Posted to commits@cxf.apache.org by co...@apache.org on 2014/06/26 16:38:10 UTC
[2/3] git commit: Adding support for a cross-domain STS test
Adding support for a cross-domain STS test
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c5ede8a9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c5ede8a9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c5ede8a9
Branch: refs/heads/2.7.x-fixes
Commit: c5ede8a9f93bf96d056b6ec34462a8e8c42c1a89
Parents: aaf7e66
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jun 26 13:48:07 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Jun 26 15:27:58 2014 +0100
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 16 +++
.../apache/cxf/ws/security/trust/STSUtils.java | 113 +++++++++++++++++++
.../sts/cross_domain/CrossDomainTest.java | 3 +-
.../cxf/systest/sts/cross_domain/cxf-client.xml | 1 +
4 files changed, 131 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/c5ede8a9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 35d5698..e255d5a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -435,6 +435,16 @@ public final class SecurityConstants {
"ws-security.sts.disable-wsmex-call-using-epr-address";
/**
+ * Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties
+ * when making an STS RequestSecurityToken call. This can be set to true for the scenario
+ * of making a WS-MEX call to an initial STS, and using the returned token to make another
+ * call to an STS (which is configured using the STSClient configuration). Default is
+ * "false".
+ */
+ public static final String PREFER_WSMEX_OVER_STS_CLIENT_CONFIG =
+ "ws-security.sts.prefer-wsmex";
+
+ /**
* Switch STS client to send Soap 1.2 messages
*/
public static final String STS_CLIENT_SOAP12_BINDING =
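Review bot: The Javadoc for PREFER_WSMEX_OVER_STS_CLIENT_CONFIG leaves out the lookup it triggers: when the property is true, STSUtils.getClient in this same commit first looks for a dedicated client under `SecurityConstants.STS_CLIENT + ".wsmex"` and only creates a fresh STSClient when none is configured, and that derived key is documented nowhere. A reader configuring the "initial STS via WS-MEX, second STS via STSClient" scenario the comment describes cannot tell from here how to supply the first client. Add a sentence along the lines of `* When true, the STSClient used for the WS-MEX call is looked up under the STS_CLIENT property name suffixed with ".wsmex", and a new client is created if none is configured.` before the "Default is false" line.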
@@ -546,8 +556,14 @@ public final class SecurityConstants {
DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF,
TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND,
+<<<<<<< HEAD
ASYMMETRIC_SIGNATURE_ALGORITHM, ENABLE_SAML_ONE_TIME_USE_CACHE, SAML_ONE_TIME_USE_CACHE_INSTANCE,
CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT
+=======
+ ASYMMETRIC_SIGNATURE_ALGORITHM, PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_SAML_ONE_TIME_USE_CACHE,
+ SAML_ONE_TIME_USE_CACHE_INSTANCE, ENABLE_STREAMING_SECURITY, RETURN_SECURITY_ERROR,
+ CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG
+>>>>>>> 417d938... Adding support for a cross-domain STS test
}));
ALL_PROPERTIES = Collections.unmodifiableSet(s);
}
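Review bot: Unresolved merge-conflict markers are committed in this hunk: `<<<<<<< HEAD`, `=======` and `>>>>>>> 417d938... Adding support for a cross-domain STS test` sit inside the Arrays.asList(...) that seeds ALL_PROPERTIES, so both versions of the constant list are present and SecurityConstants.java cannot compile. The same markers are committed in STSUtils.java in this commit — `<<<<<<< HEAD` on the first line of getClient, `=======` after the original client.configureViaEPR call, and the closing marker inside createSTSClient's setSoap12 branch — which splices the old tail of getClient into the new code. For this file the intended result appears to be the HEAD list plus PREFER_WSMEX_OVER_STS_CLIENT_CONFIG; PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_STREAMING_SECURITY and RETURN_SECURITY_ERROR appear only on the incoming side and, given the "Conflicts:" note in the commit message, may not be declared on this branch — keep only the names this file actually defines. The static initializer this hunk edits starts outside the hunk.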
http://git-wip-us.apache.org/repos/asf/cxf/blob/c5ede8a9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
index 2f418b7..e54545f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
@@ -21,6 +21,8 @@ package org.apache.cxf.ws.security.trust;
import javax.xml.namespace.QName;
+import org.w3c.dom.Element;
+
import org.apache.cxf.Bus;
import org.apache.cxf.BusException;
import org.apache.cxf.binding.BindingFactory;
@@ -30,6 +32,7 @@ import org.apache.cxf.databinding.source.SourceDataBinding;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.endpoint.EndpointException;
import org.apache.cxf.endpoint.EndpointImpl;
+import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.service.Service;
@@ -88,6 +91,7 @@ public final class STSUtils {
}
public static STSClient getClient(Message message, String type, IssuedToken itok) {
+<<<<<<< HEAD
STSClient client = (STSClient)message
.getContextualProperty(SecurityConstants.STS_CLIENT);
if (client == null) {
@@ -113,9 +117,118 @@ public final class STSUtils {
!Boolean.valueOf((String)message.getContextualProperty(
SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS));
client.configureViaEPR(epr, useEPRWSAAddrAsMEXLocation);
+=======
+ // Find out first if we have an EPR to get the STS Address (possibly via WS-MEX)
+ if (itok != null && itok.getIssuer() != null && message != null) {
+ EndpointReferenceType epr = null;
+ try {
+ epr = VersionTransformer.parseEndpointReference(itok.getIssuer());
+ } catch (JAXBException e) {
+ throw new IllegalArgumentException(e);
+ }
+
+ String mexLocation = findMEXLocation(epr);
+ // Configure via WS-MEX
+ if (mexLocation != null
+ && MessageUtils.getContextualBoolean(message,
+ SecurityConstants.PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
+ false)) {
+ // WS-MEX call. So now either get the WS-MEX specific STSClient or else create one
+ STSClient client = (STSClient)message
+ .getContextualProperty(SecurityConstants.STS_CLIENT + ".wsmex");
+ if (client == null) {
+ client = createSTSClient(message, type);
+ }
+ client.configureViaEPR(epr, false);
+ return client;
+ } else if (configureViaEPR(message, type, epr)) {
+ // Only use WS-MEX here if the pre-configured STSClient has no location/wsdllocation
+ boolean useEPRWSAAddrAsMEXLocation =
+ !Boolean.valueOf((String)message.getContextualProperty(
+ SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS));
+
+ STSClient client = (STSClient)message
+ .getContextualProperty(SecurityConstants.STS_CLIENT);
+ if (client == null) {
+ client = createSTSClient(message, type);
+ }
+ client.configureViaEPR(epr, useEPRWSAAddrAsMEXLocation);
+ return client;
+ }
+ }
+
+ // Not a WS-MEX call
+ STSClient client = (STSClient)message
+ .getContextualProperty(SecurityConstants.STS_CLIENT);
+ if (client == null) {
+ client = createSTSClient(message, type);
}
+
return client;
}
+
+ public static boolean configureViaEPR(Message message, String type, EndpointReferenceType epr) {
+ STSClient client = (STSClient)message
+ .getContextualProperty(SecurityConstants.STS_CLIENT);
+ if (epr != null && client == null) {
+ return true;
+ } else if (epr != null && client != null && client.getLocation() == null && client.getWsdlLocation() == null) {
+ return true;
+ }
+
+ return false;
+ }
+
+ private static STSClient createSTSClient(Message message, String type) {
+ if (type == null) {
+ type = "";
+ } else {
+ type = "." + type + "-client";
+ }
+ STSClient client = new STSClient(message.getExchange().get(Bus.class));
+ Endpoint ep = message.getExchange().get(Endpoint.class);
+ client.setEndpointName(ep.getEndpointInfo().getName().toString() + type);
+ client.setBeanName(ep.getEndpointInfo().getName().toString() + type);
+ if (MessageUtils.getContextualBoolean(message, SecurityConstants.STS_CLIENT_SOAP12_BINDING, false)) {
+ client.setSoap12();
+>>>>>>> 417d938... Adding support for a cross-domain STS test
+ }
+
+ return client;
+ }
+
+ public static String findMEXLocation(EndpointReferenceType ref) {
+ if (ref.getMetadata() != null && ref.getMetadata().getAny() != null) {
+ for (Object any : ref.getMetadata().getAny()) {
+ if (any instanceof Element) {
+ String addr = findMEXLocation((Element)any);
+ if (addr != null) {
+ return addr;
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+ public static String findMEXLocation(Element ref) {
+ Element el = DOMUtils.getFirstElement(ref);
+ while (el != null) {
+ if (el.getLocalName().equals("Address")
+ && VersionTransformer.isSupported(el.getNamespaceURI())
+ && "MetadataReference".equals(ref.getLocalName())) {
+ return DOMUtils.getContent(el);
+ } else {
+ String ad = findMEXLocation(el);
+ if (ad != null) {
+ return ad;
+ }
+ }
+ el = DOMUtils.getNextElement(el);
+ }
+ return null;
+ }
+
public static Endpoint createSTSEndpoint(Bus bus,
String namespace,
String transportId,
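Review bot: The new `message != null` guard at the top of the EPR block is contradicted by the fallthrough that follows it: the "Not a WS-MEX call" path calls `message.getContextualProperty(SecurityConstants.STS_CLIENT)` unconditionally, and createSTSClient dereferences `message.getExchange()` and the Endpoint it returns without a check, so a null message still ends in a NullPointerException; either drop the guard or return early from getClient. In findMEXLocation(Element), `el.getLocalName().equals("Address")` throws when the DOM was built without namespace awareness (getLocalName() is null for such nodes); write it as `"Address".equals(el.getLocalName())`, matching the `"MetadataReference".equals(ref.getLocalName())` comparison two lines below, and consider an explicit `if (ref == null) return null;` in the EndpointReferenceType overload since it is public. The `configureViaEPR(message, type, epr)` helper ignores its `type` parameter entirely. getClient's signature is in the previous hunk and the createSTSEndpoint signature at the end of this hunk continues past it.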
http://git-wip-us.apache.org/repos/asf/cxf/blob/c5ede8a9/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java
index 9b169fa..8f340f6 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java
@@ -89,7 +89,7 @@ public class CrossDomainTest extends AbstractBusClientServerTestBase {
stopAllServers();
}
- // In this test, a CXF client checks to see that the location defined on its STSClient is different
+ // In this test, a CXF client checks to see that the location defined on its STSClient is different
// from that configured in the Issuer of the IssuedToken policy supplied in the WSDL of the
// service provider. It obtains a SAML Token from the configured STS first, and then sends it in
// the security header to the second STS. The returned token is then sent to the service provider.
@@ -123,7 +123,6 @@ public class CrossDomainTest extends AbstractBusClientServerTestBase {
// The client has a configured STSClient for this + uses it to get a token from "a", and in
// turn to use the returned token to get a token from "b", to access the service.
@org.junit.Test
- @org.junit.Ignore
public void testCrossDomainMEX() throws Exception {
if (!portFree) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/c5ede8a9/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client.xml
index 838b818..9adba64 100644
--- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client.xml
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client.xml
@@ -61,6 +61,7 @@ http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/confi
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItCrossDomainMEXPort" createdFromAPI="true">
<jaxws:properties>
+ <entry key="ws-security.sts.prefer-wsmex" value="true"/>
<entry key="ws-security.sts.client">
<bean class="org.apache.cxf.ws.security.trust.STSClient">
<constructor-arg ref="cxf"/>