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+
+}
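Review bot: getSubjectRole calls `attribute.getAttributeValues().get(0)` on the first role attribute without checking that the list has an element, so a Subject carrying an empty `urn:oasis:names:tc:xacml:2.0:subject:role` attribute makes performRequest throw IndexOutOfBoundsException instead of falling through to the Deny that the else-branch intends; `if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeID()) && !attribute.getAttributeValues().isEmpty()) {` keeps the null return (and hence Deny) for that case. This is a test double, but it is the only PDP exercised by XACMLAuthorizingInterceptorTest, so an exception here reads as an interceptor failure. The lookup also stops at the first role attribute, which the class Javadoc ("based on the role of the Subject") should state, since a Subject with several role attributes is decided only by the first one encountered.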
Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+
+
+/**
+ * Some unit tests to test the AbstractXACMLAuthorizingInterceptor.
+ */
+public class XACMLAuthorizingInterceptorTest extends org.junit.Assert {
+
+ static {
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ @org.junit.Test
+ public void testPermit() throws Exception {
+ // Mock up a Security Context
+ SecurityContext sc = createSecurityContext("alice", "manager");
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, operation);
+ msg.put(SecurityContext.class, sc);
+
+ XACMLAuthorizingInterceptor authorizingInterceptor =
+ new XACMLAuthorizingInterceptor();
+ authorizingInterceptor.handleMessage(msg);
+ }
+
+ @org.junit.Test
+ public void testDeny() throws Exception {
+ // Mock up a Security Context
+ SecurityContext sc = createSecurityContext("alice", "boss");
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, operation);
+ msg.put(SecurityContext.class, sc);
+
+ XACMLAuthorizingInterceptor authorizingInterceptor =
+ new XACMLAuthorizingInterceptor();
+
+ try {
+ authorizingInterceptor.handleMessage(msg);
+ fail("Failure expected on deny");
+ } catch (Exception ex) {
+ // Failure expected
+ }
+ }
+
+ private SecurityContext createSecurityContext(final String user, final String role) {
+ return new LoginSecurityContext() {
+
+ @Override
+ public Principal getUserPrincipal() {
+ return new Principal() {
+ public String getName() {
+ return user;
+ }
+ };
+ }
+
+ @Override
+ public boolean isUserInRole(String role) {
+ return false;
+ }
+
+ @Override
+ public Subject getSubject() {
+ return null;
+ }
+
+ @Override
+ public Set<Principal> getUserRoles() {
+ Set<Principal> principals = new HashSet<Principal>();
+ principals.add(new Principal() {
+ public String getName() {
+ return role;
+ }
+ });
+ return principals;
+ }
+
+ };
+ }
+
+}
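Review bot: `catch (Exception ex)` in `testDeny` accepts any exception, so a regression in which the interceptor fails before it evaluates the decision (for instance a NullPointerException from a missing SecurityContext) would still pass as a "deny"; narrow the catch to the exception type the interceptor raises on a Deny decision, or assert on the caught exception's message so the test pins the denial rather than any failure. In the anonymous `LoginSecurityContext`, `isUserInRole(String role)` shadows the captured `role` argument of `createSecurityContext` and always returns `false` while `getUserRoles()` does report the role; renaming the parameter, e.g. `public boolean isUserInRole(String roleName) {`, removes the shadowing, and a comment such as `// Role is exposed via getUserRoles() only; the interceptor appears not to use isUserInRole()` would make the mock's intent explicit (that the interceptor reads getUserRoles() is inferred from the test, since its code is not in this hunk). `testPermit` verifies only that `handleMessage` returns, which is sufficient here but deserves a one-line comment: `// Permit: handleMessage must return without throwing`.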
Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,155 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.Collections;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.opensaml.xacml.ctx.RequestType;
+
+
+/**
+ * Some unit tests to create a XACML Request via the XACMLRequestBuilder interface.
+ */
+public class XACMLRequestBuilderTest extends org.junit.Assert {
+
+ static {
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ @org.junit.Test
+ public void testXACMLRequestBuilder() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, operation);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ }
+
+ @org.junit.Test
+ public void testResource() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, operation);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ assertEquals(operation, builder.getResource(msg));
+
+ operation = "user/list.json";
+ msg = new MessageImpl();
+ msg.put(Message.REQUEST_URI, operation);
+
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ assertEquals(operation, builder.getResource(msg));
+
+ operation = "https://localhost:8080/user/list.json";
+ msg = new MessageImpl();
+ msg.put(Message.REQUEST_URL, operation);
+
+ ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(true);
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ assertEquals(operation, builder.getResource(msg));
+ }
+
+ @org.junit.Test
+ public void testAction() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, operation);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ String action =
+ request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
+ assertEquals(action, "execute");
+
+ ((DefaultXACMLRequestBuilder)builder).setAction("write");
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ action =
+ request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
+ assertEquals(action, "write");
+ }
+
+ @org.junit.Test
+ public void testEnvironment() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, operation);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ assertNotNull(request.getEnvironment());
+
+ ((DefaultXACMLRequestBuilder)builder).setSendDateTime(false);
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ assertNull(request.getEnvironment());
+ }
+
+}
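Review bot: `assertEquals(action, "execute")` in `testAction`, and `assertEquals(action, "write")` below it, pass the actual value in the expected position, which inverts the failure message; write `assertEquals("execute", action);` and `assertEquals("write", action);`. The anonymous `Principal` returning "alice" is copied into all four tests and could be a private helper or a `static final` field, mirroring the `createSecurityContext` helper in XACMLAuthorizingInterceptorTest. In `testResource` the three blocks (WSDL_OPERATION, REQUEST_URI, REQUEST_URL with `setSendFullRequestURL(true)`) are checked only through `getResource`, and the precedence between those properties is not visible in this hunk; a comment on each block stating which property it is meant to exercise, e.g. `// REQUEST_URL only becomes the resource once sendFullRequestURL is enabled`, would make what is under test explicit, with that wording confirmed against DefaultXACMLRequestBuilder.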
Modified: cxf/trunk/systests/ws-security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/pom.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/pom.xml (original)
+++ cxf/trunk/systests/ws-security/pom.xml Wed Nov 28 12:47:26 2012
@@ -110,6 +110,11 @@
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-security</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-databinding-jaxb</artifactId>
<version>${project.version}</version>
</dependency>
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java Wed Nov 28 12:47:26 2012
@@ -29,6 +29,7 @@ import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.systest.ws.common.SecurityTestUtil;
import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
+import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
import org.apache.cxf.systest.ws.saml.server.Server;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
@@ -561,5 +562,54 @@ public class SamlTokenTest extends Abstr
bus.shutdown(true);
}
+ // In this test-case, the WSP is configured with a XACML PEP interceptor, which in this
+ // case just mocks the call to the PDP + enforces the decision
+ @org.junit.Test
+ public void testSaml2PEP() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml2PEPPort");
+ DoubleItPortType saml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(saml2Port, PORT);
+
+ try {
+ saml2Port.doubleIt(25);
+ fail("Failure expected as Assertion doesn't contain Role information");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ SamlRoleCallbackHandler roleCallbackHandler =
+ new SamlRoleCallbackHandler();
+ roleCallbackHandler.setRoleName("manager");
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", roleCallbackHandler
+ );
+
+ int result = saml2Port.doubleIt(25);
+ assertTrue(result == 50);
+
+ // Expected failure on incorrect role
+ roleCallbackHandler.setRoleName("boss");
+ try {
+ saml2Port.doubleIt(25);
+ fail("Failure expected as Assertion doesn't contain correct role");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)saml2Port).close();
+ bus.shutdown(true);
+ }
+
}
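Review bot: Both `catch (javax.xml.ws.soap.SOAPFaultException ex)` blocks in `testSaml2PEP` accept any SOAP fault, so a fault unrelated to the PEP's Deny decision (an unreachable endpoint, a SAML signature or validation error, a server-side misconfiguration) would satisfy the "failure expected" branches and the authorization enforcement would never actually be exercised; asserting on the fault, e.g. `assertTrue(ex.getMessage().contains("<deny-fault-message>"))`, ties each expected failure to the denial. The fault text the interceptor emits on Deny is not in this hunk, so the placeholder must be replaced with the real message. `assertTrue(result == 50)` should be `assertEquals(50, result);` so a failure reports the actual value. The enclosing class `SamlTokenTest` starts outside the hunk.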