Posted to commits@cxf.apache.org by co...@apache.org on 2018/03/02 15:11:21 UTC

[cxf] 01/03: CXF-7665 - Provide an easy way to set the TLSClientParameters on the STSClient client object

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit e8fbd046e6934f304c71a43a6ee6a72b78f9912a
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Mar 2 14:03:17 2018 +0000

    CXF-7665 - Provide an easy way to set the TLSClientParameters on the STSClient client object
    
    (cherry picked from commit e98c13a3d2be90061634a8dd6000918ec284f98b)
    
    # Conflicts:
    #	rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
    #	services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
---
 .../SecureConversationOutInterceptor.java          |  3 +-
 .../cxf/ws/security/trust/AbstractSTSClient.java   | 14 ++++
 .../sts/transport/TransportBindingTest.java        | 77 +++++++++++++++++++++-
 .../apache/cxf/systest/ws/wssc/WSSCUnitTest.java   | 54 +++++++++++++++
 4 files changed, 145 insertions(+), 3 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
index f8ac847..c80b8f2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
@@ -191,11 +191,10 @@ class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMess
                 String s = SecureConversationTokenInterceptorProvider
                     .setupClient(client, message, aim, itok, false);
 
-                SecurityToken tok = null;
                 if (maps != null) {
                     client.setAddressingNamespace(maps.getNamespaceURI());
                 }
-                tok = client.requestSecurityToken(s);
+                SecurityToken tok = client.requestSecurityToken(s);
                 String tokenType = tok.getTokenType();
                 tok.setTokenType(tokenType);
                 if (tokenType == null || "".equals(tokenType)) {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index 6ac5a8b..bc7a55e 100755
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -60,6 +60,7 @@ import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.ModCountCopyOnWriteArrayList;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.configuration.Configurable;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.databinding.source.SourceDataBinding;
 import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.endpoint.ClientImpl;
@@ -86,6 +87,7 @@ import org.apache.cxf.service.model.ServiceInfo;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
 import org.apache.cxf.transport.Conduit;
+import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.cxf.ws.addressing.EndpointReferenceType;
 import org.apache.cxf.ws.addressing.EndpointReferenceUtils;
 import org.apache.cxf.ws.addressing.VersionTransformer;
@@ -201,6 +203,8 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
     protected List<Interceptor<? extends Message>> inFault = new ModCountCopyOnWriteArrayList<>();
     protected List<Feature> features;
 
+    protected TLSClientParameters tlsClientParameters;
+
     public AbstractSTSClient(Bus b) {
         bus = b;
     }
@@ -237,6 +241,10 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
         this.sendRenewing = sendRenewing;
     }
     
+    public void setTlsClientParameters(TLSClientParameters tlsClientParameters) {
+        this.tlsClientParameters = tlsClientParameters;
+    }
+
     /**
      * Sets the WS-P policy that is applied to communications between this client and the remote server
      * if no value is supplied for {@link #setWsdlLocation(String)}.
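Review bot: The new `setTlsClientParameters` setter in this hunk carries no Javadoc, while the neighbouring `setPolicy` setter whose comment starts right below it is documented. From the later hunk in this file the field appears to be read only when the underlying `Client` is built and its conduit configured, so a caller who invokes the setter after the client already exists would presumably see no effect; that ordering constraint is exactly what a user of the "easy way" needs to know. Suggested Javadoc: `/** Sets the TLS parameters applied to the underlying HTTPConduit when the STS client is created. Call this before the client is built; setting it afterwards has no effect. */`.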
@@ -677,6 +685,12 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
         client.getInInterceptors().addAll(in);
         client.getOutInterceptors().addAll(out);
         client.getOutFaultInterceptors().addAll(outFault);
+
+        if (tlsClientParameters != null) {
+            HTTPConduit http = (HTTPConduit) client.getConduit();
+            http.setTlsClientParameters(tlsClientParameters);
+        }
+
         in = null;
         out = null;
         inFault = null;
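Review bot: The cast `(HTTPConduit) client.getConduit()` in the added block is unguarded, so an STS endpoint reached over a non-HTTP transport fails with a bare ClassCastException, and a null conduit with an NPE, neither of which tells the user that their TLS configuration is the cause. Since the parameters usually carry the trust and key managers, they should never be dropped silently either; an `instanceof` check that throws an IllegalStateException naming the actual conduit type makes the failure explicit. `Conduit` is already imported in this file. The enclosing method starts and ends outside the hunk.
```java
        if (tlsClientParameters != null) {
            Conduit conduit = client.getConduit();
            if (!(conduit instanceof HTTPConduit)) {
                throw new IllegalStateException(
                    "TLSClientParameters were configured but the STS conduit is not an HTTPConduit: "
                    + String.valueOf(conduit));
            }
            ((HTTPConduit) conduit).setTlsClientParameters(tlsClientParameters);
        }
        // … unchanged: in = null; out = null; inFault = null; …
```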
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
index 92a170e..b364004 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
@@ -18,12 +18,16 @@
  */
 package org.apache.cxf.systest.sts.transport;
 
+import java.io.InputStream;
 import java.net.URL;
+import java.security.KeyStore;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -38,7 +42,10 @@ import org.w3c.dom.Element;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.jaxws.DispatchImpl;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
 import org.apache.cxf.systest.sts.common.TestParam;
@@ -46,6 +53,7 @@ import org.apache.cxf.systest.sts.common.TokenTestUtils;
 import org.apache.cxf.systest.sts.deployment.STSServer;
 import org.apache.cxf.systest.sts.deployment.StaxSTSServer;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.wss4j.dom.WSConstants;
@@ -180,7 +188,74 @@ public class TransportBindingTest extends AbstractBusClientServerTestBase {
         ((java.io.Closeable)transportSaml2Port).close();
         bus.shutdown(true);
     }
-    
+
+    @org.junit.Test
+    public void testSAML2ViaCode() throws Exception {
+
+        URL wsdl = TransportBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
+        DoubleItPortType transportSaml2Port =
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml2Port, test.getPort());
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(transportSaml2Port);
+        }
+
+        // TLS configuration
+        TrustManagerFactory tmf =
+            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        KeyManagerFactory kmf =
+            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        final KeyStore ts = KeyStore.getInstance("JKS");
+        try (InputStream trustStore =
+            ClassLoaderUtils.getResourceAsStream("keys/clientstore.jks", TransportBindingTest.class)) {
+            ts.load(trustStore, "cspass".toCharArray());
+        }
+        tmf.init(ts);
+        kmf.init(ts, "ckpass".toCharArray());
+
+        TLSClientParameters tlsParams = new TLSClientParameters();
+        tlsParams.setTrustManagers(tmf.getTrustManagers());
+        tlsParams.setKeyManagers(kmf.getKeyManagers());
+        tlsParams.setDisableCNCheck(true);
+
+        Client client = ClientProxy.getClient(transportSaml2Port);
+        HTTPConduit http = (HTTPConduit) client.getConduit();
+        http.setTlsClientParameters(tlsParams);
+
+        // STSClient configuration
+        Bus clientBus = BusFactory.newInstance().createBus();
+        STSClient stsClient = new STSClient(clientBus);
+
+        // Use a local WSDL or else we run into problems retrieving the WSDL over HTTPS
+        // due to lack of TLS config when creating the client
+        URL stsWsdl = TransportBindingTest.class.getResource("../deployment/ws-trust-1.4-service.wsdl");
+        stsClient.setWsdlLocation(stsWsdl.toString());
+        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
+        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+
+        Map<String, Object> props = new HashMap<>();
+        props.put("security.username", "alice");
+        props.put("security.callback-handler", "org.apache.cxf.systest.sts.common.CommonCallbackHandler");
+        props.put("security.sts.token.username", "myclientkey");
+        props.put("security.sts.token.properties", "clientKeystore.properties");
+        props.put("security.sts.token.usecert", "false");
+        stsClient.setProperties(props);
+
+        ((BindingProvider)transportSaml2Port).getRequestContext().put("security.sts.client", stsClient);
+
+        // Update ports + HTTPS configuration for the STSClient
+        updateAddressPort(stsClient.getClient(), test.getStsPort());
+        ((HTTPConduit) stsClient.getClient().getConduit()).setTlsClientParameters(tlsParams);
+
+        doubleIt(transportSaml2Port, 25);
+
+        ((java.io.Closeable)transportSaml2Port).close();
+        clientBus.shutdown(true);
+    }
+
     /**
      * In this test-case, the client sends another cert to the STS for inclusion in the
      * SAML Assertion and connects via 2-way TLS as normal to the service provider. The
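Review bot: The new test configures TLS on the STSClient by casting its conduit directly at `((HTTPConduit) stsClient.getClient().getConduit()).setTlsClientParameters(tlsParams);`, which bypasses the `setTlsClientParameters` API this commit introduces, whereas the parallel test added to WSSCUnitTest exercises it; as written this systest does not cover the new code path. Replace that line with `stsClient.setTlsClientParameters(tlsParams);` placed before the `updateAddressPort(stsClient.getClient(), test.getStsPort());` call, since `getClient()` presumably builds the client and the parameters appear to be applied only at creation time. Separately, `tlsParams.setDisableCNCheck(true);` disables hostname verification with no explanation; a comment such as `// test-only: the sample server certificate does not match localhost` stops it from being copied into production configuration. The enclosing class continues outside the hunk.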
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
index a7a8469..e737bb7 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
@@ -20,7 +20,9 @@
 package org.apache.cxf.systest.ws.wssc;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URL;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -28,18 +30,25 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import javax.net.ssl.TrustManagerFactory;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
 import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.systest.ws.common.TestParam;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.cxf.ws.addressing.policy.MetadataConstants;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -131,6 +140,50 @@ public class WSSCUnitTest extends AbstractBusClientServerTestBase {
     }
     
     @Test
+    public void testEndorsingSecureConverationViaCode() throws Exception {
+
+        URL wsdl = WSSCUnitTest.class.getResource("DoubleItWSSC.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportPort");
+        DoubleItPortType port =
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, test.getPort());
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(port);
+        }
+
+        // TLS configuration
+        TrustManagerFactory tmf =
+            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        final KeyStore ts = KeyStore.getInstance("JKS");
+        try (InputStream trustStore =
+            ClassLoaderUtils.getResourceAsStream("keys/Truststore.jks", WSSCUnitTest.class)) {
+            ts.load(trustStore, "password".toCharArray());
+        }
+        tmf.init(ts);
+
+        TLSClientParameters tlsParams = new TLSClientParameters();
+        tlsParams.setTrustManagers(tmf.getTrustManagers());
+        tlsParams.setDisableCNCheck(true);
+
+        Client client = ClientProxy.getClient(port);
+        HTTPConduit http = (HTTPConduit) client.getConduit();
+        http.setTlsClientParameters(tlsParams);
+
+        // STSClient configuration
+        Bus clientBus = BusFactory.newInstance().createBus();
+        STSClient stsClient = new STSClient(clientBus);
+        stsClient.setTlsClientParameters(tlsParams);
+
+        ((BindingProvider)port).getRequestContext().put("security.sts.client", stsClient);
+
+        assertEquals(50, port.doubleIt(25));
+
+        ((java.io.Closeable)port).close();
+    }
+
+    @Test
     public void testEndorsingSecureConverationSP12() throws Exception {
         
         SpringBusFactory bf = new SpringBusFactory();
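Review bot: The `Bus clientBus = BusFactory.newInstance().createBus();` created for the STSClient in the new test is never shut down, while the matching test added to TransportBindingTest in this same commit ends with `clientBus.shutdown(true);`; the bus and its conduits therefore outlive the test. Add `clientBus.shutdown(true);` after `((java.io.Closeable)port).close();`, or wrap the call in a try/finally so it also runs when `doubleIt` fails. As in the other test, `tlsParams.setDisableCNCheck(true);` would benefit from a one-line comment noting that hostname verification is disabled only because the test certificate does not match localhost. The enclosing class continues outside the hunk.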
@@ -347,4 +400,5 @@ public class WSSCUnitTest extends AbstractBusClientServerTestBase {
         }
         
     };
+
 }
