You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2012/11/16 17:56:58 UTC
svn commit: r1410467 - in /cxf/trunk:
rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/claims/
services/sts/sy...
Author: coheigea
Date: Fri Nov 16 16:56:56 2012
New Revision: 1410467
URL: http://svn.apache.org/viewvc?rev=1410467&view=rev
Log:
[CXF-4638][CXF-4639] - Add ability to set STSClient Claims via a CallbackHandler
- Add ability to send an existing SAML Token via the JAX-RS SAML code
Added:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/claims/
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/claims/ClaimsCallback.java
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsCallbackHandler.java
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItNoClaims.wsdl
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client-cbhandler.xml
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlRetrievalInterceptor.java
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlFormOutInterceptor.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlHeaderOutInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLConstants.java?rev=1410467&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLConstants.java (added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLConstants.java Fri Nov 16 16:56:56 2012
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml;
+
+/**
+ * Some constant configuration options
+ */
+public final class SAMLConstants {
+
+ /**
+ * This tag refers to a DOM Element representation of a SAML Token. If a SAML Token
+ * is stored on the Message Context, then the SamlFormOutInterceptor and
+ * SamlHeaderOutInterceptor will use this token instead of creating a new SAML Token.
+ */
+ public static final String SAML_TOKEN_ELEMENT = "rs-security.saml.token.element";
+
+ private SAMLConstants() {
+ // complete
+ }
+}
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlFormOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlFormOutInterceptor.java?rev=1410467&r1=1410466&r2=1410467&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlFormOutInterceptor.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlFormOutInterceptor.java Fri Nov 16 16:56:56 2012
@@ -25,6 +25,8 @@ import java.util.logging.Logger;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
+import org.w3c.dom.Element;
+
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxrs.ext.form.Form;
@@ -42,8 +44,16 @@ public class SamlFormOutInterceptor exte
if (form == null) {
return;
}
- AssertionWrapper assertionWrapper = createAssertion(message);
+
try {
+ Element samlToken =
+ (Element)message.getContextualProperty(SAMLConstants.SAML_TOKEN_ELEMENT);
+ AssertionWrapper assertionWrapper;
+ if (samlToken != null) {
+ assertionWrapper = new AssertionWrapper(samlToken);
+ } else {
+ assertionWrapper = createAssertion(message);
+ }
String encodedToken = encodeToken(assertionWrapper.assertionToString());
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlHeaderOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlHeaderOutInterceptor.java?rev=1410467&r1=1410466&r2=1410467&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlHeaderOutInterceptor.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlHeaderOutInterceptor.java Fri Nov 16 16:56:56 2012
@@ -26,6 +26,8 @@ import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
+import org.w3c.dom.Element;
+
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
@@ -37,8 +39,15 @@ public class SamlHeaderOutInterceptor ex
LogUtils.getL7dLogger(SamlHeaderOutInterceptor.class);
public void handleMessage(Message message) throws Fault {
- AssertionWrapper assertionWrapper = createAssertion(message);
try {
+ Element samlToken =
+ (Element)message.getContextualProperty(SAMLConstants.SAML_TOKEN_ELEMENT);
+ AssertionWrapper assertionWrapper;
+ if (samlToken != null) {
+ assertionWrapper = new AssertionWrapper(samlToken);
+ } else {
+ assertionWrapper = createAssertion(message);
+ }
String encodedToken = encodeToken(assertionWrapper.assertionToString());
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java?rev=1410467&r1=1410466&r2=1410467&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java Fri Nov 16 16:56:56 2012
@@ -103,6 +103,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.Trust10;
import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.trust.claims.ClaimsCallback;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.apache.cxf.wsdl.EndpointReferenceUtils;
import org.apache.cxf.wsdl.WSDLManager;
@@ -154,6 +155,7 @@ public class STSClient implements Config
protected boolean requiresEntropy = true;
protected Element template;
protected Element claims;
+ protected CallbackHandler claimsCallbackHandler;
protected AlgorithmSuite algorithmSuite;
protected String namespace = STSUtils.WST_NS_05_12;
protected String addressingNamespace;
@@ -1267,9 +1269,16 @@ public class STSClient implements Config
}
}
- protected void addClaims(XMLStreamWriter writer) throws XMLStreamException {
+ protected void addClaims(XMLStreamWriter writer) throws Exception {
if (claims != null) {
StaxUtils.copy(claims, writer);
+ } else if (claimsCallbackHandler != null) {
+ ClaimsCallback callback = new ClaimsCallback(message);
+ claimsCallbackHandler.handle(new Callback[]{callback});
+ Element claimsElement = callback.getClaims();
+ if (claimsElement != null) {
+ StaxUtils.copy(claimsElement, writer);
+ }
}
}
@@ -1602,4 +1611,12 @@ public class STSClient implements Config
public List<Feature> getFeatures() {
return features;
}
+
+ public CallbackHandler getClaimsCallbackHandler() {
+ return claimsCallbackHandler;
+ }
+
+ public void setClaimsCallbackHandler(CallbackHandler claimsCallbackHandler) {
+ this.claimsCallbackHandler = claimsCallbackHandler;
+ }
}
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/claims/ClaimsCallback.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/claims/ClaimsCallback.java?rev=1410467&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/claims/ClaimsCallback.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/claims/ClaimsCallback.java Fri Nov 16 16:56:56 2012
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.trust.claims;
+
+import javax.security.auth.callback.Callback;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.message.Message;
+
+/**
+ * This Callback class provides a pluggable way of sending Claims to the STS. A CallbackHandler
+ * instance will be supplied with this class, which contains a reference to the current
+ * Message. The CallbackHandler implementation is required to set the claims Element to be
+ * sent in the request.
+ */
+public class ClaimsCallback implements Callback {
+
+ private Element claims;
+
+ private Message currentMessage;
+
+ public ClaimsCallback() {
+ //
+ }
+
+ public ClaimsCallback(Message currentMessage) {
+ this.currentMessage = currentMessage;
+ }
+
+ public void setClaims(Element claims) {
+ this.claims = claims;
+ }
+
+ public Element getClaims() {
+ return claims;
+ }
+
+ public void setCurrentMessage(Message currentMessage) {
+ this.currentMessage = currentMessage;
+ }
+
+ public Message getCurrentMessage() {
+ return currentMessage;
+ }
+
+}
Added: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsCallbackHandler.java?rev=1410467&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsCallbackHandler.java (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsCallbackHandler.java Fri Nov 16 16:56:56 2012
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.sts.claims;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.security.trust.claims.ClaimsCallback;
+
+/**
+ * This CallbackHandler implementation creates a Claims Element for a "role" ClaimType and
+ * stores it on the ClaimsCallback object.
+ */
+public class ClaimsCallbackHandler implements CallbackHandler {
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof ClaimsCallback) {
+ ClaimsCallback callback = (ClaimsCallback) callbacks[i];
+ callback.setClaims(createClaims());
+
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+ }
+ }
+ }
+
+ /**
+ * Create a Claims Element for a "role"
+ */
+ private Element createClaims() {
+ Document doc = DOMUtils.createDocument();
+ Element claimsElement =
+ doc.createElementNS("http://docs.oasis-open.org/ws-sx/ws-trust/200512", "Claims");
+ claimsElement.setAttributeNS(null, "Dialect", "http://schemas.xmlsoap.org/ws/2005/05/identity");
+ Element claimType =
+ doc.createElementNS("http://schemas.xmlsoap.org/ws/2005/05/identity", "ClaimType");
+ claimType.setAttributeNS(null, "Uri", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
+ claimsElement.appendChild(claimType);
+ return claimsElement;
+ }
+
+}
Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java?rev=1410467&r1=1410466&r2=1410467&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java Fri Nov 16 16:56:56 2012
@@ -222,6 +222,32 @@ public class ClaimsTest extends Abstract
bus.shutdown(true);
}
+ // In this test, the WSDL the client is using has no Claims Element (however the service
+ // is using a WSDL that requires Claims). A CallbackHandler is used to send the Claims
+ // Element to the STS.
+ @org.junit.Test
+ public void testSaml2ClaimsCallbackHandler() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ClaimsTest.class.getResource("cxf-client-cbhandler.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ClaimsTest.class.getResource("DoubleItNoClaims.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2ClaimsPort");
+ DoubleItPortType transportClaimsPort =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportClaimsPort, PORT);
+
+ doubleIt(transportClaimsPort, 25);
+
+ ((java.io.Closeable)transportClaimsPort).close();
+ bus.shutdown(true);
+ }
+
private static void doubleIt(DoubleItPortType port, int numToDouble) {
int resp = port.doubleIt(numToDouble);
assertEquals(numToDouble * 2 , resp);
Added: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItNoClaims.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItNoClaims.wsdl?rev=1410467&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItNoClaims.wsdl (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItNoClaims.wsdl Fri Nov 16 16:56:56 2012
@@ -0,0 +1,186 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions name="DoubleIt"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:di="http://www.example.org/schema/DoubleIt"
+ xmlns:tns="http://www.example.org/contract/DoubleIt" xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+ xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsaw="http://www.w3.org/2005/08/addressing"
+ xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" targetNamespace="http://www.example.org/contract/DoubleIt">
+
+ <wsdl:import location="src/test/resources/DoubleItLogical.wsdl"
+ namespace="http://www.example.org/contract/DoubleIt"/>
+
+ <wsdl:binding name="DoubleItTransportSAML2ClaimsBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItBindingTransportSAML2ClaimsPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy" />
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+
+ <wsdl:service name="DoubleItService">
+ <wsdl:port name="DoubleItTransportSAML2ClaimsPort"
+ binding="tns:DoubleItTransportSAML2ClaimsBinding">
+ <soap:address
+ location="https://localhost:8081/doubleit/services/doubleittransportsaml2claims" />
+ </wsdl:port>
+ </wsdl:service>
+
+ <wsp:Policy wsu:Id="DoubleItBindingTransportSAML2ClaimsPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsam:Addressing wsp:Optional="false">
+ <wsp:Policy />
+ </wsam:Addressing>
+ <sp:TransportBinding
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy/>
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:TripleDesRsa15 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:SupportingTokens
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:IssuedToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <sp:RequestSecurityTokenTemplate>
+ <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
+ <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
+ </sp:RequestSecurityTokenTemplate>
+ <wsp:Policy>
+ <sp:RequireInternalReference />
+ </wsp:Policy>
+ <sp:Issuer>
+ <wsaw:Address>http://localhost:8080/SecurityTokenService/UT
+ </wsaw:Address>
+ <wsaw:Metadata>
+ <wsx:Metadata>
+ <wsx:MetadataSection>
+ <wsx:MetadataReference>
+ <wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+ </wsaw:Address>
+ </wsx:MetadataReference>
+ </wsx:MetadataSection>
+ </wsx:Metadata>
+ </wsaw:Metadata>
+ </sp:Issuer>
+ </sp:IssuedToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial />
+ <sp:MustSupportRefThumbprint />
+ <sp:MustSupportRefEncryptedKey />
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:Trust13>
+ <wsp:Policy>
+ <sp:MustSupportIssuedTokens />
+ <sp:RequireClientEntropy />
+ <sp:RequireServerEntropy />
+ </wsp:Policy>
+ </sp:Trust13>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="AckRequested"
+ Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+ <sp:Header Name="SequenceAcknowledgement"
+ Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+ <sp:Header Name="Sequence"
+ Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+ <sp:Header Name="CreateSequence"
+ Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
+ <sp:Header Name="AckRequested"
+ Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+ <sp:Header Name="SequenceAcknowledgement"
+ Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+ <sp:Header Name="Sequence"
+ Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+ <sp:Header Name="CreateSequence"
+ Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+</wsdl:definitions>
Added: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client-cbhandler.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client-cbhandler.xml?rev=1410467&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client-cbhandler.xml (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client-cbhandler.xml Fri Nov 16 16:56:56 2012
@@ -0,0 +1,83 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xsi:schemaLocation="
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
+http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
+http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">
+
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <bean id="roleClaimsCallbackHandler" class="org.apache.cxf.systest.sts.claims.ClaimsCallbackHandler" />
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSAML2ClaimsPort" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.sts.client">
+ <bean class="org.apache.cxf.ws.security.trust.STSClient">
+ <constructor-arg ref="cxf"/>
+ <property name="wsdlLocation"
+ value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport?wsdl"/>
+ <property name="serviceName"
+ value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+ <property name="endpointName"
+ value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
+ <property name="claimsCallbackHandler" ref="roleClaimsCallbackHandler" />
+ <property name="properties">
+ <map>
+ <entry key="ws-security.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.sts.token.username" value="myclientkey"/>
+ <entry key="ws-security.sts.token.properties" value="clientKeystore.properties"/>
+ <entry key="ws-security.sts.token.usecert" value="true"/>
+ </map>
+ </property>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <http:conduit name="https://localhost:.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+ </sec:trustManagers>
+ <sec:keyManagers keyPassword="ckpass">
+ <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+ </sec:keyManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+
+</beans>
+
Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java?rev=1410467&r1=1410466&r2=1410467&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java (original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java Fri Nov 16 16:56:56 2012
@@ -41,7 +41,6 @@ import org.apache.cxf.rs.security.saml.S
import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;
import org.apache.cxf.systest.jaxrs.security.Book;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
import org.junit.BeforeClass;
import org.junit.Test;
@@ -110,6 +109,53 @@ public class JAXRSSamlTest extends Abstr
doTestEnvelopedSAMLToken(false);
}
+ @Test
+ public void testGetBookPreviousSAMLTokenAsHeader() throws Exception {
+ String address = "https://localhost:" + PORT + "/samlheader/bookstore/books/123";
+
+ WebClient wc =
+ createWebClientForExistingToken(address, new SamlHeaderOutInterceptor(), null);
+
+ try {
+ Book book = wc.get(Book.class);
+ assertEquals(123L, book.getId());
+ } catch (WebApplicationException ex) {
+ fail(ex.getMessage());
+ } catch (ClientException ex) {
+ if (ex.getCause() != null && ex.getCause().getMessage() != null) {
+ fail(ex.getCause().getMessage());
+ } else {
+ fail(ex.getMessage());
+ }
+ }
+
+ }
+
+ @Test
+ public void testGetBookPreviousSAMLTokenInForm() throws Exception {
+ String address = "https://localhost:" + PORT + "/samlform/bookstore/books";
+ FormEncodingProvider<Form> formProvider = new FormEncodingProvider<Form>();
+ formProvider.setExpectedEncoded(true);
+ WebClient wc = createWebClientForExistingToken(address, new SamlFormOutInterceptor(),
+ formProvider);
+
+ wc.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_XML);
+ try {
+ Book book = wc.post(new Form().set("name", "CXF").set("id", 125),
+ Book.class);
+ assertEquals(125L, book.getId());
+ } catch (WebApplicationException ex) {
+ fail(ex.getMessage());
+ } catch (ClientException ex) {
+ if (ex.getCause() != null && ex.getCause().getMessage() != null) {
+ fail(ex.getCause().getMessage());
+ } else {
+ fail(ex.getMessage());
+ }
+ }
+
+ }
+
public void doTestEnvelopedSAMLToken(boolean signed) throws Exception {
String address = "https://localhost:" + PORT + "/samlxml/bookstore/books";
WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed),
@@ -167,4 +213,23 @@ public class JAXRSSamlTest extends Abstr
}
return bean.createWebClient();
}
+
+ private WebClient createWebClientForExistingToken(String address,
+ Interceptor<Message> outInterceptor,
+ Object provider) {
+ JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+ bean.setAddress(address);
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = JAXRSSamlTest.class.getResource("client.xml");
+ Bus springBus = bf.createBus(busFile.toString());
+ bean.setBus(springBus);
+
+ bean.getOutInterceptors().add(outInterceptor);
+ bean.getOutInterceptors().add(new SamlRetrievalInterceptor());
+ if (provider != null) {
+ bean.setProvider(provider);
+ }
+ return bean.createWebClient();
+ }
}
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlRetrievalInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlRetrievalInterceptor.java?rev=1410467&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlRetrievalInterceptor.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlRetrievalInterceptor.java Fri Nov 16 16:56:56 2012
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+import java.io.PrintWriter;
+import java.io.StringWriter;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.rs.security.saml.SAMLConstants;
+import org.apache.cxf.rs.security.saml.SamlFormOutInterceptor;
+import org.apache.cxf.rs.security.saml.SamlHeaderOutInterceptor;
+
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.SAMLParms;
+
+/**
+ * An Interceptor to "retrieve" a SAML Token, i.e. create one and set it on the message
+ * context so that the Saml*Interceptors can write it out in a particular way.
+ */
+public class SamlRetrievalInterceptor extends AbstractPhaseInterceptor<Message> {
+
+ static {
+ WSSConfig.init();
+ }
+
+ protected SamlRetrievalInterceptor() {
+ super(Phase.WRITE);
+ addBefore(SamlFormOutInterceptor.class.getName());
+ addBefore(SamlHeaderOutInterceptor.class.getName());
+ }
+
+ @Override
+ public void handleMessage(Message message) throws Fault {
+
+ // Create a SAML Token
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(new SamlCallbackHandler());
+ try {
+ AssertionWrapper assertion = new AssertionWrapper(samlParms);
+ Document doc = DOMUtils.createDocument();
+ Element token = assertion.toDOM(doc);
+ message.setContextualProperty(SAMLConstants.SAML_TOKEN_ELEMENT, token);
+ } catch (WSSecurityException ex) {
+ StringWriter sw = new StringWriter();
+ ex.printStackTrace(new PrintWriter(sw));
+ throw new Fault(new RuntimeException(ex.getMessage() + ", stacktrace: " + sw.toString()));
+ }
+
+ }
+}