You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2016/02/10 18:24:13 UTC
[3/6] cxf git commit: Renaming test
Renaming test
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/acd0e238
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/acd0e238
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/acd0e238
Branch: refs/heads/master
Commit: acd0e23863edf73600e13a0f917750ba06430cc2
Parents: a245aad
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 10 16:14:59 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 10 17:22:03 2016 +0000
----------------------------------------------------------------------
.../cxf/systest/sts/rest/RESTUnitTest.java | 866 -------------------
.../cxf/systest/sts/rest/STSRESTTest.java | 866 +++++++++++++++++++
2 files changed, 866 insertions(+), 866 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/acd0e238/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
deleted file mode 100644
index a5ff4c0..0000000
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
+++ /dev/null
@@ -1,866 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.systest.sts.rest;
-
-import java.io.IOException;
-import java.net.URL;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.List;
-
-import javax.security.auth.callback.CallbackHandler;
-import javax.ws.rs.core.Response;
-import javax.xml.bind.JAXBElement;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.bus.spring.SpringBusFactory;
-import org.apache.cxf.jaxrs.client.WebClient;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rt.security.claims.Claim;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
-import org.apache.cxf.staxutils.StaxUtils;
-import org.apache.cxf.staxutils.W3CDOMStreamWriter;
-import org.apache.cxf.systest.sts.common.SecurityTestUtil;
-import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
-import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
-import org.apache.cxf.ws.security.sts.provider.model.StatusType;
-import org.apache.cxf.ws.security.trust.STSUtils;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.crypto.CryptoFactory;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.common.util.Loader;
-import org.apache.wss4j.dom.WSDocInfo;
-import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
-import org.apache.wss4j.dom.handler.RequestData;
-import org.apache.wss4j.dom.processor.Processor;
-import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-
-/**
- * Some unit tests for the REST interface of the CXF STS.
- */
-public class RESTUnitTest extends AbstractBusClientServerTestBase {
-
- static final String STSPORT = allocatePort(STSRESTServer.class);
-
- private static final String SAML1_TOKEN_TYPE =
- "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
- private static final String SAML2_TOKEN_TYPE =
- "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
- private static final String SYMMETRIC_KEY_KEYTYPE =
- "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
- private static final String PUBLIC_KEY_KEYTYPE =
- "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
- private static final String BEARER_KEYTYPE =
- "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
- private static final String DEFAULT_ADDRESS =
- "https://localhost:8081/doubleit/services/doubleittransportsaml1";
-
- @BeforeClass
- public static void startServers() throws Exception {
- assertTrue(
- "Server failed to launch",
- // run the server in the same process
- // set this to false to fork
- launchServer(STSRESTServer.class, true)
- );
- }
-
- @org.junit.AfterClass
- public static void cleanup() throws Exception {
- SecurityTestUtil.cleanup();
- stopAllServers();
- }
-
- @org.junit.Test
- public void testIssueSAML2Token() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml2.0");
-
- Response response = client.get();
- Document assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // Process the token
- List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
-
- assertTrue(results != null && results.size() == 1);
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
- assertTrue(assertion.isSigned());
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueSAML1Token() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml1.1");
-
- Response response = client.get();
- Document assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // Process the token
- List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
-
- assertTrue(results != null && results.size() == 1);
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
- assertTrue(assertion.isSigned());
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueSymmetricKeySaml1() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml1.1");
- client.query("keyType", SYMMETRIC_KEY_KEYTYPE);
-
- Response response = client.get();
- Document assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // Process the token
- List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
-
- assertTrue(results != null && results.size() == 1);
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
- assertTrue(assertion.isSigned());
-
- List<String> methods = assertion.getConfirmationMethods();
- String confirmMethod = null;
- if (methods != null && methods.size() > 0) {
- confirmMethod = methods.get(0);
- }
- assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
- SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
- assertTrue(subjectKeyInfo.getSecret() != null);
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssuePublicKeySAML2Token() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml2.0");
- client.query("keyType", PUBLIC_KEY_KEYTYPE);
-
- Response response = client.get();
- Document assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // Process the token
- List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
-
- assertTrue(results != null && results.size() == 1);
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
- assertTrue(assertion.isSigned());
-
- List<String> methods = assertion.getConfirmationMethods();
- String confirmMethod = null;
- if (methods != null && methods.size() > 0) {
- confirmMethod = methods.get(0);
- }
- assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
- SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
- assertTrue(subjectKeyInfo.getCerts() != null);
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueBearerSAML1Token() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml1.1");
- client.query("keyType", BEARER_KEYTYPE);
-
- Response response = client.get();
- Document assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // Process the token
- List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
-
- assertTrue(results != null && results.size() == 1);
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
- assertTrue(assertion.isSigned());
-
- List<String> methods = assertion.getConfirmationMethods();
- String confirmMethod = null;
- if (methods != null && methods.size() > 0) {
- confirmMethod = methods.get(0);
- }
- assertTrue(confirmMethod.contains("bearer"));
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueSAML2TokenAppliesTo() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml2.0");
- client.query("appliesTo", DEFAULT_ADDRESS);
-
- Response response = client.get();
- Document assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // Process the token
- List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
-
- assertTrue(results != null && results.size() == 1);
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
- assertTrue(assertion.isSigned());
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueSAML2TokenUnknownAppliesTo() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml2.0");
- client.query("appliesTo", "https://localhost:8081/tripleit/");
-
- Response response = client.get();
- try {
- response.readEntity(Document.class);
- fail("Failure expected on an unknown AppliesTo address");
- } catch (Exception ex) {
- // expected
- }
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueSAML2TokenClaims() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml2.0");
-
- // First check that the role isn't usually in the generated token
-
- Response response = client.get();
- Document assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // Process the token
- List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
-
- assertTrue(results != null && results.size() == 1);
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
- assertTrue(assertion.isSigned());
-
- ClaimCollection claims = SAMLUtils.getClaims(assertion);
- assertEquals(1, claims.size());
- Claim claim = claims.get(0);
- String role = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
- assertNotEquals(claim.getClaimType().toString(), role);
-
- // Now get another token specifying the role
- client.query("claim", role);
- response = client.get();
- assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // Process the token
- results = processToken(assertionDoc.getDocumentElement());
-
- assertTrue(results != null && results.size() == 1);
- assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
- assertTrue(assertion.isSigned());
-
- claims = SAMLUtils.getClaims(assertion);
- assertEquals(1, claims.size());
- claim = claims.get(0);
- assertEquals(claim.getClaimType().toString(), role);
- assertEquals("ordinary-user", claim.getValues().get(0));
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueSAML2TokenViaWSTrust() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token/ws-trust";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml2.0");
-
- Response response = client.get();
- RequestSecurityTokenResponseType securityResponse =
- response.readEntity(RequestSecurityTokenResponseType.class);
-
- validateSAMLSecurityTokenResponse(securityResponse, true);
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueSAML2TokenViaPOST() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
-
- // Create RequestSecurityToken
- W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
- String namespace = STSUtils.WST_NS_05_12;
- writer.writeStartElement("wst", "RequestSecurityToken", namespace);
- writer.writeNamespace("wst", namespace);
-
- writer.writeStartElement("wst", "RequestType", namespace);
- writer.writeCharacters(namespace + "/Issue");
- writer.writeEndElement();
-
- writer.writeStartElement("wst", "TokenType", namespace);
- writer.writeCharacters(SAML2_TOKEN_TYPE);
- writer.writeEndElement();
-
- writer.writeEndElement();
-
- Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
-
- RequestSecurityTokenResponseType securityResponse =
- response.readEntity(RequestSecurityTokenResponseType.class);
-
- validateSAMLSecurityTokenResponse(securityResponse, true);
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testExplicitlyIssueSAML2TokenViaPOST() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.query("action", "issue");
-
- // Create RequestSecurityToken
- W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
- String namespace = STSUtils.WST_NS_05_12;
- writer.writeStartElement("wst", "RequestSecurityToken", namespace);
- writer.writeNamespace("wst", namespace);
-
- writer.writeStartElement("wst", "RequestType", namespace);
- writer.writeCharacters(namespace + "/Issue");
- writer.writeEndElement();
-
- writer.writeStartElement("wst", "TokenType", namespace);
- writer.writeCharacters(SAML2_TOKEN_TYPE);
- writer.writeEndElement();
-
- writer.writeEndElement();
-
- Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
-
- RequestSecurityTokenResponseType securityResponse =
- response.readEntity(RequestSecurityTokenResponseType.class);
-
- validateSAMLSecurityTokenResponse(securityResponse, true);
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testExplicitlyIssueSAML1TokenViaPOST() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.query("action", "issue");
-
- // Create RequestSecurityToken
- W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
- String namespace = STSUtils.WST_NS_05_12;
- writer.writeStartElement("wst", "RequestSecurityToken", namespace);
- writer.writeNamespace("wst", namespace);
-
- writer.writeStartElement("wst", "RequestType", namespace);
- writer.writeCharacters(namespace + "/Issue");
- writer.writeEndElement();
-
- writer.writeStartElement("wst", "TokenType", namespace);
- writer.writeCharacters(SAML1_TOKEN_TYPE);
- writer.writeEndElement();
-
- writer.writeEndElement();
-
- Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
-
- RequestSecurityTokenResponseType securityResponse =
- response.readEntity(RequestSecurityTokenResponseType.class);
-
- validateSAMLSecurityTokenResponse(securityResponse, false);
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testValidateSAML2Token() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.path("saml2.0");
-
- // 1. Get a token via GET
- Response response = client.get();
- Document assertionDoc = response.readEntity(Document.class);
- assertNotNull(assertionDoc);
-
- // 2. Now validate it in the STS using POST
- client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.query("action", "validate");
-
- // Create RequestSecurityToken
- W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
- String namespace = STSUtils.WST_NS_05_12;
- writer.writeStartElement("wst", "RequestSecurityToken", namespace);
- writer.writeNamespace("wst", namespace);
-
- writer.writeStartElement("wst", "RequestType", namespace);
- writer.writeCharacters(namespace + "/Validate");
- writer.writeEndElement();
-
- writer.writeStartElement("wst", "TokenType", namespace);
- String tokenType = namespace + "/RSTR/Status";
- writer.writeCharacters(tokenType);
- writer.writeEndElement();
-
- writer.writeStartElement("wst", "ValidateTarget", namespace);
- StaxUtils.copy(assertionDoc.getDocumentElement(), writer);
- writer.writeEndElement();
-
- writer.writeEndElement();
-
- response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
-
- RequestSecurityTokenResponseType securityResponse =
- response.readEntity(RequestSecurityTokenResponseType.class);
-
- StatusType status = null;
- for (Object obj : securityResponse.getAny()) {
- if (obj instanceof JAXBElement<?>) {
- JAXBElement<?> jaxbElement = (JAXBElement<?>)obj;
- if ("Status".equals(jaxbElement.getName().getLocalPart())) {
- status = (StatusType)jaxbElement.getValue();
- break;
- }
- }
- }
- assertNotNull(status);
-
- // Check the token was valid
- String validCode = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid";
- assertEquals(validCode, status.getCode());
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testRenewSAML2Token() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.query("action", "issue");
-
- // 1. Get a token via POST
-
- // Create RequestSecurityToken
- W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
- String namespace = STSUtils.WST_NS_05_12;
- writer.writeStartElement("wst", "RequestSecurityToken", namespace);
- writer.writeNamespace("wst", namespace);
-
- writer.writeStartElement("wst", "RequestType", namespace);
- writer.writeCharacters(namespace + "/Issue");
- writer.writeEndElement();
-
- writer.writeStartElement("wst", "TokenType", namespace);
- writer.writeCharacters(SAML2_TOKEN_TYPE);
- writer.writeEndElement();
-
- writer.writeEndElement();
-
- Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
-
- RequestSecurityTokenResponseType securityResponse =
- response.readEntity(RequestSecurityTokenResponseType.class);
- Element token = validateSAMLSecurityTokenResponse(securityResponse, true);
-
- // 2. Now validate it in the STS using POST
- client = WebClient.create(address, busFile.toString());
-
- client.type("application/xml").accept("application/xml");
- client.query("action", "renew");
-
- // Create RequestSecurityToken
- writer = new W3CDOMStreamWriter();
- writer.writeStartElement("wst", "RequestSecurityToken", namespace);
- writer.writeNamespace("wst", namespace);
-
- writer.writeStartElement("wst", "RequestType", namespace);
- writer.writeCharacters(namespace + "/Renew");
- writer.writeEndElement();
-
- writer.writeStartElement("wst", "RenewTarget", namespace);
- StaxUtils.copy(token, writer);
- writer.writeEndElement();
-
- writer.writeEndElement();
-
- response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
-
- securityResponse = response.readEntity(RequestSecurityTokenResponseType.class);
-
- validateSAMLSecurityTokenResponse(securityResponse, true);
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testIssueJWTToken() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/json").accept("application/json");
- client.path("jwt");
-
- Response response = client.get();
- String token = response.readEntity(String.class);
- assertNotNull(token);
-
- validateJWTToken(token, null);
- }
-
- @org.junit.Test
- public void testIssueJWTTokenAppliesTo() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/json").accept("application/json");
- client.path("jwt");
- client.query("appliesTo", DEFAULT_ADDRESS);
-
- Response response = client.get();
- String token = response.readEntity(String.class);
- assertNotNull(token);
-
- validateJWTToken(token, DEFAULT_ADDRESS);
- }
-
- @org.junit.Test
- public void testIssueJWTTokenClaims() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
- WebClient client = WebClient.create(address, busFile.toString());
-
- client.type("application/json").accept("application/json");
- client.path("jwt");
-
- // First check that the role isn't usually in the generated token
-
- Response response = client.get();
- String token = response.readEntity(String.class);
- assertNotNull(token);
-
- JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
- JwtToken jwt = jwtConsumer.getJwtToken();
-
- String role = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
- assertTrue(jwt.getClaim(role) == null);
-
- // Now get another token specifying the role
- client.query("claim", role);
-
- response = client.get();
- token = response.readEntity(String.class);
- assertNotNull(token);
-
- // Process the token
- validateJWTToken(token, null);
-
- jwtConsumer = new JwsJwtCompactConsumer(token);
- jwt = jwtConsumer.getJwtToken();
- assertEquals("ordinary-user", jwt.getClaim(role));
-
- bus.shutdown(true);
- }
-
- private Element validateSAMLSecurityTokenResponse(
- RequestSecurityTokenResponseType securityResponse, boolean saml2
- ) throws Exception {
- RequestedSecurityTokenType requestedSecurityToken = null;
- for (Object obj : securityResponse.getAny()) {
- if (obj instanceof JAXBElement<?>) {
- JAXBElement<?> jaxbElement = (JAXBElement<?>)obj;
- if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) {
- requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue();
- break;
- }
- }
- }
- assertNotNull(requestedSecurityToken);
-
- // Process the token
- List<WSSecurityEngineResult> results =
- processToken((Element)requestedSecurityToken.getAny());
-
- assertTrue(results != null && results.size() == 1);
- SamlAssertionWrapper assertion =
- (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(assertion != null);
- if (saml2) {
- assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
- } else {
- assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
- }
- assertTrue(assertion.isSigned());
-
- return (Element)results.get(0).get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
- }
-
- private List<WSSecurityEngineResult> processToken(Element assertionElement)
- throws Exception {
- RequestData requestData = new RequestData();
- requestData.setDisableBSPEnforcement(true);
- CallbackHandler callbackHandler = new org.apache.cxf.systest.sts.common.CommonCallbackHandler();
- requestData.setCallbackHandler(callbackHandler);
- Crypto crypto = CryptoFactory.getInstance("serviceKeystore.properties");
- requestData.setDecCrypto(crypto);
- requestData.setSigVerCrypto(crypto);
-
- Processor processor = new SAMLTokenProcessor();
- return processor.handleToken(
- assertionElement, requestData, new WSDocInfo(assertionElement.getOwnerDocument())
- );
- }
-
- private void validateJWTToken(String token, String audience)
- throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
- JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
- JwtToken jwt = jwtConsumer.getJwtToken();
-
- // Validate claims
- Assert.assertEquals("DoubleItSTSIssuer", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
- if (audience != null) {
- @SuppressWarnings("unchecked")
- List<String> audiences = (List<String>)jwt.getClaim(JwtConstants.CLAIM_AUDIENCE);
- assertEquals(1, audiences.size());
- Assert.assertEquals(audience, audiences.get(0));
- }
- Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
- Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
-
- KeyStore keystore = KeyStore.getInstance("JKS");
- keystore.load(Loader.getResource("servicestore.jks").openStream(), "sspass".toCharArray());
- Certificate cert = keystore.getCertificate("mystskey");
- Assert.assertNotNull(cert);
-
- Assert.assertTrue(jwtConsumer.verifySignatureWith((X509Certificate)cert,
- SignatureAlgorithm.RS256));
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/acd0e238/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
new file mode 100644
index 0000000..f9ec98c
--- /dev/null
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
@@ -0,0 +1,866 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.rest;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.ws.rs.core.Response;
+import javax.xml.bind.JAXBElement;
+import javax.xml.transform.dom.DOMSource;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rt.security.claims.Claim;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
+import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.cxf.staxutils.W3CDOMStreamWriter;
+import org.apache.cxf.systest.sts.common.SecurityTestUtil;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
+import org.apache.cxf.ws.security.sts.provider.model.StatusType;
+import org.apache.cxf.ws.security.trust.STSUtils;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.util.Loader;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.processor.Processor;
+import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * Some tests for the REST interface of the CXF STS.
+ */
+public class STSRESTTest extends AbstractBusClientServerTestBase {
+
+ static final String STSPORT = allocatePort(STSRESTServer.class);
+
+ private static final String SAML1_TOKEN_TYPE =
+ "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
+ private static final String SAML2_TOKEN_TYPE =
+ "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
+ private static final String SYMMETRIC_KEY_KEYTYPE =
+ "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
+ private static final String PUBLIC_KEY_KEYTYPE =
+ "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
+ private static final String BEARER_KEYTYPE =
+ "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
+ private static final String DEFAULT_ADDRESS =
+ "https://localhost:8081/doubleit/services/doubleittransportsaml1";
+
+ @BeforeClass
+ public static void startServers() throws Exception {
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(STSRESTServer.class, true)
+ );
+ }
+
+ @org.junit.AfterClass
+ public static void cleanup() throws Exception {
+ SecurityTestUtil.cleanup();
+ stopAllServers();
+ }
+
+ @org.junit.Test
+ public void testIssueSAML2Token() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml2.0");
+
+ Response response = client.get();
+ Document assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // Process the token
+ List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
+
+ assertTrue(results != null && results.size() == 1);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
+ assertTrue(assertion.isSigned());
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueSAML1Token() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml1.1");
+
+ Response response = client.get();
+ Document assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // Process the token
+ List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
+
+ assertTrue(results != null && results.size() == 1);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
+ assertTrue(assertion.isSigned());
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueSymmetricKeySaml1() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml1.1");
+ client.query("keyType", SYMMETRIC_KEY_KEYTYPE);
+
+ Response response = client.get();
+ Document assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // Process the token
+ List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
+
+ assertTrue(results != null && results.size() == 1);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
+ assertTrue(assertion.isSigned());
+
+ List<String> methods = assertion.getConfirmationMethods();
+ String confirmMethod = null;
+ if (methods != null && methods.size() > 0) {
+ confirmMethod = methods.get(0);
+ }
+ assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
+ SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
+ assertTrue(subjectKeyInfo.getSecret() != null);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssuePublicKeySAML2Token() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml2.0");
+ client.query("keyType", PUBLIC_KEY_KEYTYPE);
+
+ Response response = client.get();
+ Document assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // Process the token
+ List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
+
+ assertTrue(results != null && results.size() == 1);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
+ assertTrue(assertion.isSigned());
+
+ List<String> methods = assertion.getConfirmationMethods();
+ String confirmMethod = null;
+ if (methods != null && methods.size() > 0) {
+ confirmMethod = methods.get(0);
+ }
+ assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
+ SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
+ assertTrue(subjectKeyInfo.getCerts() != null);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueBearerSAML1Token() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml1.1");
+ client.query("keyType", BEARER_KEYTYPE);
+
+ Response response = client.get();
+ Document assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // Process the token
+ List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
+
+ assertTrue(results != null && results.size() == 1);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
+ assertTrue(assertion.isSigned());
+
+ List<String> methods = assertion.getConfirmationMethods();
+ String confirmMethod = null;
+ if (methods != null && methods.size() > 0) {
+ confirmMethod = methods.get(0);
+ }
+ assertTrue(confirmMethod.contains("bearer"));
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueSAML2TokenAppliesTo() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml2.0");
+ client.query("appliesTo", DEFAULT_ADDRESS);
+
+ Response response = client.get();
+ Document assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // Process the token
+ List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
+
+ assertTrue(results != null && results.size() == 1);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
+ assertTrue(assertion.isSigned());
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueSAML2TokenUnknownAppliesTo() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml2.0");
+ client.query("appliesTo", "https://localhost:8081/tripleit/");
+
+ Response response = client.get();
+ try {
+ response.readEntity(Document.class);
+ fail("Failure expected on an unknown AppliesTo address");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueSAML2TokenClaims() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml2.0");
+
+ // First check that the role isn't usually in the generated token
+
+ Response response = client.get();
+ Document assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // Process the token
+ List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
+
+ assertTrue(results != null && results.size() == 1);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
+ assertTrue(assertion.isSigned());
+
+ ClaimCollection claims = SAMLUtils.getClaims(assertion);
+ assertEquals(1, claims.size());
+ Claim claim = claims.get(0);
+ String role = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
+ assertNotEquals(claim.getClaimType().toString(), role);
+
+ // Now get another token specifying the role
+ client.query("claim", role);
+ response = client.get();
+ assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // Process the token
+ results = processToken(assertionDoc.getDocumentElement());
+
+ assertTrue(results != null && results.size() == 1);
+ assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
+ assertTrue(assertion.isSigned());
+
+ claims = SAMLUtils.getClaims(assertion);
+ assertEquals(1, claims.size());
+ claim = claims.get(0);
+ assertEquals(claim.getClaimType().toString(), role);
+ assertEquals("ordinary-user", claim.getValues().get(0));
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueSAML2TokenViaWSTrust() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token/ws-trust";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml2.0");
+
+ Response response = client.get();
+ RequestSecurityTokenResponseType securityResponse =
+ response.readEntity(RequestSecurityTokenResponseType.class);
+
+ validateSAMLSecurityTokenResponse(securityResponse, true);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueSAML2TokenViaPOST() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+
+ // Create RequestSecurityToken
+ W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+ String namespace = STSUtils.WST_NS_05_12;
+ writer.writeStartElement("wst", "RequestSecurityToken", namespace);
+ writer.writeNamespace("wst", namespace);
+
+ writer.writeStartElement("wst", "RequestType", namespace);
+ writer.writeCharacters(namespace + "/Issue");
+ writer.writeEndElement();
+
+ writer.writeStartElement("wst", "TokenType", namespace);
+ writer.writeCharacters(SAML2_TOKEN_TYPE);
+ writer.writeEndElement();
+
+ writer.writeEndElement();
+
+ Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
+
+ RequestSecurityTokenResponseType securityResponse =
+ response.readEntity(RequestSecurityTokenResponseType.class);
+
+ validateSAMLSecurityTokenResponse(securityResponse, true);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testExplicitlyIssueSAML2TokenViaPOST() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.query("action", "issue");
+
+ // Create RequestSecurityToken
+ W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+ String namespace = STSUtils.WST_NS_05_12;
+ writer.writeStartElement("wst", "RequestSecurityToken", namespace);
+ writer.writeNamespace("wst", namespace);
+
+ writer.writeStartElement("wst", "RequestType", namespace);
+ writer.writeCharacters(namespace + "/Issue");
+ writer.writeEndElement();
+
+ writer.writeStartElement("wst", "TokenType", namespace);
+ writer.writeCharacters(SAML2_TOKEN_TYPE);
+ writer.writeEndElement();
+
+ writer.writeEndElement();
+
+ Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
+
+ RequestSecurityTokenResponseType securityResponse =
+ response.readEntity(RequestSecurityTokenResponseType.class);
+
+ validateSAMLSecurityTokenResponse(securityResponse, true);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testExplicitlyIssueSAML1TokenViaPOST() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.query("action", "issue");
+
+ // Create RequestSecurityToken
+ W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+ String namespace = STSUtils.WST_NS_05_12;
+ writer.writeStartElement("wst", "RequestSecurityToken", namespace);
+ writer.writeNamespace("wst", namespace);
+
+ writer.writeStartElement("wst", "RequestType", namespace);
+ writer.writeCharacters(namespace + "/Issue");
+ writer.writeEndElement();
+
+ writer.writeStartElement("wst", "TokenType", namespace);
+ writer.writeCharacters(SAML1_TOKEN_TYPE);
+ writer.writeEndElement();
+
+ writer.writeEndElement();
+
+ Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
+
+ RequestSecurityTokenResponseType securityResponse =
+ response.readEntity(RequestSecurityTokenResponseType.class);
+
+ validateSAMLSecurityTokenResponse(securityResponse, false);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testValidateSAML2Token() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.path("saml2.0");
+
+ // 1. Get a token via GET
+ Response response = client.get();
+ Document assertionDoc = response.readEntity(Document.class);
+ assertNotNull(assertionDoc);
+
+ // 2. Now validate it in the STS using POST
+ client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.query("action", "validate");
+
+ // Create RequestSecurityToken
+ W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+ String namespace = STSUtils.WST_NS_05_12;
+ writer.writeStartElement("wst", "RequestSecurityToken", namespace);
+ writer.writeNamespace("wst", namespace);
+
+ writer.writeStartElement("wst", "RequestType", namespace);
+ writer.writeCharacters(namespace + "/Validate");
+ writer.writeEndElement();
+
+ writer.writeStartElement("wst", "TokenType", namespace);
+ String tokenType = namespace + "/RSTR/Status";
+ writer.writeCharacters(tokenType);
+ writer.writeEndElement();
+
+ writer.writeStartElement("wst", "ValidateTarget", namespace);
+ StaxUtils.copy(assertionDoc.getDocumentElement(), writer);
+ writer.writeEndElement();
+
+ writer.writeEndElement();
+
+ response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
+
+ RequestSecurityTokenResponseType securityResponse =
+ response.readEntity(RequestSecurityTokenResponseType.class);
+
+ StatusType status = null;
+ for (Object obj : securityResponse.getAny()) {
+ if (obj instanceof JAXBElement<?>) {
+ JAXBElement<?> jaxbElement = (JAXBElement<?>)obj;
+ if ("Status".equals(jaxbElement.getName().getLocalPart())) {
+ status = (StatusType)jaxbElement.getValue();
+ break;
+ }
+ }
+ }
+ assertNotNull(status);
+
+ // Check the token was valid
+ String validCode = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid";
+ assertEquals(validCode, status.getCode());
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testRenewSAML2Token() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.query("action", "issue");
+
+ // 1. Get a token via POST
+
+ // Create RequestSecurityToken
+ W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+ String namespace = STSUtils.WST_NS_05_12;
+ writer.writeStartElement("wst", "RequestSecurityToken", namespace);
+ writer.writeNamespace("wst", namespace);
+
+ writer.writeStartElement("wst", "RequestType", namespace);
+ writer.writeCharacters(namespace + "/Issue");
+ writer.writeEndElement();
+
+ writer.writeStartElement("wst", "TokenType", namespace);
+ writer.writeCharacters(SAML2_TOKEN_TYPE);
+ writer.writeEndElement();
+
+ writer.writeEndElement();
+
+ Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
+
+ RequestSecurityTokenResponseType securityResponse =
+ response.readEntity(RequestSecurityTokenResponseType.class);
+ Element token = validateSAMLSecurityTokenResponse(securityResponse, true);
+
+ // 2. Now validate it in the STS using POST
+ client = WebClient.create(address, busFile.toString());
+
+ client.type("application/xml").accept("application/xml");
+ client.query("action", "renew");
+
+ // Create RequestSecurityToken
+ writer = new W3CDOMStreamWriter();
+ writer.writeStartElement("wst", "RequestSecurityToken", namespace);
+ writer.writeNamespace("wst", namespace);
+
+ writer.writeStartElement("wst", "RequestType", namespace);
+ writer.writeCharacters(namespace + "/Renew");
+ writer.writeEndElement();
+
+ writer.writeStartElement("wst", "RenewTarget", namespace);
+ StaxUtils.copy(token, writer);
+ writer.writeEndElement();
+
+ writer.writeEndElement();
+
+ response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
+
+ securityResponse = response.readEntity(RequestSecurityTokenResponseType.class);
+
+ validateSAMLSecurityTokenResponse(securityResponse, true);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testIssueJWTToken() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/json").accept("application/json");
+ client.path("jwt");
+
+ Response response = client.get();
+ String token = response.readEntity(String.class);
+ assertNotNull(token);
+
+ validateJWTToken(token, null);
+ }
+
+ @org.junit.Test
+ public void testIssueJWTTokenAppliesTo() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/json").accept("application/json");
+ client.path("jwt");
+ client.query("appliesTo", DEFAULT_ADDRESS);
+
+ Response response = client.get();
+ String token = response.readEntity(String.class);
+ assertNotNull(token);
+
+ validateJWTToken(token, DEFAULT_ADDRESS);
+ }
+
+ @org.junit.Test
+ public void testIssueJWTTokenClaims() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+ WebClient client = WebClient.create(address, busFile.toString());
+
+ client.type("application/json").accept("application/json");
+ client.path("jwt");
+
+ // First check that the role isn't usually in the generated token
+
+ Response response = client.get();
+ String token = response.readEntity(String.class);
+ assertNotNull(token);
+
+ JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+ JwtToken jwt = jwtConsumer.getJwtToken();
+
+ String role = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
+ assertTrue(jwt.getClaim(role) == null);
+
+ // Now get another token specifying the role
+ client.query("claim", role);
+
+ response = client.get();
+ token = response.readEntity(String.class);
+ assertNotNull(token);
+
+ // Process the token
+ validateJWTToken(token, null);
+
+ jwtConsumer = new JwsJwtCompactConsumer(token);
+ jwt = jwtConsumer.getJwtToken();
+ assertEquals("ordinary-user", jwt.getClaim(role));
+
+ bus.shutdown(true);
+ }
+
+ private Element validateSAMLSecurityTokenResponse(
+ RequestSecurityTokenResponseType securityResponse, boolean saml2
+ ) throws Exception {
+ RequestedSecurityTokenType requestedSecurityToken = null;
+ for (Object obj : securityResponse.getAny()) {
+ if (obj instanceof JAXBElement<?>) {
+ JAXBElement<?> jaxbElement = (JAXBElement<?>)obj;
+ if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) {
+ requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue();
+ break;
+ }
+ }
+ }
+ assertNotNull(requestedSecurityToken);
+
+ // Process the token
+ List<WSSecurityEngineResult> results =
+ processToken((Element)requestedSecurityToken.getAny());
+
+ assertTrue(results != null && results.size() == 1);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ if (saml2) {
+ assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
+ } else {
+ assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
+ }
+ assertTrue(assertion.isSigned());
+
+ return (Element)results.get(0).get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ }
+
+ private List<WSSecurityEngineResult> processToken(Element assertionElement)
+ throws Exception {
+ RequestData requestData = new RequestData();
+ requestData.setDisableBSPEnforcement(true);
+ CallbackHandler callbackHandler = new org.apache.cxf.systest.sts.common.CommonCallbackHandler();
+ requestData.setCallbackHandler(callbackHandler);
+ Crypto crypto = CryptoFactory.getInstance("serviceKeystore.properties");
+ requestData.setDecCrypto(crypto);
+ requestData.setSigVerCrypto(crypto);
+
+ Processor processor = new SAMLTokenProcessor();
+ return processor.handleToken(
+ assertionElement, requestData, new WSDocInfo(assertionElement.getOwnerDocument())
+ );
+ }
+
+ private void validateJWTToken(String token, String audience)
+ throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+ JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+ JwtToken jwt = jwtConsumer.getJwtToken();
+
+ // Validate claims
+ Assert.assertEquals("DoubleItSTSIssuer", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
+ if (audience != null) {
+ @SuppressWarnings("unchecked")
+ List<String> audiences = (List<String>)jwt.getClaim(JwtConstants.CLAIM_AUDIENCE);
+ assertEquals(1, audiences.size());
+ Assert.assertEquals(audience, audiences.get(0));
+ }
+ Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
+ Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
+
+ KeyStore keystore = KeyStore.getInstance("JKS");
+ keystore.load(Loader.getResource("servicestore.jks").openStream(), "sspass".toCharArray());
+ Certificate cert = keystore.getCertificate("mystskey");
+ Assert.assertNotNull(cert);
+
+ Assert.assertTrue(jwtConsumer.verifySignatureWith((X509Certificate)cert,
+ SignatureAlgorithm.RS256));
+ }
+
+}