Posted to commits@cxf.apache.org by co...@apache.org on 2012/04/12 01:21:02 UTC
svn commit: r1325061 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/
services/sts/sts-core/src/main/java/org/apache/cxf/sts/
services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/
services/sts/sts-core/src/mai...
Author: coheigea
Date: Wed Apr 11 23:21:01 2012
New Revision: 1325061
URL: http://svn.apache.org/viewvc?rev=1325061&view=rev
Log:
Added support for wst:Renewing semantics in the STS & STSClient
Added:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java Wed Apr 11 23:21:01 2012
@@ -165,6 +165,8 @@ public class STSClient implements Config
protected boolean isSpnego;
protected boolean enableLifetime;
protected int ttl = 300;
+ protected boolean allowRenewing = true;
+ protected boolean allowRenewingAfterExpiry;
protected Object actAs;
protected String tokenType;
@@ -292,6 +294,22 @@ public class STSClient implements Config
this.isSpnego = spnego;
}
+ public boolean isAllowRenewing() {
+ return allowRenewing;
+ }
+
+ public void setAllowRenewing(boolean allowRenewing) {
+ this.allowRenewing = allowRenewing;
+ }
+
+ public boolean isAllowRenewingAfterExpiry() {
+ return allowRenewingAfterExpiry;
+ }
+
+ public void setAllowRenewingAfterExpiry(boolean allowRenewingAfterExpiry) {
+ this.allowRenewingAfterExpiry = allowRenewingAfterExpiry;
+ }
+
public boolean isEnableAppliesTo() {
return enableAppliesTo;
}
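Review bot: The four new public accessors on STSClient carry no Javadoc, and the only place their meaning is spelled out is the element-writing code further down in the same file, where `allowRenewing` maps to `wst:Renewing/@Allow` and `allowRenewingAfterExpiry` to `wst:Renewing/@OK`. A one-line Javadoc on each setter would save readers that trip: `/** Whether the issued token may be renewed at all; written as wst:Renewing/@Allow. Default true. */` for setAllowRenewing, and `/** Whether the token may be renewed after it has expired; written as wst:Renewing/@OK. Default false. */` for setAllowRenewingAfterExpiry. Since these are user-facing configuration properties on a widely used client, the defaults in particular should be stated.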
@@ -581,16 +599,12 @@ public class STSClient implements Config
if (isSecureConv) {
action = namespace + "/RST/SCT";
}
- return requestSecurityToken(appliesTo, action, "/Issue", null, binaryExchange);
+ return requestSecurityToken(appliesTo, action, "/Issue", binaryExchange);
}
- public SecurityToken requestSecurityToken(String appliesTo, String action, String requestType,
- SecurityToken target) throws Exception {
- return requestSecurityToken(appliesTo, action, requestType, target, null);
- }
-
- public SecurityToken requestSecurityToken(String appliesTo, String action, String requestType,
- SecurityToken target, String binaryExchange) throws Exception {
+ public SecurityToken requestSecurityToken(
+ String appliesTo, String action, String requestType, String binaryExchange
+ ) throws Exception {
createClient();
BindingOperationInfo boi = findOperation("/RST/Issue");
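Review bot: The surviving four-argument `requestSecurityToken` overload keeps the same arity but changes the type of its last parameter from `SecurityToken target` to `String binaryExchange`, so this is a source-incompatible change to a public method rather than a removal plus an addition. External callers that passed a SecurityToken will no longer compile, and callers that passed `null` as the target will still compile but now bind `null` to binaryExchange; the behaviour is equivalent here, yet it is a silent re-interpretation. If renewal requests are meant to go through a dedicated renew method elsewhere in STSClient (not visible in this hunk), consider keeping a deprecated `@Deprecated` shim with the old signature for one release, or at least note the change in the method Javadoc. The body of requestSecurityToken continues past the end of this hunk.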
@@ -682,13 +696,6 @@ public class STSClient implements Config
addKeySize(keySize, writer);
}
- if (target != null) {
- writer.writeStartElement("wst", "RenewTarget", namespace);
- client.getRequestContext().put(SecurityConstants.TOKEN, target);
- StaxUtils.copy(target.getToken(), writer);
- writer.writeEndElement();
- }
-
if (binaryExchange != null) {
addBinaryExchange(binaryExchange, writer);
}
@@ -700,6 +707,16 @@ public class STSClient implements Config
writer.writeEndElement();
}
+ // Write out renewal semantics
+ writer.writeStartElement("wst", "Renewing", namespace);
+ if (!allowRenewing) {
+ writer.writeAttribute(null, "Allow", "false");
+ }
+ if (allowRenewing && allowRenewingAfterExpiry) {
+ writer.writeAttribute(null, "OK", "true");
+ }
+ writer.writeEndElement();
+
writer.writeEndElement();
Object obj[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
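Review bot: The attribute-writing logic is correct but its asymmetry is not self-explanatory: `Allow` is written only when false, `OK` only when true and only if `Allow` is true, which relies on the reader knowing the WS-Trust 1.3 defaults (`Allow` defaults to true, `OK` to false). Replace the bare `// Write out renewal semantics` with something that states the rule, e.g. `// wst:Renewing: only non-default values are written (WS-Trust defaults Allow=true, OK=false); OK is meaningless when renewal is disallowed`. Note also that the element is now emitted on every request built by this method, including the SCT case selected a few hunks above; that appears intentional but is worth a word in the same comment.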
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java Wed Apr 11 23:21:01 2012
@@ -58,6 +58,8 @@ public final class QNameConstants {
WS_TRUST_FACTORY.createRequestType("").getName();
public static final QName CLAIMS =
WS_TRUST_FACTORY.createClaims(null).getName();
+ public static final QName RENEWING =
+ WS_TRUST_FACTORY.createRenewing(null).getName();
//
// Key Requirement QNames
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java Wed Apr 11 23:21:01 2012
@@ -129,6 +129,19 @@ public final class STSConstants {
*/
public static final String TOKEN_REALM = "org.apache.cxf.sts.token.realm";
+ /**
+ * Constant to store whether the token is allowed to be renewed or not in the cached Security
+ * Token properties.
+ */
+ public static final String TOKEN_RENEWING_ALLOW = "org.apache.cxf.sts.token.renewing.allow";
+
+ /**
+ * Constant to store whether the token is allowed to be renewed after it has expired or not
+ * in the cached Security Token properties.
+ */
+ public static final String TOKEN_RENEWING_ALLOW_AFTER_EXPIRY =
+ "org.apache.cxf.sts.token.renewing.allow.after.expiry";
+
private STSConstants() {
// complete
}
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java Wed Apr 11 23:21:01 2012
@@ -62,15 +62,6 @@ public class TokenRenewOperation extends
private static final Logger LOG = LogUtils.getL7dLogger(TokenRenewOperation.class);
private List<TokenRenewer> tokenRenewers = new ArrayList<TokenRenewer>();
- private boolean allowRenewalBeforeExpiry;
-
- public boolean isAllowRenewalBeforeExpiry() {
- return allowRenewalBeforeExpiry;
- }
-
- public void setAllowRenewalBeforeExpiry(boolean allowRenewalBeforeExpiry) {
- this.allowRenewalBeforeExpiry = allowRenewalBeforeExpiry;
- }
public void setTokenRenewers(List<TokenRenewer> tokenRenewerList) {
this.tokenRenewers = tokenRenewerList;
@@ -129,10 +120,10 @@ public class TokenRenewOperation extends
);
}
- // Reject a non-expired token (valid or invalid) by default
+ // Reject an invalid token
if (tokenResponse.getToken().getState() != STATE.EXPIRED
- && !(allowRenewalBeforeExpiry && tokenResponse.getToken().getState() == STATE.VALID)) {
- LOG.fine("The token is not expired, and so it cannot be renewed");
+ && tokenResponse.getToken().getState() != STATE.VALID) {
+ LOG.fine("The token is not valid or expired, and so it cannot be renewed");
throw new STSException(
"No Token Validator has been found that can handle this token"
+ tokenRequirements.getTokenType(),
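Review bot: The exception text thrown on the new condition no longer matches what is being checked: the guard now rejects a token whose state is neither EXPIRED nor VALID, but the STSException still says "No Token Validator has been found that can handle this token", which describes a different failure and will mislead whoever reads the fault. Align it with the updated log line, e.g. `"The token to be renewed is neither valid nor expired: "` followed by the token type (the existing concatenation is also missing a separating space before the token type). A rejected renewal is also arguably worth more than `LOG.fine`, since it is the kind of event an operator would want to see. The enclosing method continues past the end of this hunk.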
Added: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java?rev=1325061&view=auto
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java (added)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java Wed Apr 11 23:21:01 2012
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.request;
+
+/**
+ * This class contains values that have been extracted from an Renewing structure.
+ */
+public class Renewing {
+ private boolean allowRenewing = true;
+ private boolean allowRenewingAfterExpiry;
+
+ public boolean isAllowRenewing() {
+ return allowRenewing;
+ }
+
+ public void setAllowRenewing(boolean allowRenewing) {
+ this.allowRenewing = allowRenewing;
+ }
+
+ public boolean isAllowRenewingAfterExpiry() {
+ return allowRenewingAfterExpiry;
+ }
+
+ public void setAllowRenewingAfterExpiry(boolean allowRenewingAfterExpiry) {
+ this.allowRenewingAfterExpiry = allowRenewingAfterExpiry;
+ }
+}
\ No newline at end of file
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java Wed Apr 11 23:21:01 2012
@@ -64,6 +64,7 @@ import org.apache.cxf.ws.security.sts.pr
import org.apache.cxf.ws.security.sts.provider.model.LifetimeType;
import org.apache.cxf.ws.security.sts.provider.model.OnBehalfOfType;
import org.apache.cxf.ws.security.sts.provider.model.RenewTargetType;
+import org.apache.cxf.ws.security.sts.provider.model.RenewingType;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
import org.apache.cxf.ws.security.sts.provider.model.UseKeyType;
import org.apache.cxf.ws.security.sts.provider.model.ValidateTargetType;
@@ -108,16 +109,24 @@ public class RequestParser {
// JAXB types
if (requestObject instanceof JAXBElement<?>) {
JAXBElement<?> jaxbElement = (JAXBElement<?>) requestObject;
- boolean found =
- parseTokenRequirements(jaxbElement, tokenRequirements, wsContext, claimsParsers);
- if (!found) {
- found = parseKeyRequirements(jaxbElement, keyRequirements, wsContext, stsProperties);
- }
- if (!found) {
- LOG.log(Level.WARNING, "Found a JAXB object of unknown type: " + jaxbElement.getName());
- throw new STSException(
- "An unknown element was received", STSException.BAD_REQUEST
- );
+ try {
+ boolean found =
+ parseTokenRequirements(jaxbElement, tokenRequirements, wsContext, claimsParsers);
+ if (!found) {
+ found = parseKeyRequirements(jaxbElement, keyRequirements, wsContext, stsProperties);
+ }
+ if (!found) {
+ LOG.log(Level.WARNING, "Found a JAXB object of unknown type: " + jaxbElement.getName());
+ throw new STSException(
+ "An unknown element was received", STSException.BAD_REQUEST
+ );
+ }
+ } catch (STSException ex) {
+ LOG.log(Level.WARNING, "", ex);
+ throw ex;
+ } catch (RuntimeException ex) {
+ LOG.log(Level.WARNING, "", ex);
+ throw ex;
}
// SecondaryParameters/AppliesTo
} else if (requestObject instanceof Element) {
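Review bot: The two catch blocks added around the JAXB parsing are byte-identical and log with an empty message, `LOG.log(Level.WARNING, "", ex)`, which produces warnings with no context about what was being parsed. If STSException is a RuntimeException (its use without a throws clause here suggests so), the first catch is redundant and a single `catch (RuntimeException ex) { LOG.log(Level.WARNING, "Error parsing request element " + jaxbElement.getName(), ex); throw ex; }` covers both. Consider as well that this path is reached for any malformed client request, so logging a full stack trace at WARNING per request is a log-volume concern; logging the element name and exception message at WARNING with the trace at FINE would be gentler.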
@@ -280,6 +289,17 @@ public class RequestParser {
RequestClaimCollection requestedClaims = parseClaims(claimsType, claimsParsers);
tokenRequirements.setClaims(requestedClaims);
LOG.fine("Found Claims token");
+ } else if (QNameConstants.RENEWING.equals(jaxbElement.getName())) {
+ RenewingType renewingType = (RenewingType)jaxbElement.getValue();
+ Renewing renewing = new Renewing();
+ if (renewingType.isAllow() != null) {
+ renewing.setAllowRenewing(renewingType.isAllow());
+ }
+ if (renewingType.isOK() != null) {
+ renewing.setAllowRenewingAfterExpiry(renewingType.isOK());
+ }
+ tokenRequirements.setRenewing(renewing);
+ LOG.fine("Found Renewing token");
} else {
return false;
}
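Review bot: The mapping from the JAXB RenewingType to the Renewing object is correct but the two attributes are opaque without the WS-Trust context, and the log line `"Found Renewing token"` is inaccurate since Renewing is a request parameter, not a token. Add a comment above the new branch such as `// wst:Renewing: @Allow states whether the token may be renewed at all, @OK whether it may be renewed after expiry; absent attributes keep the Renewing defaults (true / false)`, and change the log text to `LOG.fine("Found Renewing element");`. The null checks on `isAllow()` and `isOK()` are what make the defaults apply, so the comment should say that explicitly.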
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java Wed Apr 11 23:21:01 2012
@@ -37,7 +37,16 @@ public class TokenRequirements {
private ReceivedToken renewTarget;
private Lifetime lifetime;
private RequestClaimCollection claims;
+ private Renewing renewing;
+ public Renewing getRenewing() {
+ return renewing;
+ }
+
+ public void setRenewing(Renewing renewing) {
+ this.renewing = renewing;
+ }
+
public String getTokenType() {
return tokenType;
}
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java Wed Apr 11 23:21:01 2012
@@ -40,6 +40,7 @@ import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.SignatureProperties;
import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.Renewing;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.token.realm.SAMLRealm;
import org.apache.cxf.ws.security.sts.provider.STSException;
@@ -135,14 +136,32 @@ public class SAMLTokenProvider implement
SecurityToken securityToken = new SecurityToken(assertion.getId(), null, expires);
securityToken.setToken(token);
securityToken.setPrincipal(tokenParameters.getPrincipal());
+
+ Properties props = securityToken.getProperties();
+ if (props == null) {
+ props = new Properties();
+ }
+ securityToken.setProperties(props);
if (tokenParameters.getRealm() != null) {
- Properties props = securityToken.getProperties();
- if (props == null) {
- props = new Properties();
- }
props.setProperty(STSConstants.TOKEN_REALM, tokenParameters.getRealm());
- securityToken.setProperties(props);
}
+
+ // Handle Renewing logic
+ Renewing renewing = tokenParameters.getTokenRequirements().getRenewing();
+ if (renewing != null) {
+ props.put(
+ STSConstants.TOKEN_RENEWING_ALLOW,
+ String.valueOf(renewing.isAllowRenewing())
+ );
+ props.put(
+ STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY,
+ String.valueOf(renewing.isAllowRenewingAfterExpiry())
+ );
+ } else {
+ props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, "true");
+ props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, "false");
+ }
+
int hash = Arrays.hashCode(signatureValue);
securityToken.setTokenHash(hash);
String identifier = Integer.toString(hash);
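Review bot: The renewing block mixes `props.put(...)` in the non-null branch with `props.setProperty(...)` in the else branch, and duplicates the default values that the Renewing class already declares (allowRenewing = true, allowRenewingAfterExpiry = false); the same block is copied verbatim into SCTProvider in the later hunk. Falling back to `new Renewing()` collapses the two branches and keeps the defaults in one place, and using `setProperty` throughout keeps the Properties string-typed. It is also worth a comment that these two properties record what the client asked for in the RST and that the server-side decision is made by the renewer when the token is presented again, so a reader does not mistake this for policy enforcement.
```java
// Record the client's wst:Renewing request with the token; the renewer enforces policy at renewal time.
Renewing renewing = tokenParameters.getTokenRequirements().getRenewing();
if (renewing == null) {
    renewing = new Renewing(); // WS-Trust defaults: Allow=true, OK=false
}
props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, String.valueOf(renewing.isAllowRenewing()));
props.setProperty(
    STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY,
    String.valueOf(renewing.isAllowRenewingAfterExpiry())
);
// … unchanged: token hash and identifier …
```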
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java Wed Apr 11 23:21:01 2012
@@ -29,6 +29,7 @@ import org.w3c.dom.Document;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.request.Renewing;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -141,14 +142,32 @@ public class SCTProvider implements Toke
SecurityToken token = new SecurityToken(sct.getIdentifier(), null, expires);
token.setSecret(keyHandler.getSecret());
token.setPrincipal(tokenParameters.getPrincipal());
+
+ Properties props = token.getProperties();
+ if (props == null) {
+ props = new Properties();
+ }
+ token.setProperties(props);
if (tokenParameters.getRealm() != null) {
- Properties props = token.getProperties();
- if (props == null) {
- props = new Properties();
- }
props.setProperty(STSConstants.TOKEN_REALM, tokenParameters.getRealm());
- token.setProperties(props);
}
+
+ // Handle Renewing logic
+ Renewing renewing = tokenParameters.getTokenRequirements().getRenewing();
+ if (renewing != null) {
+ props.put(
+ STSConstants.TOKEN_RENEWING_ALLOW,
+ String.valueOf(renewing.isAllowRenewing())
+ );
+ props.put(
+ STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY,
+ String.valueOf(renewing.isAllowRenewingAfterExpiry())
+ );
+ } else {
+ props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, "true");
+ props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, "false");
+ }
+
tokenParameters.getTokenStore().add(token);
// Create the references
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java Wed Apr 11 23:21:01 2012
@@ -87,6 +87,7 @@ public class SAMLTokenRenewer implements
private long maxExpiry = DEFAULT_MAX_EXPIRY;
// boolean to enable/disable the check of proof of possession
private boolean verifyProofOfPossession = true;
+ private boolean allowRenewalAfterExpiry;
/**
* Return true if this TokenRenewer implementation is able to renew a token.
@@ -123,6 +124,20 @@ public class SAMLTokenRenewer implements
}
/**
+ * Get whether we allow renewal after expiry. The default is false.
+ */
+ public boolean isAllowRenewalAfterExpiry() {
+ return allowRenewalAfterExpiry;
+ }
+
+ /**
+ * Set whether we allow renewal after expiry. The default is false.
+ */
+ public void setAllowRenewalAfterExpiry(boolean allowRenewalAfterExpiry) {
+ this.allowRenewalAfterExpiry = allowRenewalAfterExpiry;
+ }
+
+ /**
* Set a new value (in seconds) for how long a token is allowed to be expired for before renewal.
* The default is 30 minutes.
*/
@@ -152,15 +167,33 @@ public class SAMLTokenRenewer implements
);
}
+ TokenStore tokenStore = tokenParameters.getTokenStore();
+ if (tokenStore == null) {
+ LOG.log(Level.FINE, "A cache must be configured to use the SAMLTokenRenewer");
+ throw new STSException("Can't renew SAML assertion", STSException.REQUEST_FAILED);
+ }
+
try {
AssertionWrapper assertion = new AssertionWrapper((Element)tokenToRenew.getToken());
- validateAssertion(assertion, tokenToRenew, tokenParameters);
+ byte[] oldSignature = assertion.getSignatureValue();
+ // Remove the previous token (now expired) from the cache
+ int hash = Arrays.hashCode(oldSignature);
+ SecurityToken cachedToken = tokenStore.getToken(Integer.toString(hash));
+ if (cachedToken == null) {
+ LOG.log(Level.FINE, "The token to be renewed must be stored in the cache");
+ throw new STSException("Can't renew SAML assertion", STSException.REQUEST_FAILED);
+ }
+
+ // Validate the Assertion
+ validateAssertion(assertion, tokenToRenew, cachedToken, tokenParameters);
+
+ String oldId = createNewId(assertion);
+ tokenStore.remove(oldId);
+ tokenStore.remove(Integer.toString(hash));
// Create new Conditions & sign the Assertion
- byte[] oldSignature = assertion.getSignatureValue();
createNewConditions(assertion, tokenParameters);
- String oldId = createNewId(assertion);
signAssertion(assertion, tokenParameters);
Document doc = DOMUtils.createDocument();
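Review bot: The cache lookup establishes only that some token is stored under `Integer.toString(Arrays.hashCode(oldSignature))`, not that the stored entry is the assertion being presented; a 32-bit `Arrays.hashCode` of the signature bytes is a convenient key but not a unique identifier, and from this commit on the cached entry's properties decide whether renewal is permitted. Before passing `cachedToken` to validateAssertion, confirm the entry matches the presented assertion with whatever identity the SecurityToken retains, e.g. `if (cachedToken.getTokenHash() != hash || !assertion.getId().equals(cachedToken.getId())) { throw new STSException("Can't renew SAML assertion", STSException.REQUEST_FAILED); }` (exact accessors to be checked against SecurityToken, which is outside this hunk). Separately, the missing-TokenStore case is a deployment error rather than a bad request and is probably better logged at WARNING than FINE. The renew method continues beyond this hunk.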
@@ -172,17 +205,9 @@ public class SAMLTokenRenewer implements
}
doc.appendChild(token);
- // Remove the previous token (now expired) from the cache
- if (tokenParameters.getTokenStore() != null) {
- tokenParameters.getTokenStore().remove(oldId);
- int hash = Arrays.hashCode(oldSignature);
- tokenParameters.getTokenStore().remove(Integer.toString(hash));
- }
-
// Cache the token
- String realm = tokenParameters.getRealm();
storeTokenInCache(
- tokenParameters.getTokenStore(), assertion, tokenParameters.getPrincipal(), realm
+ tokenStore, assertion, tokenParameters.getPrincipal(), tokenParameters.getRealm()
);
response.setToken(token);
@@ -257,10 +282,37 @@ public class SAMLTokenRenewer implements
private void validateAssertion(
AssertionWrapper assertion,
ReceivedToken tokenToRenew,
+ SecurityToken token,
TokenRenewerParameters tokenParameters
) {
+ // Check the cached renewal properties
+ Properties props = token.getProperties();
+ if (props == null) {
+ LOG.log(Level.WARNING, "Error in getting properties from cached token");
+ throw new STSException("Error in getting properties from cached token", STSException.REQUEST_FAILED);
+ }
+ String isAllowRenewal = (String)props.get(STSConstants.TOKEN_RENEWING_ALLOW);
+ String isAllowRenewalAfterExpiry =
+ (String)props.get(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY);
+ if (isAllowRenewal == null || isAllowRenewalAfterExpiry == null) {
+ LOG.log(Level.WARNING, "One of isAllowRenewal or isAllowRenewalAfterExpiry not set");
+ throw new STSException("Error with cached token", STSException.REQUEST_FAILED);
+ }
+
+ if (isAllowRenewal == null || !Boolean.valueOf(isAllowRenewal)) {
+ LOG.log(Level.WARNING, "The token is not allowed to be renewed");
+ throw new STSException("The token is not allowed to be renewed", STSException.REQUEST_FAILED);
+ }
+
// Check to see whether the token has expired greater than the configured max expiry time
if (tokenToRenew.getState() == STATE.EXPIRED) {
+ if (!allowRenewalAfterExpiry || isAllowRenewalAfterExpiry == null
+ || !Boolean.valueOf(isAllowRenewalAfterExpiry)) {
+ LOG.log(Level.WARNING, "Renewal after expiry is not allowed");
+ throw new STSException(
+ "Renewal after expiry is not allowed", STSException.REQUEST_FAILED
+ );
+ }
DateTime expiryDate = getExpiryDate(assertion);
DateTime currentDate = new DateTime();
if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
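Review bot: Both renewal checks re-test for null values that the preceding guard has already rejected: `isAllowRenewal == null` at the first `if` and `isAllowRenewalAfterExpiry == null` inside the EXPIRED branch can never be true once the combined null check has thrown, so the conditions read as if three states were possible. Simplify to `if (!Boolean.parseBoolean(isAllowRenewal)) {` and `if (!allowRenewalAfterExpiry || !Boolean.parseBoolean(isAllowRenewalAfterExpiry)) {`, which also avoids boxing through `Boolean.valueOf`. Using `props.getProperty(...)` instead of `(String) props.get(...)` would drop the casts and tolerate the `put`/`setProperty` mix in the providers. The method body continues past the end of the hunk.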
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java Wed Apr 11 23:21:01 2012
@@ -33,6 +33,11 @@ public interface TokenRenewer {
void setVerifyProofOfPossession(boolean verifyProofOfPossession);
/**
+ * boolean for enabling/disabling renewal after expiry.
+ */
+ void setAllowRenewalAfterExpiry(boolean allowRenewalAfterExpiry);
+
+ /**
* Return true if this TokenRenewer implementation is able to renew a token.
*/
boolean canHandleToken(ReceivedToken renewTarget);
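Review bot: Adding an abstract method to the public TokenRenewer interface breaks every third-party implementation at compile time, and the Javadoc `boolean for enabling/disabling renewal after expiry.` does not say what the default is or who enforces it. Reword it to `/** Enable or disable renewal of a token that has already expired. Implementations default to false. */` so implementors know the expected behaviour, and consider calling out the interface change in the release notes since existing renewers must add the method.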
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java Wed Apr 11 23:21:01 2012
@@ -43,6 +43,7 @@ import org.apache.cxf.sts.cache.DefaultI
import org.apache.cxf.sts.common.PasswordCallbackHandler;
import org.apache.cxf.sts.request.KeyRequirements;
import org.apache.cxf.sts.request.Lifetime;
+import org.apache.cxf.sts.request.Renewing;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
@@ -53,7 +54,6 @@ import org.apache.cxf.sts.token.renewer.
import org.apache.cxf.sts.token.renewer.TokenRenewer;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidator;
-import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.sts.provider.model.RenewTargetType;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
@@ -86,10 +86,10 @@ public class RenewSamlUnitTest extends o
}
/**
- * Test to successfully renew an expired Saml 1.1 token (using the cache)
+ * Test to successfully renew a valid Saml 1.1 token
*/
@org.junit.Test
- public void testRenewExpiredSaml1Token() throws Exception {
+ public void testRenewValidSaml1Token() throws Exception {
TokenRenewOperation renewOperation = new TokenRenewOperation();
renewOperation.setTokenStore(tokenStore);
@@ -127,9 +127,9 @@ public class RenewSamlUnitTest extends o
// Get a SAML Token via the SAMLTokenProvider
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
- // Sleep to expire the token
- Thread.sleep(1000);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, true, false
+ );
Document doc = samlToken.getOwnerDocument();
samlToken = (Element)doc.appendChild(samlToken);
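Review bot: The new `createSAMLAssertion(..., 50000, true, false)` call passes two bare booleans whose meaning cannot be read at the call site; the helper's signature is outside this hunk, but from the feature being tested they presumably select the Renewing Allow and OK values stored with the token. Naming them inline, `/* allowRenewing */ true, /* allowRenewingAfterExpiry */ false`, or introducing two local booleans keeps the test readable, and the same applies to the later calls in this file that pass `true, true`.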
@@ -151,10 +151,9 @@ public class RenewSamlUnitTest extends o
);
WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
- // Validate a token
+ // Renew a token
RequestSecurityTokenResponseType response =
renewOperation.renew(request, webServiceContext);
-
assertTrue(response != null && response.getAny() != null && !response.getAny().isEmpty());
// Test the generated token.
@@ -176,17 +175,20 @@ public class RenewSamlUnitTest extends o
assertTrue(tokenString.contains(SAML1Constants.CONF_BEARER));
}
+
/**
- * Test to successfully renew an expired Saml 1.1 token without using the cache
+ * Test to successfully renew an expired Saml 1.1 token.
*/
@org.junit.Test
- public void testRenewExpiredSaml1TokenNoCache() throws Exception {
+ public void testRenewExpiredSaml1Token() throws Exception {
TokenRenewOperation renewOperation = new TokenRenewOperation();
+ renewOperation.setTokenStore(tokenStore);
// Add Token Renewer
List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
TokenRenewer tokenRenewer = new SAMLTokenRenewer();
tokenRenewer.setVerifyProofOfPossession(false);
+ tokenRenewer.setAllowRenewalAfterExpiry(true);
renewerList.add(tokenRenewer);
renewOperation.setTokenRenewers(renewerList);
@@ -217,7 +219,9 @@ public class RenewSamlUnitTest extends o
// Get a SAML Token via the SAMLTokenProvider
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
// Sleep to expire the token
Thread.sleep(1000);
@@ -267,7 +271,7 @@ public class RenewSamlUnitTest extends o
}
/**
- * Test to successfully renew an expired Saml 2 token (using the cache)
+ * Test to successfully renew an expired Saml 2 token.
*/
@org.junit.Test
public void testRenewExpiredSaml2Token() throws Exception {
@@ -278,6 +282,7 @@ public class RenewSamlUnitTest extends o
List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
TokenRenewer tokenRenewer = new SAMLTokenRenewer();
tokenRenewer.setVerifyProofOfPossession(false);
+ tokenRenewer.setAllowRenewalAfterExpiry(true);
renewerList.add(tokenRenewer);
renewOperation.setTokenRenewers(renewerList);
@@ -308,97 +313,9 @@ public class RenewSamlUnitTest extends o
// Get a SAML Token via the SAMLTokenProvider
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
- // Sleep to expire the token
- Thread.sleep(1000);
-
- Document doc = samlToken.getOwnerDocument();
- samlToken = (Element)doc.appendChild(samlToken);
- RenewTargetType renewTarget = new RenewTargetType();
- renewTarget.setAny(samlToken);
-
- JAXBElement<RenewTargetType> renewTargetType =
- new JAXBElement<RenewTargetType>(
- QNameConstants.RENEW_TARGET, RenewTargetType.class, renewTarget
- );
- request.getAny().add(renewTargetType);
-
- // Mock up message context
- MessageImpl msg = new MessageImpl();
- WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
- msgCtx.put(
- SecurityContext.class.getName(),
- createSecurityContext(new CustomTokenPrincipal("alice"))
- );
- WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
-
- // Validate a token
- RequestSecurityTokenResponseType response =
- renewOperation.renew(request, webServiceContext);
-
- assertTrue(response != null && response.getAny() != null && !response.getAny().isEmpty());
-
- // Test the generated token.
- Element assertion = null;
- for (Object tokenObject : response.getAny()) {
- if (tokenObject instanceof JAXBElement<?>
- && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>)tokenObject).getName())) {
- RequestedSecurityTokenType rstType =
- (RequestedSecurityTokenType)((JAXBElement<?>)tokenObject).getValue();
- assertion = (Element)rstType.getAny();
- break;
- }
- }
-
- assertNotNull(assertion);
- String tokenString = DOM2Writer.nodeToString(assertion);
- assertTrue(tokenString.contains("AttributeStatement"));
- assertTrue(tokenString.contains("alice"));
- assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
- }
-
- /**
- * Test to successfully renew an expired Saml 2 token without using the cache
- */
- @org.junit.Test
- public void testRenewExpiredSaml2TokenNoCache() throws Exception {
- TokenRenewOperation renewOperation = new TokenRenewOperation();
-
- // Add Token Renewer
- List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
- TokenRenewer tokenRenewer = new SAMLTokenRenewer();
- tokenRenewer.setVerifyProofOfPossession(false);
- renewerList.add(tokenRenewer);
- renewOperation.setTokenRenewers(renewerList);
-
- // Add Token Validator
- List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
- validatorList.add(new SAMLTokenValidator());
- renewOperation.setTokenValidators(validatorList);
-
- // Add STSProperties object
- STSPropertiesMBean stsProperties = new StaticSTSProperties();
- Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
- stsProperties.setEncryptionCrypto(crypto);
- stsProperties.setSignatureCrypto(crypto);
- stsProperties.setEncryptionUsername("myservicekey");
- stsProperties.setSignatureUsername("mystskey");
- stsProperties.setCallbackHandler(new PasswordCallbackHandler());
- stsProperties.setIssuer("STS");
- renewOperation.setStsProperties(stsProperties);
-
- // Mock up a request
- RequestSecurityTokenType request = new RequestSecurityTokenType();
- JAXBElement<String> tokenType =
- new JAXBElement<String>(
- QNameConstants.TOKEN_TYPE, String.class, STSConstants.BEARER_KEY_KEYTYPE
+ createSAMLAssertion(
+ WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
);
- request.getAny().add(tokenType);
-
- // Get a SAML Token via the SAMLTokenProvider
- CallbackHandler callbackHandler = new PasswordCallbackHandler();
- Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
// Sleep to expire the token
Thread.sleep(1000);
@@ -448,113 +365,18 @@ public class RenewSamlUnitTest extends o
}
/**
- * Test to successfully renew a valid Saml 1.1 token
- */
- @org.junit.Test
- public void testRenewValidSaml1Token() throws Exception {
- TokenRenewOperation renewOperation = new TokenRenewOperation();
-
- // Add Token Renewer
- List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
- TokenRenewer tokenRenewer = new SAMLTokenRenewer();
- tokenRenewer.setVerifyProofOfPossession(false);
- renewerList.add(tokenRenewer);
- renewOperation.setTokenRenewers(renewerList);
-
- // Add Token Validator
- List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
- validatorList.add(new SAMLTokenValidator());
- renewOperation.setTokenValidators(validatorList);
-
- // Add STSProperties object
- STSPropertiesMBean stsProperties = new StaticSTSProperties();
- Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
- stsProperties.setEncryptionCrypto(crypto);
- stsProperties.setSignatureCrypto(crypto);
- stsProperties.setEncryptionUsername("myservicekey");
- stsProperties.setSignatureUsername("mystskey");
- stsProperties.setCallbackHandler(new PasswordCallbackHandler());
- stsProperties.setIssuer("STS");
- renewOperation.setStsProperties(stsProperties);
-
- // Mock up a request
- RequestSecurityTokenType request = new RequestSecurityTokenType();
- JAXBElement<String> tokenType =
- new JAXBElement<String>(
- QNameConstants.TOKEN_TYPE, String.class, STSConstants.BEARER_KEY_KEYTYPE
- );
- request.getAny().add(tokenType);
-
- // Get a SAML Token via the SAMLTokenProvider
- CallbackHandler callbackHandler = new PasswordCallbackHandler();
- Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000);
-
- Document doc = samlToken.getOwnerDocument();
- samlToken = (Element)doc.appendChild(samlToken);
- RenewTargetType renewTarget = new RenewTargetType();
- renewTarget.setAny(samlToken);
-
- JAXBElement<RenewTargetType> renewTargetType =
- new JAXBElement<RenewTargetType>(
- QNameConstants.RENEW_TARGET, RenewTargetType.class, renewTarget
- );
- request.getAny().add(renewTargetType);
-
- // Mock up message context
- MessageImpl msg = new MessageImpl();
- WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
- msgCtx.put(
- SecurityContext.class.getName(),
- createSecurityContext(new CustomTokenPrincipal("alice"))
- );
- WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
-
- // Validate a token
- try {
- renewOperation.renew(request, webServiceContext);
- fail("Failure expected on trying to renew a valid token");
- } catch (STSException ex) {
- // expected
- }
-
- renewOperation.setAllowRenewalBeforeExpiry(true);
- RequestSecurityTokenResponseType response =
- renewOperation.renew(request, webServiceContext);
-
- assertTrue(response != null && response.getAny() != null && !response.getAny().isEmpty());
-
- // Test the generated token.
- Element assertion = null;
- for (Object tokenObject : response.getAny()) {
- if (tokenObject instanceof JAXBElement<?>
- && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>)tokenObject).getName())) {
- RequestedSecurityTokenType rstType =
- (RequestedSecurityTokenType)((JAXBElement<?>)tokenObject).getValue();
- assertion = (Element)rstType.getAny();
- break;
- }
- }
-
- assertNotNull(assertion);
- String tokenString = DOM2Writer.nodeToString(assertion);
- assertTrue(tokenString.contains("AttributeStatement"));
- assertTrue(tokenString.contains("alice"));
- assertTrue(tokenString.contains(SAML1Constants.CONF_BEARER));
- }
-
- /**
- * Test to successfully renew an expired Saml 2 token without using the cache, and sending
- * no TokenType.
+ * Test to successfully renew an expired Saml 2 token and sending no TokenType.
*/
@org.junit.Test
public void testRenewExpiredSaml2TokenNoCacheNoTokenType() throws Exception {
TokenRenewOperation renewOperation = new TokenRenewOperation();
+ renewOperation.setTokenStore(tokenStore);
// Add Token Renewer
List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
TokenRenewer tokenRenewer = new SAMLTokenRenewer();
tokenRenewer.setVerifyProofOfPossession(false);
+ tokenRenewer.setAllowRenewalAfterExpiry(true);
renewerList.add(tokenRenewer);
renewOperation.setTokenRenewers(renewerList);
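Review bot: Deleting testRenewValidSaml1Token removes the only operation-level check in this file that renewing a still-valid token is refused unless `renewOperation.setAllowRenewalBeforeExpiry(true)` is set (the removed try/catch around `renewOperation.renew` expected an STSException before the flag was flipped); unless that default-deny behaviour is exercised by another test added in this commit, it should be kept as a negative test, because a silent regression there would let any holder of a valid bearer token extend its lifetime at will. Separately, the surviving method is still named `testRenewExpiredSaml2TokenNoCacheNoTokenType` although its javadoc dropped the "without using the cache" wording and the test now calls `renewOperation.setTokenStore(tokenStore)`; renaming it to `testRenewExpiredSaml2TokenNoTokenType` keeps the name honest. The method continues beyond the end of the hunk.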
@@ -580,7 +402,9 @@ public class RenewSamlUnitTest extends o
// Get a SAML Token via the SAMLTokenProvider
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
// Sleep to expire the token
Thread.sleep(1000);
@@ -628,6 +452,7 @@ public class RenewSamlUnitTest extends o
assertTrue(tokenString.contains("alice"));
assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
}
+
/*
* Create a security context object
@@ -656,7 +481,8 @@ public class RenewSamlUnitTest extends o
private Element createSAMLAssertion(
String tokenType, Crypto crypto, String signatureUsername,
- CallbackHandler callbackHandler, long ttlMs
+ CallbackHandler callbackHandler, long ttlMs, boolean allowRenewing,
+ boolean allowRenewingAfterExpiry
) throws WSSecurityException {
SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -668,6 +494,11 @@ public class RenewSamlUnitTest extends o
tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
);
+ Renewing renewing = new Renewing();
+ renewing.setAllowRenewing(allowRenewing);
+ renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
+ providerParameters.getTokenRequirements().setRenewing(renewing);
+
if (ttlMs != 0) {
Lifetime lifetime = new Lifetime();
Date creationTime = new Date();
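Review bot: The two trailing booleans added to createSAMLAssertion (signature in the previous hunk) read at every call site as an opaque `true, true` or `true, false`, and nothing in the helper says what they control; since their only use is to populate a `Renewing` object, I would either take a `Renewing` parameter directly or document the pair above the signature, e.g. `// allowRenewing / allowRenewingAfterExpiry populate the token's wst:Renewing requirements, so the renewer tests can exercise tokens the issuer did and did not mark as renewable`. Without that, the next person adding a test has to read the helper body to know which flag is which. The helper's body continues past the end of this hunk.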
@@ -720,6 +551,7 @@ public class RenewSamlUnitTest extends o
parameters.setStsProperties(stsProperties);
parameters.setEncryptionProperties(new EncryptionProperties());
+ parameters.setTokenStore(tokenStore);
return parameters;
}
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java Wed Apr 11 23:21:01 2012
@@ -30,11 +30,13 @@ import org.apache.cxf.jaxws.context.Wrap
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.cache.DefaultInMemoryTokenStore;
import org.apache.cxf.sts.common.PasswordCallbackHandler;
import org.apache.cxf.sts.request.KeyRequirements;
import org.apache.cxf.sts.request.Lifetime;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.Renewing;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
@@ -42,12 +44,14 @@ import org.apache.cxf.sts.token.provider
import org.apache.cxf.sts.token.provider.TokenProviderParameters;
import org.apache.cxf.sts.token.provider.TokenProviderResponse;
import org.apache.cxf.ws.security.sts.provider.STSException;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.CustomTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.junit.BeforeClass;
/**
@@ -55,6 +59,13 @@ import org.apache.ws.security.util.XmlSc
*/
public class SAMLTokenRenewerLifetimeTest extends org.junit.Assert {
+ private static TokenStore tokenStore;
+
+ @BeforeClass
+ public static void init() {
+ tokenStore = new DefaultInMemoryTokenStore();
+ }
+
/**
* Renew SAML 2 token with a valid requested lifetime
*/
@@ -63,6 +74,8 @@ public class SAMLTokenRenewerLifetimeTes
int requestedLifetime = 60;
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
+
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
samlTokenRenewer.setConditionsProvider(conditionsProvider);
@@ -83,7 +96,9 @@ public class SAMLTokenRenewerLifetimeTes
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
// Create token.
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
// Sleep to expire the token
Thread.sleep(1000);
@@ -108,6 +123,7 @@ public class SAMLTokenRenewerLifetimeTes
public void testSaml2ProviderLifetime() throws Exception {
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
long providerLifetime = 10 * 600L;
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -120,7 +136,9 @@ public class SAMLTokenRenewerLifetimeTes
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
// Create token.
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
// Sleep to expire the token
Thread.sleep(1000);
@@ -146,6 +164,8 @@ public class SAMLTokenRenewerLifetimeTes
long maxLifetime = 30 * 60L; // 30 minutes
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
+
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setMaxLifetime(maxLifetime);
conditionsProvider.setAcceptClientLifetime(true);
@@ -168,7 +188,9 @@ public class SAMLTokenRenewerLifetimeTes
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
// Create token.
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
// Sleep to expire the token
Thread.sleep(1000);
@@ -194,6 +216,8 @@ public class SAMLTokenRenewerLifetimeTes
public void testSaml2ExceededDefaultMaxLifetime() throws Exception {
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
+
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
samlTokenRenewer.setConditionsProvider(conditionsProvider);
@@ -215,7 +239,9 @@ public class SAMLTokenRenewerLifetimeTes
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
// Create token.
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
// Sleep to expire the token
Thread.sleep(1000);
@@ -244,6 +270,8 @@ public class SAMLTokenRenewerLifetimeTes
long maxLifetime = 30 * 60L; // 30 minutes
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
+
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setMaxLifetime(maxLifetime);
conditionsProvider.setFailLifetimeExceedance(false);
@@ -267,7 +295,9 @@ public class SAMLTokenRenewerLifetimeTes
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
// Create token.
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
// Sleep to expire the token
Thread.sleep(1000);
@@ -312,13 +342,16 @@ public class SAMLTokenRenewerLifetimeTes
parameters.setStsProperties(stsProperties);
parameters.setEncryptionProperties(new EncryptionProperties());
+
+ parameters.setTokenStore(tokenStore);
return parameters;
}
private Element createSAMLAssertion(
String tokenType, Crypto crypto, String signatureUsername,
- CallbackHandler callbackHandler, long ttlMs
+ CallbackHandler callbackHandler, long ttlMs, boolean allowRenewing,
+ boolean allowRenewingAfterExpiry
) throws WSSecurityException {
SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -329,6 +362,11 @@ public class SAMLTokenRenewerLifetimeTes
tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
);
+ Renewing renewing = new Renewing();
+ renewing.setAllowRenewing(allowRenewing);
+ renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
+ providerParameters.getTokenRequirements().setRenewing(renewing);
+
if (ttlMs != 0) {
Lifetime lifetime = new Lifetime();
Date creationTime = new Date();
@@ -381,6 +419,7 @@ public class SAMLTokenRenewerLifetimeTes
parameters.setStsProperties(stsProperties);
parameters.setEncryptionProperties(new EncryptionProperties());
+ parameters.setTokenStore(tokenStore);
return parameters;
}
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java Wed Apr 11 23:21:01 2012
@@ -33,11 +33,13 @@ import org.apache.cxf.jaxws.context.Wrap
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.cache.DefaultInMemoryTokenStore;
import org.apache.cxf.sts.common.PasswordCallbackHandler;
import org.apache.cxf.sts.request.KeyRequirements;
import org.apache.cxf.sts.request.Lifetime;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.Renewing;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
@@ -52,18 +54,27 @@ import org.apache.cxf.sts.token.validato
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.CustomTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.junit.BeforeClass;
/**
* Some unit tests for renewing a SAML token in different realms.
*/
public class SAMLTokenRenewerRealmTest extends org.junit.Assert {
+ private static TokenStore tokenStore;
+
+ @BeforeClass
+ public static void init() {
+ tokenStore = new DefaultInMemoryTokenStore();
+ }
+
/**
* Test a SAML 1.1 Assertion created in realm "A".
*/
@@ -72,10 +83,14 @@ public class SAMLTokenRenewerRealmTest e
// Create a RenewTarget consisting of a SAML Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
- Element samlToken =
- createSAMLAssertion(
- WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, "A", 50
+
+ TokenProviderParameters providerParameters =
+ createProviderParameters(
+ WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, crypto, "mystskey",
+ callbackHandler
);
+
+ Element samlToken = createSAMLAssertion(providerParameters, "A", 50, true, true);
// Sleep to expire the token
Thread.sleep(1000);
Document doc = samlToken.getOwnerDocument();
@@ -112,6 +127,7 @@ public class SAMLTokenRenewerRealmTest e
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
Map<String, SAMLRealm> samlRealms = getSamlRealms();
((SAMLTokenRenewer)samlTokenRenewer).setRealmMap(samlRealms);
String realm = validatorResponse.getTokenRealm();
@@ -140,10 +156,14 @@ public class SAMLTokenRenewerRealmTest e
// Create a RenewTarget consisting of a SAML Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
- Element samlToken =
- createSAMLAssertion(
- WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, "B", 50
+
+ TokenProviderParameters providerParameters =
+ createProviderParameters(
+ WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, crypto, "mystskey",
+ callbackHandler
);
+
+ Element samlToken = createSAMLAssertion(providerParameters, "B", 50, true, true);
// Sleep to expire the token
Thread.sleep(1000);
Document doc = samlToken.getOwnerDocument();
@@ -180,6 +200,7 @@ public class SAMLTokenRenewerRealmTest e
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
Map<String, SAMLRealm> samlRealms = getSamlRealms();
((SAMLTokenRenewer)samlTokenRenewer).setRealmMap(samlRealms);
String realm = validatorResponse.getTokenRealm();
@@ -228,26 +249,30 @@ public class SAMLTokenRenewerRealmTest e
stsProperties.setIssuer("STS-2");
parameters.setStsProperties(stsProperties);
+ parameters.setTokenStore(tokenStore);
+
return parameters;
}
private Element createSAMLAssertion(
- String tokenType,
- Crypto crypto,
- String signatureUsername,
- CallbackHandler callbackHandler,
+ TokenProviderParameters providerParameters,
String realm,
- long ttlMs
+ long ttlMs,
+ boolean allowRenewing,
+ boolean allowRenewingAfterExpiry
) throws WSSecurityException {
TokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
((SAMLTokenProvider)samlTokenProvider).setConditionsProvider(conditionsProvider);
- TokenProviderParameters providerParameters =
- createProviderParameters(
- tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
- );
+
providerParameters.setRealm(realm);
+
+ Renewing renewing = new Renewing();
+ renewing.setAllowRenewing(allowRenewing);
+ renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
+ providerParameters.getTokenRequirements().setRenewing(renewing);
+
if (ttlMs != 0) {
Lifetime lifetime = new Lifetime();
Date creationTime = new Date();
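Review bot: createSAMLAssertion now mutates the `providerParameters` object the caller passes in — it sets the realm and replaces the Renewing on the shared TokenRequirements — which is a change from the old helper that built its own parameters, and neither the signature nor the call sites earlier in this file say so; a caller that reuses the same object after the call will silently see the changed realm and Renewing flags. I would add a javadoc line such as `Issues a SAML assertion with the supplied provider parameters. NOTE: mutates providerParameters (realm and Renewing requirements) as a side effect.` The helper's body continues past the end of this hunk.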
@@ -316,6 +341,8 @@ public class SAMLTokenRenewerRealmTest e
parameters.setStsProperties(stsProperties);
parameters.setEncryptionProperties(new EncryptionProperties());
+
+ parameters.setTokenStore(tokenStore);
return parameters;
}
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java Wed Apr 11 23:21:01 2012
@@ -37,6 +37,7 @@ import org.apache.cxf.sts.request.KeyReq
import org.apache.cxf.sts.request.Lifetime;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.Renewing;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
@@ -71,19 +72,19 @@ public class SAMLTokenRenewerTest extend
}
/**
- * Renew an expired SAML1 Assertion
+ * Renew a valid SAML1 Assertion
*/
@org.junit.Test
- public void renewExpiredSAML1Assertion() throws Exception {
+ public void renewValidSAML1Assertion() throws Exception {
// Create the Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, true, false
+ );
Document doc = samlToken.getOwnerDocument();
samlToken = (Element)doc.appendChild(samlToken);
- // Sleep to expire the token
- Thread.sleep(1000);
// Validate the Assertion
TokenValidator samlTokenValidator = new SAMLTokenValidator();
@@ -99,7 +100,7 @@ public class SAMLTokenRenewerTest extend
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+ assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
// Renew the Assertion
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
@@ -137,24 +138,23 @@ public class SAMLTokenRenewerTest extend
}
/**
- * Renew an expired SAML1 Assertion without using the cache
+ * Renew a valid SAML1 Assertion. However, the issuer does not allow renewal
*/
@org.junit.Test
- public void renewExpiredSAML1AssertionNoCache() throws Exception {
+ public void renewNotAllowedOfValidSAML1Assertion() throws Exception {
// Create the Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, false, false
+ );
Document doc = samlToken.getOwnerDocument();
samlToken = (Element)doc.appendChild(samlToken);
- // Sleep to expire the token
- Thread.sleep(1000);
// Validate the Assertion
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
- validatorParameters.setTokenStore(null);
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
@@ -166,7 +166,7 @@ public class SAMLTokenRenewerTest extend
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+ assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
// Renew the Assertion
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
@@ -183,36 +183,26 @@ public class SAMLTokenRenewerTest extend
samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
- TokenRenewerResponse renewerResponse =
- samlTokenRenewer.renewToken(renewerParameters);
- assertTrue(renewerResponse != null);
- assertTrue(renewerResponse.getToken() != null);
-
- String oldId = new AssertionWrapper(samlToken).getId();
- String newId = new AssertionWrapper((Element)renewerResponse.getToken()).getId();
- assertFalse(oldId.equals(newId));
-
- // Now validate it again
- validateTarget = new ReceivedToken(renewerResponse.getToken());
- tokenRequirements.setValidateTarget(validateTarget);
- validatorParameters.setToken(validateTarget);
-
- validatorResponse = samlTokenValidator.validateToken(validatorParameters);
- assertTrue(validatorResponse != null);
- assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+ try {
+ samlTokenRenewer.renewToken(renewerParameters);
+ fail("Failure expected on attempting to renew a token that was not allowed to be renewed");
+ } catch (Exception ex) {
+ // expected
+ }
}
/**
- * Renew an expired SAML2 Assertion
+ * Renew an expired SAML1 Assertion
*/
@org.junit.Test
- public void renewExpiredSAML2Assertion() throws Exception {
+ public void renewExpiredSAML1Assertion() throws Exception {
// Create the Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
Document doc = samlToken.getOwnerDocument();
samlToken = (Element)doc.appendChild(samlToken);
// Sleep to expire the token
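Review bot: The negative test renewNotAllowedOfValidSAML1Assertion passes on any exception, because `catch (Exception ex)` also swallows a NullPointerException or a misconfiguration error thrown before the renewer ever evaluates the token's Renewing flags, so the test would keep passing even if the policy check itself were removed. If SAMLTokenRenewer signals the refusal with STSException (the type the removed operation-level test in RenewSamlUnitTest expected), narrow it to `catch (STSException ex)`; otherwise at least assert on the exception's type or message so the test fails for the right reason. renewExpiredSAML1Assertion, which begins at the bottom of this hunk, continues beyond it.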
@@ -249,6 +239,14 @@ public class SAMLTokenRenewerTest extend
samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+ try {
+ samlTokenRenewer.renewToken(renewerParameters);
+ fail("Failure expected on an expired token, which is not allowed by default");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
TokenRenewerResponse renewerResponse =
samlTokenRenewer.renewToken(renewerParameters);
assertTrue(renewerResponse != null);
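Review bot: The default-deny check added here would still pass if renewToken failed for an unrelated reason, since `catch (Exception ex)` accepts anything, and the fail message "not allowed by default" is the only place the intended reason is stated. Narrowing the catch to the exception the renewer actually throws for a policy refusal (`catch (STSException ex)` if that is the type; the file's imports are not in this view) makes the test prove the default rather than just that something broke. The enclosing method renewExpiredSAML1Assertion starts before and ends after this hunk.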
@@ -270,15 +268,17 @@ public class SAMLTokenRenewerTest extend
}
/**
- * Renew an expired SAML2 Assertion without using the cache
+ * Renew an expired SAML2 Assertion
*/
@org.junit.Test
- public void renewExpiredSAML2AssertionNoCache() throws Exception {
+ public void renewExpiredSAML2Assertion() throws Exception {
// Create the Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
Document doc = samlToken.getOwnerDocument();
samlToken = (Element)doc.appendChild(samlToken);
// Sleep to expire the token
@@ -287,7 +287,6 @@ public class SAMLTokenRenewerTest extend
// Validate the Assertion
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
- validatorParameters.setTokenStore(null);
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
@@ -315,7 +314,15 @@ public class SAMLTokenRenewerTest extend
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+
+ try {
+ samlTokenRenewer.renewToken(renewerParameters);
+ fail("Failure expected on an expired token, which is not allowed by default");
+ } catch (Exception ex) {
+ // expected
+ }
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
TokenRenewerResponse renewerResponse =
samlTokenRenewer.renewToken(renewerParameters);
assertTrue(renewerResponse != null);
@@ -337,17 +344,22 @@ public class SAMLTokenRenewerTest extend
}
/**
- * Renew a valid SAML1 Assertion
+ * Renew an expired SAML2 Assertion. However the issuer does not allow the renewal of expired
+ * tokens.
*/
@org.junit.Test
- public void renewValidSAML1Assertion() throws Exception {
+ public void renewExpiredNotAllowedSAML2Assertion() throws Exception {
// Create the Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, false
+ );
Document doc = samlToken.getOwnerDocument();
samlToken = (Element)doc.appendChild(samlToken);
+ // Sleep to expire the token
+ Thread.sleep(1000);
// Validate the Assertion
TokenValidator samlTokenValidator = new SAMLTokenValidator();
@@ -363,7 +375,7 @@ public class SAMLTokenRenewerTest extend
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+ assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
// Renew the Assertion
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
@@ -378,26 +390,15 @@ public class SAMLTokenRenewerTest extend
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
- TokenRenewerResponse renewerResponse =
- samlTokenRenewer.renewToken(renewerParameters);
- assertTrue(renewerResponse != null);
- assertTrue(renewerResponse.getToken() != null);
-
- String oldId = new AssertionWrapper(samlToken).getId();
- String newId = new AssertionWrapper((Element)renewerResponse.getToken()).getId();
- assertFalse(oldId.equals(newId));
-
- // Now validate it again
- validateTarget = new ReceivedToken(renewerResponse.getToken());
- tokenRequirements.setValidateTarget(validateTarget);
- validatorParameters.setToken(validateTarget);
-
- validatorResponse = samlTokenValidator.validateToken(validatorParameters);
- assertTrue(validatorResponse != null);
- assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+ try {
+ samlTokenRenewer.renewToken(renewerParameters);
+ fail("Failure on attempting to renew an expired token, which is not allowed");
+ } catch (Exception ex) {
+ // expected
+ }
}
@@ -411,7 +412,9 @@ public class SAMLTokenRenewerTest extend
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+ );
Document doc = samlToken.getOwnerDocument();
samlToken = (Element)doc.appendChild(samlToken);
// Sleep to expire the token
@@ -446,6 +449,7 @@ public class SAMLTokenRenewerTest extend
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
+ samlTokenRenewer.setAllowRenewalAfterExpiry(true);
((SAMLTokenRenewer)samlTokenRenewer).setMaxExpiry(1L);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
@@ -466,7 +470,9 @@ public class SAMLTokenRenewerTest extend
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
- createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000);
+ createSAMLAssertion(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, true, false
+ );
Document doc = samlToken.getOwnerDocument();
samlToken = (Element)doc.appendChild(samlToken);
@@ -509,6 +515,7 @@ public class SAMLTokenRenewerTest extend
}
}
+
private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
TokenValidatorParameters parameters = new TokenValidatorParameters();
@@ -542,7 +549,8 @@ public class SAMLTokenRenewerTest extend
private Element createSAMLAssertion(
String tokenType, Crypto crypto, String signatureUsername,
- CallbackHandler callbackHandler, long ttlMs
+ CallbackHandler callbackHandler, long ttlMs, boolean allowRenewing,
+ boolean allowRenewingAfterExpiry
) throws WSSecurityException {
SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -552,6 +560,11 @@ public class SAMLTokenRenewerTest extend
createProviderParameters(
tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
);
+
+ Renewing renewing = new Renewing();
+ renewing.setAllowRenewing(allowRenewing);
+ renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
+ providerParameters.getTokenRequirements().setRenewing(renewing);
if (ttlMs != 0) {
Lifetime lifetime = new Lifetime();
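Review bot: Every visible call to the extended `createSAMLAssertion` passes `allowRenewing = true`, so the Renewing element attached here never produces a token that forbids renewal altogether; as far as this file shows, the renewer's handling of `allowRenewing = false` is untested, and one test issuing an assertion with `false, false` and expecting `renewToken` to fail would cover it. The two adjacent boolean parameters also make call sites such as `50, true, true` hard to read; annotating them (`/* allowRenewing */ true, /* allowRenewingAfterExpiry */ true`) or accepting a `Renewing` object would make the intent visible where it is used. The method body continues past this hunk.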
Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java Wed Apr 11 23:21:01 2012
@@ -68,7 +68,8 @@ public class SAMLRenewUnitTest extends A
"https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
// Request the token
- SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 5);
+ SecurityToken token =
+ requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 5, true);
assertNotNull(token);
// Sleep to expire the token
Thread.sleep(5000);
@@ -102,7 +103,8 @@ public class SAMLRenewUnitTest extends A
"https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
// Request the token
- SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5);
+ SecurityToken token =
+ requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5, true);
assertNotNull(token);
// Sleep to expire the token
Thread.sleep(5000);
@@ -124,6 +126,34 @@ public class SAMLRenewUnitTest extends A
}
@org.junit.Test
+ public void testRenewSAML2TokenFail() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SAMLRenewUnitTest.class.getResource("cxf-client-unit.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ String wsdlLocation =
+ "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
+
+ // Request the token
+ SecurityToken token =
+ requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5, false);
+ assertNotNull(token);
+ // Sleep to expire the token
+ Thread.sleep(5000);
+
+ // Renew the token - this will fail as we didn't send a Renewing @OK attribute
+ try {
+ renewSecurityToken(bus, wsdlLocation, token, false);
+ fail("Failure expected on a different AppliesTo address");
+ } catch (Exception ex) {
+ // expected
+ }
+ }
+
+ @org.junit.Test
public void testRenewValidSAML1Token() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = SAMLRenewUnitTest.class.getResource("cxf-client-unit.xml");
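Review bot: The failure message in the new `testRenewSAML2TokenFail` does not describe its scenario: `fail("Failure expected on a different AppliesTo address")` reads as a copy from another test, while the comment above it says the renewal must fail because no Renewing @OK attribute was sent. Use `fail("Failure expected on renewing an expired token without a Renewing @OK attribute");` so a failing run reports the real reason. As in the unit tests, `catch (Exception ex)` accepts any error, so a transport or configuration fault would also let this test pass.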
@@ -136,7 +166,8 @@ public class SAMLRenewUnitTest extends A
"https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
// Request the token
- SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 300);
+ SecurityToken token =
+ requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 300, false);
assertNotNull(token);
// Validate the token
@@ -144,14 +175,12 @@ public class SAMLRenewUnitTest extends A
assertFalse(validatedTokens.isEmpty());
assertTrue(validatedTokens.get(0).equals(token));
- // Renew the token - this should fail as the STS will reject an attempt to renew a valid token
- // unless it has been configured otherwise
- try {
- renewSecurityToken(bus, wsdlLocation, token, true);
- fail("Failure expected on trying to renew a valid token");
- } catch (Exception ex) {
- // expected
- }
+ // Renew the token
+ SecurityToken renewedToken = renewSecurityToken(bus, wsdlLocation, token, false);
+ assertFalse(token.equals(renewedToken));
+
+ // Validate the renewed token
+ validateSecurityToken(bus, wsdlLocation, renewedToken);
}
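Review bot: The expectation for renewing a still-valid SAML1 token flips from a mandatory failure to success, and the removed comment explaining the old STS policy is not replaced by one explaining the new rule. Since this token was requested with `allowExpired = false` (hunk `@@ -136,7 +166,8 @@`), a comment such as `// Renewal before expiry is always permitted; only renewal after expiry depends on the Renewing @OK attribute` would state what is being tested, assuming that is the intended semantics (not visible here). `assertFalse(token.equals(renewedToken))` also depends on how SecurityToken implements equals; if it exposes the token id, comparing ids (`assertFalse(token.getId().equals(renewedToken.getId()))`) would be the more direct check.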
@org.junit.Test
@@ -167,7 +196,8 @@ public class SAMLRenewUnitTest extends A
"https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
// Request the token
- SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5);
+ SecurityToken token =
+ requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5, true);
assertNotNull(token);
// Sleep to expire the token
Thread.sleep(5000);
@@ -182,8 +212,9 @@ public class SAMLRenewUnitTest extends A
}
}
+
private SecurityToken requestSecurityToken(
- Bus bus, String wsdlLocation, String tokenType, int ttl
+ Bus bus, String wsdlLocation, String tokenType, int ttl, boolean allowExpired
) throws Exception {
STSClient stsClient = new STSClient(bus);
stsClient.setWsdlLocation(wsdlLocation);
@@ -201,6 +232,7 @@ public class SAMLRenewUnitTest extends A
properties.put(SecurityConstants.STS_TOKEN_PROPERTIES, "serviceKeystore.properties");
stsClient.setTtl(ttl);
+ stsClient.setAllowRenewingAfterExpiry(allowExpired);
stsClient.setEnableLifetime(true);
stsClient.setProperties(properties);
Modified: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml Wed Apr 11 23:21:01 2012
@@ -53,6 +53,7 @@ http://cxf.apache.org/configuration/secu
value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
<property name="ttl" value="8"/>
<property name="enableLifetime" value="true"/>
+ <property name="allowRenewingAfterExpiry" value="true"/>
<property name="properties">
<map>
<entry key="ws-security.sts.token.username" value="myclientkey"/>
Modified: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml Wed Apr 11 23:21:01 2012
@@ -130,6 +130,7 @@
<bean id="transportSamlTokenRenewer" class="org.apache.cxf.sts.token.renewer.SAMLTokenRenewer">
<property name="verifyProofOfPossession" value="false"/>
+ <property name="allowRenewalAfterExpiry" value="true"/>
<property name="conditionsProvider" ref="SAMLConditionsProvider"/>
</bean>