You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/13 14:04:51 UTC
[2/4] cxf git commit: Adding a new cxf-rt-security-saml module to
remove OpenSAML dependencies from cxf-rt-security
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
deleted file mode 100644
index 22d61cf..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
+++ /dev/null
@@ -1,242 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.claims;
-
-import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.logging.Logger;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.common.util.ClassHelper;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.security.claims.authorization.Claim;
-import org.apache.cxf.security.claims.authorization.ClaimMode;
-import org.apache.cxf.security.claims.authorization.Claims;
-import org.apache.cxf.service.Service;
-import org.apache.cxf.service.invoker.MethodDispatcher;
-import org.apache.cxf.service.model.BindingOperationInfo;
-
-
-public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
-
- private static final Logger LOG = LogUtils.getL7dLogger(ClaimsAuthorizingInterceptor.class);
-
- private static final Set<String> SKIP_METHODS;
- static {
- SKIP_METHODS = new HashSet<>();
- SKIP_METHODS.addAll(Arrays.asList(
- new String[] {"wait", "notify", "notifyAll",
- "equals", "toString", "hashCode"}));
- }
-
- private Map<String, List<ClaimBean>> claims = new HashMap<>();
- private Map<String, String> nameAliases = Collections.emptyMap();
- private Map<String, String> formatAliases = Collections.emptyMap();
-
- public ClaimsAuthorizingInterceptor() {
- super(Phase.PRE_INVOKE);
- }
-
- public void handleMessage(Message message) throws Fault {
- SecurityContext sc = message.get(SecurityContext.class);
- if (!(sc instanceof SAMLSecurityContext)) {
- throw new AccessDeniedException("Security Context is unavailable or unrecognized");
- }
-
- Method method = getTargetMethod(message);
-
- if (authorize((SAMLSecurityContext)sc, method)) {
- return;
- }
-
- throw new AccessDeniedException("Unauthorized");
- }
-
- public void setClaims(Map<String, List<ClaimBean>> claimsMap) {
- claims.putAll(claimsMap);
- }
-
- protected Method getTargetMethod(Message m) {
- BindingOperationInfo bop = m.getExchange().get(BindingOperationInfo.class);
- if (bop != null) {
- MethodDispatcher md = (MethodDispatcher)
- m.getExchange().get(Service.class).get(MethodDispatcher.class.getName());
- return md.getMethod(bop);
- }
- Method method = (Method)m.get("org.apache.cxf.resource.method");
- if (method != null) {
- return method;
- }
- throw new AccessDeniedException("Method is not available : Unauthorized");
- }
-
- protected boolean authorize(SAMLSecurityContext sc, Method method) {
- List<ClaimBean> list = claims.get(method.getName());
- org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims();
-
- for (ClaimBean claimBean : list) {
- org.apache.cxf.rt.security.claims.Claim claim = claimBean.getClaim();
- org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
- for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
- if (cl instanceof SAMLClaim
- && ((SAMLClaim)cl).getName().equals(((SAMLClaim)claim).getName())
- && ((SAMLClaim)cl).getNameFormat().equals(((SAMLClaim)claim).getNameFormat())) {
- matchingClaim = cl;
- break;
- }
- }
- if (matchingClaim == null) {
- if (claimBean.getClaimMode() == ClaimMode.STRICT) {
- return false;
- } else {
- continue;
- }
- }
- List<Object> claimValues = claim.getValues();
- List<Object> matchingClaimValues = matchingClaim.getValues();
- if (claimBean.isMatchAll()
- && !matchingClaimValues.containsAll(claimValues)) {
- return false;
- } else {
- boolean matched = false;
- for (Object value : matchingClaimValues) {
- if (claimValues.contains(value)) {
- matched = true;
- break;
- }
- }
- if (!matched) {
- return false;
- }
- }
- }
- return true;
- }
-
- public void setSecuredObject(Object object) {
- Class<?> cls = ClassHelper.getRealClass(object);
- findClaims(cls);
- if (claims.isEmpty()) {
- LOG.warning("The claims list is empty, the service object is not protected");
- }
- }
-
- protected void findClaims(Class<?> cls) {
- if (cls == null || cls == Object.class) {
- return;
- }
- List<ClaimBean> clsClaims =
- getClaims(cls.getAnnotation(Claims.class), cls.getAnnotation(Claim.class));
- for (Method m : cls.getMethods()) {
- if (SKIP_METHODS.contains(m.getName())) {
- continue;
- }
- List<ClaimBean> methodClaims =
- getClaims(m.getAnnotation(Claims.class), m.getAnnotation(Claim.class));
-
- List<ClaimBean> allClaims = new ArrayList<>(methodClaims);
- for (ClaimBean bean : clsClaims) {
- if (isClaimOverridden(bean, methodClaims)) {
- continue;
- }
- allClaims.add(bean);
- }
-
- claims.put(m.getName(), allClaims);
- }
- if (!claims.isEmpty()) {
- return;
- }
-
- findClaims(cls.getSuperclass());
-
- if (!claims.isEmpty()) {
- return;
- }
-
- for (Class<?> interfaceCls : cls.getInterfaces()) {
- findClaims(interfaceCls);
- }
- }
-
- private static boolean isClaimOverridden(ClaimBean bean, List<ClaimBean> mClaims) {
- for (ClaimBean methodBean : mClaims) {
- if (bean.getClaim().getName().equals(methodBean.getClaim().getName())
- && bean.getClaim().getNameFormat().equals(methodBean.getClaim().getNameFormat())) {
- return true;
- }
- }
- return false;
- }
-
- private List<ClaimBean> getClaims(
- Claims claimsAnn, Claim claimAnn) {
- List<ClaimBean> claimsList = new ArrayList<>();
-
- List<Claim> annClaims = new ArrayList<>();
- if (claimsAnn != null) {
- annClaims.addAll(Arrays.asList(claimsAnn.value()));
- } else if (claimAnn != null) {
- annClaims.add(claimAnn);
- }
- for (Claim ann : annClaims) {
- SAMLClaim claim = new SAMLClaim();
-
- String claimName = ann.name();
- if (nameAliases.containsKey(claimName)) {
- claimName = nameAliases.get(claimName);
- }
- String claimFormat = ann.format();
- if (formatAliases.containsKey(claimFormat)) {
- claimFormat = formatAliases.get(claimFormat);
- }
-
- claim.setName(claimName);
- claim.setNameFormat(claimFormat);
- for (String value : ann.value()) {
- claim.addValue(value);
- }
-
- claimsList.add(new ClaimBean(claim, ann.mode(), ann.matchAll()));
- }
- return claimsList;
- }
-
- public void setNameAliases(Map<String, String> nameAliases) {
- this.nameAliases = nameAliases;
- }
-
- public void setFormatAliases(Map<String, String> formatAliases) {
- this.formatAliases = formatAliases;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
deleted file mode 100644
index a76747c..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.claims;
-
-
-/**
- * This represents a Claim that is coupled to a SAML Assertion
- */
-public class SAMLClaim extends Claim {
-
- /**
- * This configuration tag specifies the default attribute name where the roles are present
- * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
- */
- public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
-
- private static final long serialVersionUID = 5530712294179589442L;
-
- private String nameFormat;
- private String name;
- private String friendlyName;
-
- public String getNameFormat() {
- return nameFormat;
- }
-
- public void setNameFormat(String nameFormat) {
- this.nameFormat = nameFormat;
- }
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getFriendlyName() {
- return friendlyName;
- }
-
- public void setFriendlyName(String friendlyName) {
- this.friendlyName = friendlyName;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
deleted file mode 100644
index 4287eb2..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.saml;
-
-import java.security.Principal;
-import java.util.Set;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.claims.ClaimsSecurityContext;
-
-public class SAMLSecurityContext implements ClaimsSecurityContext {
-
- private final Principal principal;
- private Set<Principal> roles;
- private Element assertionElement;
- private String issuer;
- private ClaimCollection claims;
-
- public SAMLSecurityContext(Principal principal) {
- this(principal, null);
- }
-
- public SAMLSecurityContext(
- Principal principal,
- Set<Principal> roles
- ) {
- this(principal, roles, null);
- }
-
- public SAMLSecurityContext(
- Principal principal,
- Set<Principal> roles,
- ClaimCollection claims
- ) {
- this.principal = principal;
- this.roles = roles;
- this.claims = claims;
- }
-
- public ClaimCollection getClaims() {
- return claims;
- }
-
- public Principal getUserPrincipal() {
- return principal;
- }
-
- public boolean isUserInRole(String role) {
- if (roles == null) {
- return false;
- }
- for (Principal principalRole : roles) {
- if (principalRole.getName().equals(role)) {
- return true;
- }
- }
- return false;
- }
-
- public javax.security.auth.Subject getSubject() {
- return null;
- }
-
- public void setUserRoles(Set<Principal> userRoles) {
- this.roles = userRoles;
- }
-
- public Set<Principal> getUserRoles() {
- return roles;
- }
-
- public void setAssertionElement(Element assertionElement) {
- this.assertionElement = assertionElement;
- }
-
- public Element getAssertionElement() {
- return assertionElement;
- }
-
- public void setIssuer(String issuer) {
- this.issuer = issuer;
- }
-
- public String getIssuer() {
- return issuer;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
deleted file mode 100644
index 8229a07..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
+++ /dev/null
@@ -1,141 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.saml;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.common.security.SimpleGroup;
-import org.apache.cxf.rt.security.claims.Claim;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.claims.SAMLClaim;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.opensaml.core.xml.XMLObject;
-import org.opensaml.saml.common.SAMLVersion;
-import org.opensaml.saml.saml2.core.Attribute;
-import org.opensaml.saml.saml2.core.AttributeStatement;
-
-public final class SAMLUtils {
-
- private SAMLUtils() {
-
- }
-
- /**
- * Extract Claims from a SAML Assertion
- */
- public static ClaimCollection getClaims(SamlAssertionWrapper assertion) {
- ClaimCollection claims = new ClaimCollection();
-
- if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
- List<AttributeStatement> statements = assertion.getSaml2().getAttributeStatements();
- for (AttributeStatement as : statements) {
- for (Attribute atr : as.getAttributes()) {
- SAMLClaim claim = new SAMLClaim();
- claim.setClaimType(URI.create(atr.getName()));
-
- claim.setName(atr.getName());
- claim.setNameFormat(atr.getNameFormat());
- claim.setFriendlyName(atr.getFriendlyName());
-
- for (XMLObject o : atr.getAttributeValues()) {
- String attrValue = o.getDOM().getTextContent();
- claim.getValues().add(attrValue);
- }
-
- claims.add(claim);
- }
- }
- } else {
- List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements =
- assertion.getSaml1().getAttributeStatements();
-
- for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
- for (org.opensaml.saml.saml1.core.Attribute atr : statement.getAttributes()) {
- SAMLClaim claim = new SAMLClaim();
-
- String claimType = atr.getAttributeName();
- if (atr.getAttributeNamespace() != null) {
- claimType = atr.getAttributeNamespace() + "/" + claimType;
- }
- claim.setClaimType(URI.create(claimType));
-
- claim.setName(atr.getAttributeName());
- claim.setNameFormat(atr.getAttributeNamespace());
-
- for (XMLObject o : atr.getAttributeValues()) {
- String attrValue = o.getDOM().getTextContent();
- claim.getValues().add(attrValue);
- }
-
- claims.add(claim);
- }
- }
- }
-
- return claims;
- }
-
- /**
- * Extract roles from the given Claims
- */
- public static Set<Principal> parseRolesFromClaims(
- ClaimCollection claims,
- String name,
- String nameFormat
- ) {
- String roleAttributeName = name;
- if (roleAttributeName == null) {
- roleAttributeName = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
- }
-
- Set<Principal> roles = new HashSet<>();
-
- for (Claim claim : claims) {
- if (claim instanceof SAMLClaim && ((SAMLClaim)claim).getName().equals(name)
- && (nameFormat == null
- || claim instanceof SAMLClaim && nameFormat.equals(((SAMLClaim)claim).getNameFormat()))) {
- for (Object claimValue : claim.getValues()) {
- if (claimValue instanceof String) {
- roles.add(new SimpleGroup((String)claimValue));
- }
- }
- if (claim.getValues().size() > 1) {
- // Don't search for other attributes with the same name if > 1 claim value
- break;
- }
- }
- }
-
- return roles;
- }
-
- public static String getIssuer(Object assertion) {
- return ((SamlAssertionWrapper)assertion).getIssuerString();
- }
-
- public static Element getAssertionElement(Object assertion) {
- return ((SamlAssertionWrapper)assertion).getElement();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
deleted file mode 100644
index fe109e5..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,170 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusType;
-
-
-/**
- * An abstract interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- *
- * This class must be subclassed to actually perform the request to the PDP.
- *
- * @deprecated: Use XACMLAuthorizingInterceptor instead
- */
-@Deprecated
-public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
-
- private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
-
- private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
-
- public AbstractXACMLAuthorizingInterceptor() {
- super(Phase.PRE_INVOKE);
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- public void handleMessage(Message message) throws Fault {
- SecurityContext sc = message.get(SecurityContext.class);
-
- if (sc instanceof LoginSecurityContext) {
- Principal principal = sc.getUserPrincipal();
-
- LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
- Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
- List<String> roles = new ArrayList<>();
- if (principalRoles != null) {
- for (Principal p : principalRoles) {
- if (p != principal) {
- roles.add(p.getName());
- }
- }
- }
-
- try {
- if (authorize(principal, roles, message)) {
- return;
- }
- } catch (Exception e) {
- LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
- throw new AccessDeniedException("Unauthorized");
- }
- } else {
- LOG.log(
- Level.FINE,
- "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
- + "is possible as a result"
- );
- }
-
- throw new AccessDeniedException("Unauthorized");
- }
-
- public XACMLRequestBuilder getRequestBuilder() {
- return requestBuilder;
- }
-
- public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
- this.requestBuilder = requestBuilder;
- }
-
- /**
- * Perform a (remote) authorization decision and return a boolean depending on the result
- */
- protected boolean authorize(
- Principal principal, List<String> roles, Message message
- ) throws Exception {
- RequestType request = requestBuilder.createRequest(principal, roles, message);
- if (LOG.isLoggable(Level.FINE)) {
- Document doc = DOMUtils.createDocument();
- Element requestElement = OpenSAMLUtil.toDom(request, doc);
- LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
- }
-
- ResponseType response = performRequest(request, message);
-
- List<ResultType> results = response.getResults();
-
- if (results == null) {
- return false;
- }
-
- for (ResultType result : results) {
- // Handle any Obligations returned by the PDP
- handleObligations(request, principal, message, result);
-
- DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
- String code = "";
- String statusMessage = "";
- if (result.getStatus() != null) {
- StatusType status = result.getStatus();
- code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
- statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
- }
- LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
- return decision == DECISION.Permit;
- }
-
- return false;
- }
-
- public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
-
- /**
- * Handle any Obligations returned by the PDP
- */
- protected void handleObligations(
- RequestType request,
- Principal principal,
- Message message,
- ResultType result
- ) throws Exception {
- // Do nothing by default
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
deleted file mode 100644
index 5da3359..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.xacml;
-
-import javax.xml.namespace.QName;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-
-public class CXFMessageParser {
- private Message message;
-
- /**
- * @param message
- */
- public CXFMessageParser(Message message) {
- this.message = message;
- }
-
- public boolean isSOAPService() {
- return getWSDLOperation() != null;
- }
-
- public QName getWSDLOperation() {
- if (message != null && message.get(Message.WSDL_OPERATION) != null) {
- return (QName)message.get(Message.WSDL_OPERATION);
- }
- return null;
- }
-
- public QName getWSDLService() {
- if (message != null && message.get(Message.WSDL_SERVICE) != null) {
- return (QName)message.get(Message.WSDL_SERVICE);
- }
- return null;
- }
-
- /**
- * @param fullRequestURL Whether to send the full Request URL as the resource or not. If set to true, the
- * full Request URL will be sent for both a JAX-WS and JAX-RS service. If set to false (the
- * default), a JAX-WS service will send the "{namespace}operation" QName, and a JAX-RS service
- * will send the RequestURI (i.e. minus the initial https:<ip> prefix)
- */
- public String getResourceURI(boolean fullRequestURL) {
- String property = fullRequestURL ? Message.REQUEST_URL : Message.REQUEST_URI;
- if (message != null && message.get(property) != null) {
- return (String)message.get(property);
- }
- return null;
- }
-
- public String getAction(String defaultSOAPAction) {
- String actionToUse = defaultSOAPAction;
- // For REST use the HTTP Verb
- if (message.get(Message.WSDL_OPERATION) == null && message.get(Message.HTTP_REQUEST_METHOD) != null) {
- actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD);
- }
- return actionToUse;
- }
-
- /**
- * Get the Issuer of the SAML Assertion
- */
- public String getIssuer() throws WSSecurityException {
- SecurityContext sc = message.get(SecurityContext.class);
-
- if (sc instanceof SAMLSecurityContext) {
- Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
- if (assertionElement != null) {
- SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertionElement);
- return wrapper.getIssuerString();
- }
- }
-
- return null;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
deleted file mode 100644
index c2bb40b..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
+++ /dev/null
@@ -1,217 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.joda.time.DateTime;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
- * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
- * and the list of roles associated with that principal are inserted as Subject roles. The action
- * to send defaults to "execute".
- *
- * For a SOAP Service, the resource-id Attribute refers to the
- * "{serviceNamespace}serviceName#{operationNamespace}operationName" String (shortened to
- * "{serviceNamespace}serviceName#operationName" if the namespaces are identical). The
- * "{serviceNamespace}serviceName", "{operationNamespace}operationName" and resource URI are also
- * sent to simplify processing at the PDP side.
- *
- * For a REST service the request URL is the resource. You can also configure the ability to
- * send the truncated request URI instead for a SOAP or REST service. The current DateTime is
- * also sent in an Environment, however this can be disabled via configuration.
- */
-public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
-
- private boolean sendDateTime = true;
- private String action = "execute";
- private boolean sendFullRequestURL = true;
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- */
- public RequestType createRequest(Principal principal, List<String> roles, Message message)
- throws Exception {
- CXFMessageParser messageParser = new CXFMessageParser(message);
- String issuer = messageParser.getIssuer();
-
- String actionToUse = messageParser.getAction(action);
-
- SubjectType subjectType = createSubjectType(principal, roles, issuer);
- ResourceType resourceType = createResourceType(messageParser);
- AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
- null, actionToUse);
- ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
-
- return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
- Collections.singletonList(resourceType),
- actionType,
- createEnvironmentType());
- }
-
- private ResourceType createResourceType(CXFMessageParser messageParser) {
- List<AttributeType> attributes = new ArrayList<>();
-
- // Resource-id
- String resourceId = null;
- boolean isSoapService = messageParser.isSOAPService();
- if (isSoapService) {
- QName serviceName = messageParser.getWSDLService();
- QName operationName = messageParser.getWSDLOperation();
-
- if (serviceName != null) {
- resourceId = serviceName.toString() + "#";
- if (serviceName.getNamespaceURI() != null
- && serviceName.getNamespaceURI().equals(operationName.getNamespaceURI())) {
- resourceId += operationName.getLocalPart();
- } else {
- resourceId += operationName.toString();
- }
- } else {
- resourceId = operationName.toString();
- }
- } else {
- resourceId = messageParser.getResourceURI(sendFullRequestURL);
- }
-
- attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
- resourceId));
-
- if (isSoapService) {
- // WSDL Service
- QName wsdlService = messageParser.getWSDLService();
- if (wsdlService != null) {
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_SERVICE_ID, XACMLConstants.XS_STRING, null,
- wsdlService.toString()));
- }
-
- // WSDL Operation
- QName wsdlOperation = messageParser.getWSDLOperation();
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_OPERATION_ID, XACMLConstants.XS_STRING, null,
- wsdlOperation.toString()));
-
- // WSDL Endpoint
- String endpointURI = messageParser.getResourceURI(sendFullRequestURL);
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_ENDPOINT, XACMLConstants.XS_STRING, null,
- endpointURI));
- }
-
- return RequestComponentBuilder.createResourceType(attributes, null);
- }
-
- private EnvironmentType createEnvironmentType() {
- if (sendDateTime) {
- List<AttributeType> attributes = new ArrayList<>();
- AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
- XACMLConstants.XS_DATETIME, null,
- new DateTime().toString());
- attributes.add(environmentAttribute);
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- List<AttributeType> attributes = Collections.emptyList();
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- private SubjectType createSubjectType(Principal principal, List<String> roles, String issuer) {
- List<AttributeType> attributes = new ArrayList<>();
- attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
- principal.getName()));
-
- if (roles != null) {
- List<AttributeValueType> roleAttributes = new ArrayList<>();
- for (String role : roles) {
- if (role != null) {
- AttributeValueType subjectRoleAttributeValue =
- RequestComponentBuilder.createAttributeValueType(role);
- roleAttributes.add(subjectRoleAttributeValue);
- }
- }
-
- if (!roleAttributes.isEmpty()) {
- AttributeType subjectRoleAttribute =
- createAttribute(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- issuer,
- roleAttributes
- );
- attributes.add(subjectRoleAttribute);
- }
- }
-
- return RequestComponentBuilder.createSubjectType(attributes, null);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, List<AttributeValueType> values) {
- return RequestComponentBuilder.createAttributeType(id, type, issuer, values);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, String value) {
- return createAttribute(id, type, issuer,
- Collections.singletonList(RequestComponentBuilder.createAttributeValueType(value)));
- }
-
- /**
- * Set a new Action String to use
- */
- public void setAction(String action) {
- this.action = action;
- }
-
- public void setSendDateTime(boolean sendDateTime) {
- this.sendDateTime = sendDateTime;
- }
-
- /**
- * Whether to send the full Request URL as the resource or not. If set to true,
- * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
- * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
- * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
- */
- public void setSendFullRequestURL(boolean sendFullRequestURL) {
- this.sendFullRequestURL = sendFullRequestURL;
- }
-
- @Override
- public List<String> getResources(Message message) {
- throw new IllegalAccessError("Deprecated");
- }
-
- @Override
- public String getResource(Message message) {
- throw new IllegalAccessError("Deprecated");
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
deleted file mode 100644
index 1086364..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.List;
-
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceContentType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * A set of utility methods to construct XACML 2.0 Request statements
- */
-public final class RequestComponentBuilder {
- private static volatile XACMLObjectBuilder<AttributeValueType> attributeValueTypeBuilder;
-
- private static volatile XACMLObjectBuilder<AttributeType> attributeTypeBuilder;
-
- private static volatile XACMLObjectBuilder<SubjectType> subjectTypeBuilder;
-
- private static volatile XACMLObjectBuilder<ResourceType> resourceTypeBuilder;
-
- private static volatile XACMLObjectBuilder<ActionType> actionTypeBuilder;
-
- private static volatile XACMLObjectBuilder<EnvironmentType> environmentTypeBuilder;
-
- private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder;
-
- private static volatile XMLObjectBuilderFactory builderFactory =
- XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- private RequestComponentBuilder() {
- // complete
- }
-
- @SuppressWarnings("unchecked")
- public static AttributeValueType createAttributeValueType(
- String value
- ) {
- if (attributeValueTypeBuilder == null) {
- attributeValueTypeBuilder = (XACMLObjectBuilder<AttributeValueType>)
- builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
- }
- AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
- attributeValue.setValue(value);
-
- return attributeValue;
- }
-
- @SuppressWarnings("unchecked")
- public static AttributeType createAttributeType(
- String attributeId,
- String dataType,
- String issuer,
- List<AttributeValueType> attributeValues
- ) {
- if (attributeTypeBuilder == null) {
- attributeTypeBuilder = (XACMLObjectBuilder<AttributeType>)
- builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
- }
- AttributeType attributeType = attributeTypeBuilder.buildObject();
- attributeType.setAttributeID(attributeId);
- attributeType.setDataType(dataType);
- attributeType.setIssuer(issuer);
- attributeType.getAttributeValues().addAll(attributeValues);
-
- return attributeType;
- }
-
- @SuppressWarnings("unchecked")
- public static SubjectType createSubjectType(
- List<AttributeType> attributes,
- String subjectCategory
- ) {
- if (subjectTypeBuilder == null) {
- subjectTypeBuilder = (XACMLObjectBuilder<SubjectType>)
- builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
- }
- SubjectType subject = subjectTypeBuilder.buildObject();
- if (attributes != null) {
- subject.getAttributes().addAll(attributes);
- }
- subject.setSubjectCategory(subjectCategory);
-
- return subject;
- }
-
- @SuppressWarnings("unchecked")
- public static ResourceType createResourceType(
- List<AttributeType> attributes,
- ResourceContentType resourceContent
- ) {
- if (resourceTypeBuilder == null) {
- resourceTypeBuilder = (XACMLObjectBuilder<ResourceType>)
- builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
- }
- ResourceType resource = resourceTypeBuilder.buildObject();
- if (attributes != null) {
- resource.getAttributes().addAll(attributes);
- }
- resource.setResourceContent(resourceContent);
-
- return resource;
- }
-
- @SuppressWarnings("unchecked")
- public static ActionType createActionType(
- List<AttributeType> attributes
- ) {
- if (actionTypeBuilder == null) {
- actionTypeBuilder = (XACMLObjectBuilder<ActionType>)
- builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
- }
- ActionType action = actionTypeBuilder.buildObject();
- if (attributes != null) {
- action.getAttributes().addAll(attributes);
- }
-
- return action;
- }
-
- @SuppressWarnings("unchecked")
- public static EnvironmentType createEnvironmentType(
- List<AttributeType> attributes
- ) {
- if (environmentTypeBuilder == null) {
- environmentTypeBuilder = (XACMLObjectBuilder<EnvironmentType>)
- builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
- }
- EnvironmentType enviroment = environmentTypeBuilder.buildObject();
- if (attributes != null) {
- enviroment.getAttributes().addAll(attributes);
- }
-
- return enviroment;
- }
-
- @SuppressWarnings("unchecked")
- public static RequestType createRequestType(
- List<SubjectType> subjects,
- List<ResourceType> resources,
- ActionType action,
- EnvironmentType environment
- ) {
- if (requestTypeBuilder == null) {
- requestTypeBuilder = (XACMLObjectBuilder<RequestType>)
- builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
- }
- RequestType request = requestTypeBuilder.buildObject();
- request.getSubjects().addAll(subjects);
- request.getResources().addAll(resources);
- request.setAction(action);
- request.setEnvironment(environment);
-
- return request;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
deleted file mode 100644
index 353815c..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.UUID;
-
-import org.joda.time.DateTime;
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.saml.common.SAMLObjectBuilder;
-import org.opensaml.saml.common.SAMLVersion;
-import org.opensaml.saml.saml2.core.Issuer;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
-import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
-
-/**
- * A set of utility methods to construct XACML SAML Request statements, based on the
- * SAML 2.0 profile of XACML v2.0 specification.
- */
-public final class SamlRequestComponentBuilder {
- private static volatile XACMLObjectBuilder<XACMLAuthzDecisionQueryType> xacmlAuthzDecisionQueryTypeBuilder;
-
- private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
-
- private static volatile XMLObjectBuilderFactory builderFactory =
- XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- private SamlRequestComponentBuilder() {
- // complete
- }
-
- /**
- * Create an AuthzDecisionQuery using the defaults
- */
- public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
- String issuerValue,
- RequestType request,
- String namespace
- ) {
- return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
- }
-
- @SuppressWarnings("unchecked")
- public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
- boolean inputContextOnly,
- boolean returnContext,
- String issuerValue,
- RequestType request,
- String namespace
- ) {
- if (xacmlAuthzDecisionQueryTypeBuilder == null) {
- xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>)
- builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
- }
- XACMLAuthzDecisionQueryType authzQuery =
- xacmlAuthzDecisionQueryTypeBuilder.buildObject(
- namespace,
- XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
- SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
- );
- authzQuery.setID("_" + UUID.randomUUID().toString());
- authzQuery.setVersion(SAMLVersion.VERSION_20);
- authzQuery.setIssueInstant(new DateTime());
- authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
- authzQuery.setReturnContext(Boolean.valueOf(returnContext));
-
- if (issuerValue != null) {
- Issuer issuer = createIssuer(issuerValue);
- authzQuery.setIssuer(issuer);
- }
-
- authzQuery.setRequest(request);
-
- return authzQuery;
- }
-
-
- /**
- * Create an Issuer object
- *
- * @param issuerValue of type String
- * @return an Issuer object
- */
- @SuppressWarnings("unchecked")
- public static Issuer createIssuer(String issuerValue) {
- if (issuerBuilder == null) {
- issuerBuilder = (SAMLObjectBuilder<Issuer>)
- builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
-
- }
- Issuer issuer = issuerBuilder.buildObject();
- //
- // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD
- // be unambiguous to the intended relying parties.
- issuer.setValue(issuerValue);
- return issuer;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
deleted file mode 100644
index 2194908..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-
-/**
- * An interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- */
-@SuppressWarnings("deprecation")
-public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
- private PolicyDecisionPoint pdp;
-
- public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
- super();
- this.pdp = pdp;
- }
-
- @Override
- public ResponseType performRequest(RequestType request, Message message) throws Exception {
- Source requestSource = requestType2Source(request);
- Source responseSource = this.pdp.evaluate(requestSource);
- return responseSourceToResponseType(responseSource);
- }
-
- private Source requestType2Source(RequestType request) {
- Document doc = DOMUtils.createDocument();
- Element requestElement;
- try {
- requestElement = OpenSAMLUtil.toDom(request, doc);
- } catch (WSSecurityException e) {
- throw new RuntimeException("Error converting PDP RequestType to Dom", e);
- }
- return new DOMSource(requestElement);
- }
-
- private ResponseType responseSourceToResponseType(Source responseSource) {
- try {
- Transformer trans = TransformerFactory.newInstance().newTransformer();
- DOMResult res = new DOMResult();
- trans.transform(responseSource, res);
- Node nd = res.getNode();
- if (nd instanceof Document) {
- nd = ((Document)nd).getDocumentElement();
- }
- return (ResponseType)OpenSAMLUtil.fromDom((Element)nd);
- } catch (Exception e) {
- throw new RuntimeException("Error converting pdp response to ResponseType", e);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
deleted file mode 100644
index 3480d8b..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
+++ /dev/null
@@ -1,206 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-
-
-/**
- * XACML 1.x and 2.0 Constants.
- */
-public final class XACMLConstants {
-
- //
- // Attributes
- //
-
- public static final String CURRENT_TIME =
- "urn:oasis:names:tc:xacml:1.0:environment:current-time";
- public static final String CURRENT_DATE =
- "urn:oasis:names:tc:xacml:1.0:environment:current-date";
- public static final String CURRENT_DATETIME =
- "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime";
-
- //
- // Identifiers
- //
-
- public static final String SUBJECT_DNS_NAME =
- "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name";
- public static final String SUBJECT_IP_ADDR =
- "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address";
- public static final String SUBJECT_AUTHN_METHOD =
- "urn:oasis:names:tc:xacml:1.0:subject:authentication-method";
- public static final String SUBJECT_AUTHN_TIME =
- "urn:oasis:names:tc:xacml:1.0:subject:authentication-time";
- public static final String SUBJECT_KEY_INFO =
- "urn:oasis:names:tc:xacml:1.0:subject:key-info";
- public static final String SUBJECT_REQ_TIME =
- "urn:oasis:names:tc:xacml:1.0:subject:request-time";
- public static final String SUBJECT_START_TIME =
- "urn:oasis:names:tc:xacml:1.0:subject:session-start-time";
- public static final String SUBJECT_ID =
- "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
- public static final String SUBJECT_ID_QUALIFIER =
- "urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier";
- public static final String SUBJECT_CAT_ACCESS_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
- public static final String SUBJECT_CAT_CODEBASE =
- "urn:oasis:names:tc:xacml:1.0:subject-category:codebase";
- public static final String SUBJECT_CAT_INTERMED_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject";
- public static final String SUBJECT_CAT_REC_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject";
- public static final String SUBJECT_CAT_REQ_MACHINE =
- "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine";
- public static final String RESOURCE_LOC =
- "urn:oasis:names:tc:xacml:1.0:resource:resource-location";
- public static final String RESOURCE_ID =
- "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
-
- // Non-standard (CXF-specific) tags for sending information about SOAP services to the PDP
- public static final String RESOURCE_WSDL_OPERATION_ID =
- "urn:cxf:apache:org:wsdl:operation-id";
- public static final String RESOURCE_WSDL_SERVICE_ID =
- "urn:cxf:apache:org:wsdl:service-id";
- public static final String RESOURCE_WSDL_ENDPOINT =
- "urn:cxf:apache:org:wsdl:endpoint";
-
- public static final String RESOURCE_FILE_NAME =
- "urn:oasis:names:tc:xacml:1.0:resource:simple-file-name";
- public static final String ACTION_ID =
- "urn:oasis:names:tc:xacml:1.0:action:action-id";
- public static final String ACTION_IMPLIED =
- "urn:oasis:names:tc:xacml:1.0:action:implied-action";
- public static final String SUBJECT_ROLE =
- "urn:oasis:names:tc:xacml:2.0:subject:role";
-
-
- //
- // Datatypes
- //
-
- public static final String XS_STRING =
- "http://www.w3.org/2001/XMLSchema#string";
- public static final String XS_BOOLEAN =
- "http://www.w3.org/2001/XMLSchema#boolean";
- public static final String XS_INT =
- "http://www.w3.org/2001/XMLSchema#integer";
- public static final String XS_DOUBLE =
- "http://www.w3.org/2001/XMLSchema#double";
- public static final String XS_TIME =
- "http://www.w3.org/2001/XMLSchema#time";
- public static final String XS_DATE =
- "http://www.w3.org/2001/XMLSchema#date";
- public static final String XS_DATETIME =
- "http://www.w3.org/2001/XMLSchema#dateTime";
- public static final String XS_ANY_URI =
- "http://www.w3.org/2001/XMLSchema#anyURI";
- public static final String XS_HEX =
- "http://www.w3.org/2001/XMLSchema#hexBinary";
- public static final String XS_BASE64 =
- "http://www.w3.org/2001/XMLSchema#base64Binary";
- public static final String RFC_822_NAME =
- "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name";
- public static final String X500_NAME =
- "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
-
- //
- // Functions
- //
- public static final String FUNC_STRING_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:string-equal";
- public static final String FUNC_BOOL_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:boolean-equal";
- public static final String FUNC_INT_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:integer-equal";
- public static final String FUNC_DOUBLE_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:double-equal";
- public static final String FUNC_DATE_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:date-equal";
- public static final String FUNC_TIME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:time-equal";
- public static final String FUNC_DATETIME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-equal";
- public static final String FUNC_ANY_URI_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal";
- public static final String FUNC_X500_NAME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:x500Name-equal";
- public static final String FUNC_RFC_822_NAME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal";
- public static final String FUNC_HEX_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal";
- public static final String FUNC_BASE64_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal";
-
- public static final String FUNC_INT_GT =
- "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than";
- public static final String FUNC_INT_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal";
- public static final String FUNC_INT_LT =
- "urn:oasis:names:tc:xacml:1.0:function:integer-less-than";
- public static final String FUNC_INT_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal";
- public static final String FUNC_DOUBLE_GT =
- "urn:oasis:names:tc:xacml:1.0:function:double-greater-than";
- public static final String FUNC_DOUBLE_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal";
- public static final String FUNC_DOUBLE_LT =
- "urn:oasis:names:tc:xacml:1.0:function:double-less-than";
- public static final String FUNC_DOUBLE_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal";
-
- public static final String FUNC_STRING_GT =
- "urn:oasis:names:tc:xacml:1.0:function:string-greater-than";
- public static final String FUNC_STRING_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal";
- public static final String FUNC_STRING_LT =
- "urn:oasis:names:tc:xacml:1.0:function:string-less-than";
- public static final String FUNC_STRING_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal";
- public static final String FUNC_TIME_GT =
- "urn:oasis:names:tc:xacml:1.0:function:time-greater-than";
- public static final String FUNC_TIME_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal";
- public static final String FUNC_TIME_LT =
- "urn:oasis:names:tc:xacml:1.0:function:time-less-than";
- public static final String FUNC_TIME_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal";
- public static final String FUNC_DATETIME_GT =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than";
- public static final String FUNC_DATETIME_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal";
- public static final String FUNC_DATETIME_LT =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than";
- public static final String FUNC_DATETIME_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal";
- public static final String FUNC_DATE_GT =
- "urn:oasis:names:tc:xacml:1.0:function:date-greater-than";
- public static final String FUNC_DATE_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal";
- public static final String FUNC_DATE_LT =
- "urn:oasis:names:tc:xacml:1.0:function:date-less-than";
- public static final String FUNC_DATE_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal";
-
-
- private XACMLConstants() {
- // complete
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
deleted file mode 100644
index f3a1e6e..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.List;
-
-import org.apache.cxf.message.Message;
-import org.opensaml.xacml.ctx.RequestType;
-
-
-/**
- * This interface defines a way to create an XACML Request.
- */
-public interface XACMLRequestBuilder {
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- *
- * @param principal The principal to insert into the Subject of the Request
- * @param roles The list of roles associated with the principal
- * @param message The Message from which to retrieve the resource
- * @return An OpenSAML RequestType object
- * @throws Exception
- */
- RequestType createRequest(Principal principal, List<String> roles, Message message) throws Exception;
-
- /**
- * Return the list of Resources that have been inserted into the Request.
- *
- * @param message The Message from which to retrieve the resource
- * @return the list of Resources that have been inserted into the Request
- */
- @Deprecated
- List<String> getResources(Message message);
-
- /**
- * Return the Resource that has been inserted into the Request.
- *
- * @param message The Message from which to retrieve the resource
- * @return the Resource that has been inserted into the Request
- */
- @Deprecated
- String getResource(Message message);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
deleted file mode 100644
index c23272f..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.xacml.pdp.api;
-
-import javax.xml.transform.Source;
-
-/**
- * An interface that describes a PolicyDecisionPoint (PDP).
- */
-public interface PolicyDecisionPoint {
-
- /**
- * Evaluate an XACML Request and return a Response
- * @param request an XACML Request as a Source
- * @return the XACML Response as a Source
- */
- Source evaluate(Source request);
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
deleted file mode 100644
index 4d9e11d..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
+++ /dev/null
@@ -1,295 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.claims;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Set;
-
-import org.apache.cxf.common.security.SimplePrincipal;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
-import org.apache.cxf.message.ExchangeImpl;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.security.claims.authorization.Claim;
-import org.apache.cxf.security.claims.authorization.ClaimMode;
-import org.apache.cxf.security.claims.authorization.Claims;
-import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-
-
-public class ClaimsAuthorizingInterceptorTest extends Assert {
-
- private ClaimsAuthorizingInterceptor interceptor;
-
- @Before
- public void setUp() {
- interceptor = new ClaimsAuthorizingInterceptor();
- interceptor.setNameAliases(
- Collections.singletonMap("authentication", "http://authentication"));
- interceptor.setFormatAliases(
- Collections.singletonMap("claims", "http://claims"));
- interceptor.setSecuredObject(new TestService());
-
- }
-
- @Test
- public void testClaimDefaultNameAndFormat() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("user"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testClaimMatchAll() throws Exception {
- doTestClaims("claimMatchAll",
- createDefaultClaim("admin", "manager"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimMatchAll",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"));
- doTestClaims("claimMatchAll",
- createDefaultClaim("manager"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testMissingExpectedClaim() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testExtraNonExpectedClaim() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"),
- createClaim("http://extra/claims", "http://claims", "claim"));
- }
-
- @Test
- public void testClaimSpecificNameAndFormat() throws Exception {
- doTestClaims("claimWithSpecificNameAndFormat",
- createClaim("http://cxf/roles", "http://claims", "admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithSpecificNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testClaimLaxMode() throws Exception {
- doTestClaims("claimLaxMode",
- createClaim("http://authentication", "http://claims", "password"));
- doTestClaims("claimLaxMode");
- try {
- doTestClaims("claimLaxMode",
- createClaim("http://authentication", "http://claims", "smartcard"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testMultipleClaims() throws Exception {
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "smartcard"),
- createClaim("http://location", "http://claims", "UK"));
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"),
- createClaim("http://location", "http://claims", "USA"));
- try {
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "unsecuretransport"),
- createClaim("http://location", "http://claims", "UK"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testUserInRoleAndClaims() throws Exception {
- SecureAnnotationsInterceptor in = new SecureAnnotationsInterceptor();
- in.setAnnotationClassName(SecureRole.class.getName());
- in.setSecuredObject(new TestService2());
-
- Message m = prepareMessage(TestService2.class, "test",
- createDefaultClaim("admin"),
- createClaim("a", "b", "c"));
-
- in.handleMessage(m);
-
- ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
- org.apache.cxf.rt.security.claims.SAMLClaim claim =
- new org.apache.cxf.rt.security.claims.SAMLClaim();
- claim.setNameFormat("a");
- claim.setName("b");
- claim.addValue("c");
- in2.setClaims(Collections.singletonMap("test",
- Collections.singletonList(
- new ClaimBean(claim))));
- in2.handleMessage(m);
-
- try {
- in.handleMessage(prepareMessage(TestService2.class, "test",
- createDefaultClaim("user")));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
-
- private void doTestClaims(String methodName,
- org.apache.cxf.rt.security.claims.Claim... claim)
- throws Exception {
- Message m = prepareMessage(TestService.class, methodName, claim);
- interceptor.handleMessage(m);
- }
-
- private Message prepareMessage(Class<?> cls,
- String methodName,
- org.apache.cxf.rt.security.claims.Claim... claim)
- throws Exception {
- ClaimCollection claims = new ClaimCollection();
- claims.addAll(Arrays.asList(claim));
-
- Set<Principal> roles =
- SAMLUtils.parseRolesFromClaims(claims, SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
-
- SecurityContext sc = new SAMLSecurityContext(new SimplePrincipal("user"), roles, claims);
- Message m = new MessageImpl();
- m.setExchange(new ExchangeImpl());
- m.put(SecurityContext.class, sc);
- m.put("org.apache.cxf.resource.method",
- cls.getMethod(methodName, new Class[]{}));
- return m;
- }
-
- private org.apache.cxf.rt.security.claims.Claim createDefaultClaim(
- Object... values) {
- return createClaim(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED,
- values);
- }
-
- private org.apache.cxf.rt.security.claims.Claim createClaim(
- String name, String format, Object... values) {
- SAMLClaim claim = new SAMLClaim();
- claim.setName(name);
- claim.setNameFormat(format);
- claim.setValues(Arrays.asList(values));
- return claim;
- }
-
- @Claim(name = "authentication", format = "claims",
- value = "password")
- public static class TestService {
- // default name and format are used
- @Claim({"admin", "manager" })
- public void claimWithDefaultNameAndFormat() {
-
- }
-
- // explicit name and format
- @Claim(name = "http://cxf/roles", format = "http://claims",
- value = {"admin", "manager" })
- public void claimWithSpecificNameAndFormat() {
-
- }
-
- @Claim(name = "http://authentication", format = "http://claims",
- value = "password", mode = ClaimMode.LAX)
- public void claimLaxMode() {
-
- }
-
- @Claims({
- @Claim(name = "http://location", format = "http://claims",
- value = {"UK", "USA" }),
- @Claim(value = {"admin", "manager" }),
- @Claim(name = "authentication", format = "claims",
- value = {"password", "smartcard" })
- })
- public void multipleClaims() {
-
- }
-
- // user must have both admin and manager roles, default is 'or'
- @Claim(value = {"admin", "manager" },
- matchAll = true)
- public void claimMatchAll() {
-
- }
- }
- public static class TestService2 {
- @SecureRole("admin")
- public void test() {
-
- }
- }
- @Target(ElementType.METHOD)
- @Retention(RetentionPolicy.RUNTIME)
- public @interface SecureRole {
- String[] value();
- }
-}