You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by gi...@apache.org on 2012/11/09 10:00:40 UTC
svn commit: r1407389 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/ws/security/common/saml/
ws-security-common/src/main/resources/messages/
ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/
ws...
Author: giger
Date: Fri Nov 9 09:00:39 2012
New Revision: 1407389
URL: http://svn.apache.org/viewvc?rev=1407389&view=rev
Log:
WSS-353 - tests and cleanups
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLKeyInfo.java
webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenReferenceTest.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLKeyInfo.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLKeyInfo.java?rev=1407389&r1=1407388&r2=1407389&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLKeyInfo.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SAMLKeyInfo.java Fri Nov 9 09:00:39 2012
@@ -47,7 +47,10 @@ public class SAMLKeyInfo {
* The private key
*/
private PrivateKey privateKey;
-
+
+ public SAMLKeyInfo() {
+ }
+
public SAMLKeyInfo(X509Certificate[] certs) {
this.certs = certs;
}
Modified: webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties?rev=1407389&r1=1407388&r2=1407389&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties Fri Nov 9 09:00:39 2012
@@ -67,7 +67,7 @@ noSigCryptoFile = No crypto property fil
noSignatureUser = Signature user is not set
noSKIHandling = Problem with SKI information: {0}
notASOAPMessage = Request is not a valid SOAP Message
-noToken = Reference \"{0}\"
+noToken = Referenced Token \"{0}\" not found
noTokenUser = Token user is not set
noUserCertsFound = No certificates for user {0} were found for {1}
noXMLSig = Cannot setup signature data structure
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java?rev=1407389&r1=1407388&r2=1407389&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java Fri Nov 9 09:00:39 2012
@@ -209,8 +209,8 @@ public class SAMLTokenInputHandler exten
if (subjectKeyInfoIndex < 0) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
}
- subjectSecurityToken = parseKeyInfo(inputProcessorChain, securityProperties, eventQueue, subjectKeyInfoIndex);
+ subjectSecurityToken = parseKeyInfo(inputProcessorChain, securityProperties, eventQueue, subjectKeyInfoIndex);
if (subjectSecurityToken == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
}
@@ -372,7 +372,8 @@ public class SAMLTokenInputHandler exten
}
@Override
- protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage, String correlationID) throws XMLSecurityException {
+ protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage, String correlationID)
+ throws XMLSecurityException {
Key key = super.getKey(algorithmURI, keyUsage, correlationID);
if (key == null) {
String algoFamily = JCEAlgorithmMapper.getJCERequiredKeyFromURI(algorithmURI);
@@ -414,7 +415,8 @@ public class SAMLTokenInputHandler exten
keyInfoType = new KeyInfoType();
keyInfoType.getContent().add(securityTokenReferenceTypeJAXBElement);
} else if (object instanceof KeyValueType) {
- JAXBElement<KeyValueType> keyValueTypeJAXBElement = new org.apache.xml.security.binding.xmldsig.ObjectFactory().createKeyValue((KeyValueType) object);
+ JAXBElement<KeyValueType> keyValueTypeJAXBElement =
+ new org.apache.xml.security.binding.xmldsig.ObjectFactory().createKeyValue((KeyValueType) object);
keyInfoType = new KeyInfoType();
keyInfoType.getContent().add(keyValueTypeJAXBElement);
} else {
@@ -569,12 +571,14 @@ public class SAMLTokenInputHandler exten
DateTime currentTime = new DateTime();
currentTime = currentTime.plusSeconds(futureTTL);
if (validFrom.isAfter(currentTime)) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", "SAML Token condition (Not Before) not met");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "empty", "SAML Token condition (Not Before) not met");
}
}
if (validTill != null && validTill.isBeforeNow()) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", "SAML Token condition (Not On Or After) not met");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "empty", "SAML Token condition (Not On Or After) not met");
}
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java?rev=1407389&r1=1407388&r2=1407389&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/SAMLTokenOutputProcessor.java Fri Nov 9 09:00:39 2012
@@ -61,13 +61,12 @@ public class SAMLTokenOutputProcessor ex
}
@Override
- public void processEvent(XMLSecEvent xmlSecEvent, final OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
-
- //todo refactor/cleanup/simplify
+ public void processEvent(XMLSecEvent xmlSecEvent, final OutputProcessorChain outputProcessorChain)
+ throws XMLStreamException, XMLSecurityException {
try {
final SAMLCallback samlCallback = new SAMLCallback();
- SAMLUtil.doSAMLCallback(((WSSSecurityProperties)getSecurityProperties()).getCallbackHandler(), samlCallback);
+ SAMLUtil.doSAMLCallback(((WSSSecurityProperties) getSecurityProperties()).getCallbackHandler(), samlCallback);
AssertionWrapper samlAssertionWrapper = new AssertionWrapper(samlCallback);
// todo support setting signature and c14n algorithms
@@ -90,88 +89,41 @@ public class SAMLTokenOutputProcessor ex
}
final String securityTokenReferenceId = IDGenerator.generateID(null);
- final String binarySecurityTokenId = IDGenerator.generateID(null);
final String tokenId = samlAssertionWrapper.getId();
- PrivateKey privateKey = null;
- X509Certificate[] certificates = null;
- byte[] ephemeralKey = null;
+ final FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor;
if (senderVouches) {
- // prepare to sign the SAML token
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(samlCallback.getIssuerKeyName());
- certificates = samlCallback.getIssuerCrypto().getX509Certificates(cryptoType);
+ X509Certificate[] certificates = samlCallback.getIssuerCrypto().getX509Certificates(cryptoType);
if (certificates == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"empty", "No issuer certs were found to sign the SAML Assertion using issuer name: "
- + samlCallback.getIssuerKeyName()
+ + samlCallback.getIssuerKeyName()
);
}
+
+ PrivateKey privateKey;
try {
- privateKey = samlCallback.getIssuerCrypto().getPrivateKey(samlCallback.getIssuerKeyName(), samlCallback.getIssuerKeyPassword());
+ privateKey = samlCallback.getIssuerCrypto().getPrivateKey(
+ samlCallback.getIssuerKeyName(), samlCallback.getIssuerKeyPassword());
} catch (Exception ex) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
- } else {
- SubjectBean subjectBean = samlCallback.getSubject();
- if (subjectBean != null) {
- KeyInfoBean keyInfoBean = subjectBean.getKeyInfo();
- if (keyInfoBean != null) {
- X509Certificate x509Certificate = keyInfoBean.getCertificate();
- if (x509Certificate != null) {
- String alias = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getX509Identifier(x509Certificate);
- if (alias == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "aliasIsNull");
- }
- WSPasswordCallback wsPasswordCallback = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
- WSSUtils.doPasswordCallback(((WSSSecurityProperties)getSecurityProperties()).getCallbackHandler(), wsPasswordCallback);
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- cryptoType.setAlias(alias);
- certificates = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getX509Certificates(cryptoType);
- privateKey = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getPrivateKey(alias, wsPasswordCallback.getPassword());
- } else {
- ephemeralKey = keyInfoBean.getEphemeralKey();
- }
- }
- }
- }
-
- final SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(certificates);
- if (certificates != null && certificates.length > 0) {
- samlKeyInfo.setPublicKey(certificates[0].getPublicKey());
- }
- samlKeyInfo.setPrivateKey(privateKey);
- samlKeyInfo.setSecret(ephemeralKey);
-
- final X509Certificate[] x509Certificates;
- if (certificates != null && certificates.length > 0) {
- x509Certificates = certificates;
- } else {
- x509Certificates = null;
- }
- final PrivateKey secretKey = privateKey;
+ final String binarySecurityTokenId = IDGenerator.generateID(null);
- final GenericOutboundSecurityToken securityToken;
- SecurityTokenProvider securityTokenProvider;
- if (senderVouches) {
- securityToken = new GenericOutboundSecurityToken(binarySecurityTokenId,
- WSSConstants.X509V3Token, secretKey, x509Certificates);
- } else {
- securityToken = null;
- }
+ final GenericOutboundSecurityToken securityToken =
+ new GenericOutboundSecurityToken(binarySecurityTokenId, WSSConstants.X509V3Token,
+ privateKey, certificates);
- final FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor =
- new FinalSAMLTokenOutputProcessor(securityToken, samlAssertionWrapper,
- securityTokenReferenceId, binarySecurityTokenId, senderVouches);
- finalSAMLTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
- finalSAMLTokenOutputProcessor.setAction(getAction());
- finalSAMLTokenOutputProcessor.init(outputProcessorChain);
+ finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(securityToken, samlAssertionWrapper,
+ securityTokenReferenceId, senderVouches);
- if (senderVouches) {
+ securityToken.setProcessor(finalSAMLTokenOutputProcessor);
- securityTokenProvider = new SecurityTokenProvider() {
+ SecurityTokenProvider securityTokenProvider = new SecurityTokenProvider() {
@SuppressWarnings("unchecked")
@Override
@@ -188,17 +140,52 @@ public class SAMLTokenOutputProcessor ex
outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(binarySecurityTokenId, securityTokenProvider);
outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, binarySecurityTokenId);
outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, securityTokenReferenceId);
+
} else {
- securityTokenProvider = new SecurityTokenProvider() {
+ final SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo();
+
+ SubjectBean subjectBean = samlCallback.getSubject();
+ if (subjectBean != null) {
+ KeyInfoBean keyInfoBean = subjectBean.getKeyInfo();
+ if (keyInfoBean != null) {
+ X509Certificate x509Certificate = keyInfoBean.getCertificate();
+ if (x509Certificate != null) {
+ String alias = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().
+ getX509Identifier(x509Certificate);
+ if (alias == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "aliasIsNull");
+ }
+ WSPasswordCallback wsPasswordCallback = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
+ WSSUtils.doPasswordCallback(
+ ((WSSSecurityProperties) getSecurityProperties()).getCallbackHandler(),
+ wsPasswordCallback);
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(alias);
+ samlKeyInfo.setCerts(((WSSSecurityProperties) getSecurityProperties()).
+ getSignatureCrypto().getX509Certificates(cryptoType));
+ samlKeyInfo.setPrivateKey(((WSSSecurityProperties) getSecurityProperties()).
+ getSignatureCrypto().getPrivateKey(alias, wsPasswordCallback.getPassword()));
+ } else {
+ samlKeyInfo.setSecret(keyInfoBean.getEphemeralKey());
+ }
+ }
+ }
+
+ finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
+ securityTokenReferenceId, senderVouches);
+
+ SecurityTokenProvider securityTokenProvider = new SecurityTokenProvider() {
private GenericOutboundSecurityToken samlSecurityToken;
@SuppressWarnings("unchecked")
@Override
public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
+
if (this.samlSecurityToken != null) {
return this.samlSecurityToken;
}
+
XMLSecurityConstants.TokenType tokenType;
if (samlCallback.getSamlVersion() == SAMLVersion.VERSION_10) {
tokenType = WSSConstants.Saml10Token;
@@ -217,7 +204,7 @@ public class SAMLTokenOutputProcessor ex
@Override
public Key getSecretKey(String algorithmURI) throws WSSecurityException {
- Key key = null;
+ Key key;
try {
key = super.getSecretKey(algorithmURI);
} catch (XMLSecurityException e) {
@@ -248,11 +235,19 @@ public class SAMLTokenOutputProcessor ex
outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, tokenId);
}
+ finalSAMLTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+ finalSAMLTokenOutputProcessor.setAction(getAction());
+ finalSAMLTokenOutputProcessor.init(outputProcessorChain);
+
XMLSecurityConstants.Action action = getAction();
if (action.equals(WSSConstants.SAML_TOKEN_SIGNED) && senderVouches) {
- SecurePart securePart = new SecurePart(new QName(WSSConstants.SOAPMESSAGE_NS10_STRTransform), tokenId, securityTokenReferenceId, SecurePart.Modifier.Element);
+ SecurePart securePart =
+ new SecurePart(
+ new QName(WSSConstants.SOAPMESSAGE_NS10_STRTransform),
+ tokenId, securityTokenReferenceId, SecurePart.Modifier.Element);
outputProcessorChain.getSecurityContext().putAsMap(WSSConstants.SIGNATURE_PARTS, tokenId, securePart);
}
+
} finally {
outputProcessorChain.removeProcessor(this);
}
@@ -264,36 +259,41 @@ public class SAMLTokenOutputProcessor ex
private final OutboundSecurityToken securityToken;
private final AssertionWrapper assertionWrapper;
private final String securityTokenReferenceId;
- private final String binarySecurityTokenReferenceId;
private boolean senderVouches = false;
FinalSAMLTokenOutputProcessor(OutboundSecurityToken securityToken, AssertionWrapper assertionWrapper,
- String securityTokenReferenceId, String binarySecurityTokenReferenceId,
- boolean senderVouches) throws XMLSecurityException {
+ String securityTokenReferenceId, boolean senderVouches) throws XMLSecurityException {
super();
this.addAfterProcessor(UsernameTokenOutputProcessor.class.getName());
this.addAfterProcessor(SAMLTokenOutputProcessor.class.getName());
this.assertionWrapper = assertionWrapper;
this.securityTokenReferenceId = securityTokenReferenceId;
this.senderVouches = senderVouches;
- this.binarySecurityTokenReferenceId = binarySecurityTokenReferenceId;
this.securityToken = securityToken;
}
@Override
- public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+ public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
+ throws XMLStreamException, XMLSecurityException {
+
outputProcessorChain.processEvent(xmlSecEvent);
if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
- && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+ && WSSUtils.isInSecurityHeader(xmlSecStartElement,
+ ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
- if (senderVouches && getSecurityProperties().getSignatureKeyIdentifierType() == WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
- WSSUtils.createBinarySecurityTokenStructure(this, outputProcessorChain, binarySecurityTokenReferenceId, securityToken.getX509Certificates(), getSecurityProperties().isUseSingleCert());
+ if (senderVouches && getSecurityProperties().getSignatureKeyIdentifierType() ==
+ WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
+
+ WSSUtils.createBinarySecurityTokenStructure(this, outputProcessorChain, securityToken.getId(),
+ securityToken.getX509Certificates(), getSecurityProperties().isUseSingleCert());
}
outputSamlAssertion(assertionWrapper.toDOM(null), subOutputProcessorChain);
if (senderVouches) {
- outputSecurityTokenReference(subOutputProcessorChain, assertionWrapper, securityTokenReferenceId, assertionWrapper.getId());
+ outputSecurityTokenReference(subOutputProcessorChain, assertionWrapper,
+ securityTokenReferenceId, assertionWrapper.getId());
}
outputProcessorChain.removeProcessor(this);
}
@@ -301,7 +301,10 @@ public class SAMLTokenOutputProcessor ex
}
}
- private void outputSecurityTokenReference(OutputProcessorChain outputProcessorChain, AssertionWrapper assertionWrapper, String referenceId, String tokenId) throws XMLStreamException, XMLSecurityException {
+ private void outputSecurityTokenReference(
+ OutputProcessorChain outputProcessorChain, AssertionWrapper assertionWrapper,
+ String referenceId, String tokenId) throws XMLStreamException, XMLSecurityException {
+
List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(2);
if (assertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11) {
attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE));
@@ -323,7 +326,8 @@ public class SAMLTokenOutputProcessor ex
}
//todo serialize directly from SAML XMLObject?
- private void outputSamlAssertion(Element element, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+ private void outputSamlAssertion(Element element, OutputProcessorChain outputProcessorChain)
+ throws XMLStreamException, XMLSecurityException {
NamedNodeMap namedNodeMap = element.getAttributes();
List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(namedNodeMap.getLength());
@@ -331,11 +335,16 @@ public class SAMLTokenOutputProcessor ex
for (int i = 0; i < namedNodeMap.getLength(); i++) {
Attr attribute = (Attr) namedNodeMap.item(i);
if (attribute.getPrefix() == null) {
- attributes.add(createAttribute(new QName(attribute.getNamespaceURI(), attribute.getLocalName()), attribute.getValue()));
+ attributes.add(
+ createAttribute(
+ new QName(attribute.getNamespaceURI(), attribute.getLocalName()), attribute.getValue()));
} else if ("xmlns".equals(attribute.getPrefix()) || "xmlns".equals(attribute.getLocalName())) {
namespaces.add(createNamespace(attribute.getLocalName(), attribute.getValue()));
} else {
- attributes.add(createAttribute(new QName(attribute.getNamespaceURI(), attribute.getLocalName(), attribute.getPrefix()), attribute.getValue()));
+ attributes.add(
+ createAttribute(
+ new QName(attribute.getNamespaceURI(), attribute.getLocalName(), attribute.getPrefix()),
+ attribute.getValue()));
}
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenReferenceTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenReferenceTest.java?rev=1407389&r1=1407388&r2=1407389&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenReferenceTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenReferenceTest.java Fri Nov 9 09:00:39 2012
@@ -28,7 +28,9 @@ import org.apache.ws.security.common.sam
import org.apache.ws.security.common.saml.builder.SAML1Constants;
import org.apache.ws.security.common.saml.builder.SAML2Constants;
import org.apache.ws.security.dom.WSConstants;
+import org.apache.ws.security.dom.WSEncryptionPart;
import org.apache.ws.security.dom.handler.WSHandlerConstants;
+import org.apache.ws.security.dom.message.WSSecEncrypt;
import org.apache.ws.security.dom.message.WSSecHeader;
import org.apache.ws.security.dom.saml.WSSecSignatureSAML;
import org.apache.ws.security.stax.WSSec;
@@ -47,6 +49,7 @@ import org.testng.Assert;
import org.testng.annotations.Test;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import javax.xml.stream.XMLStreamReader;
@@ -58,6 +61,7 @@ import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
+import java.util.List;
import java.util.Properties;
/**
@@ -250,63 +254,65 @@ public class SAMLTokenReferenceTest exte
}
}
- /**
- * todo doesn't work atm
- *
- * @Test public void testAssertionBelowSTRInbound() throws Exception {
- * <p/>
- * ByteArrayOutputStream baos = new ByteArrayOutputStream();
- * {
- * SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
- * callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
- * callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
- * callbackHandler.setIssuer("www.example.com");
- * <p/>
- * InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
- * String action = WSHandlerConstants.SAML_TOKEN_SIGNED;
- * Properties properties = new Properties();
- * properties.setProperty(WSHandlerConstants.SAML_PROP_FILE, "saml/saml-signed.properties");
- * properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
- * properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
- * Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
- * <p/>
- * //some test that we can really sure we get what we want from WSS4J
- * NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
- * Assert.assertEquals(nodeList.getLength(), 2);
- * Element securityHeader = (Element)nodeList.item(1).getParentNode();
- * nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_saml_Assertion.getNamespaceURI(), WSSConstants.TAG_saml_Assertion.getLocalPart());
- * Node assertionNode = nodeList.item(0);
- * securityHeader.removeChild(assertionNode);
- * securityHeader.appendChild(assertionNode);
- * <p/>
- * javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
- * transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
- * transformer.transform(new DOMSource(securedDocument), new StreamResult(System.out));
- * }
- * <p/>
- * //done signature; now test sig-verification:
- * {
- * WSSSecurityProperties securityProperties = new WSSSecurityProperties();
- * securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- * InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
- * XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
- * <p/>
- * Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
- * <p/>
- * //header element must still be there
- * NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
- * Assert.assertEquals(nodeList.getLength(), 2);
- * }
- * }
- */
+ /* todo doesn't work atm
+ @Test
+ public void testAssertionBelowSTRInbound() throws Exception {
-/*
- @Test
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+ callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+ callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
+ callbackHandler.setIssuer("www.example.com");
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.SAML_TOKEN_SIGNED;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+ properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ //some test that we can really sure we get what we want from WSS4J
+ NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 2);
+ Element securityHeader = (Element) nodeList.item(1).getParentNode();
+ nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_saml_Assertion.getNamespaceURI(), WSSConstants.TAG_saml_Assertion.getLocalPart());
+ Node assertionNode = nodeList.item(0);
+ securityHeader.removeChild(assertionNode);
+ securityHeader.appendChild(assertionNode);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(System.out));
+ }
+
+ //done signature; now test sig-verification:
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+ //header element must still be there
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 2);
+ }
+ }
+*/
+
+ @Test
public void testSAML1HOKEKKeyIdentifierInbound() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+ //we set here the receiver's certificate just to test EncryptedKey references.
+ //in real life this wont work that way.
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias("receiver");
+ callbackHandler.setCerts(CryptoFactory.getInstance("transmitter-crypto.properties").getX509Certificates(cryptoType));
callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
callbackHandler.setIssuer("www.example.com");
@@ -332,7 +338,7 @@ public class SAMLTokenReferenceTest exte
builder.setCustomEKTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
builder.setCustomEKTokenId(assertion.getId());
- Crypto userCrypto = CryptoFactory.getInstance("transmitter-crypto.properties");
+ Crypto userCrypto = CryptoFactory.getInstance("receiver-crypto.properties");
builder.prepare(doc, userCrypto);
List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
@@ -348,16 +354,15 @@ public class SAMLTokenReferenceTest exte
javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
transformer.transform(new DOMSource(doc), new StreamResult(baos));
}
- System.out.println(baos.toString());
+
//done signature; now test sig-verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- Crypto crypto = CryptoFactory.getInstance("receiver-crypto.properties");
CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
- callbackHandler.setSecret(crypto.getPrivateKey("receiver", "default").getEncoded());
securityProperties.setCallbackHandler(callbackHandler);
+
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
@@ -365,52 +370,82 @@ public class SAMLTokenReferenceTest exte
//header element must still be there
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 2);
+ Assert.assertEquals(nodeList.getLength(), 1);
}
}
- */
- /*
+
@Test
public void testSAML1HOKEKDirectReferenceInbound() throws Exception {
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- {
- SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
- callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
- callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
- callbackHandler.setIssuer("www.example.com");
-
- InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
- String action = WSHandlerConstants.SAML_TOKEN_SIGNED + " " + WSHandlerConstants.ENCRYPT;
- Properties properties = new Properties();
- properties.setProperty(WSHandlerConstants.SAML_PROP_FILE, "saml/saml-signed.properties");
- properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
- Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
-
- //some test that we can really sure we get what we want from WSS4J
- NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 2);
-
- javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
- transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
- transformer.transform(new DOMSource(securedDocument), new StreamResult(System.out));
- }
-
- //done signature; now test sig-verification:
- {
- WSSSecurityProperties securityProperties = new WSSSecurityProperties();
- securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
- XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
-
- Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
-
- //header element must still be there
- NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
- Assert.assertEquals(nodeList.getLength(), 2);
- }
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+ //we set here the receiver's certificate just to test EncryptedKey references.
+ //in real life this wont work that way.
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias("receiver");
+ callbackHandler.setCerts(CryptoFactory.getInstance("transmitter-crypto.properties").getX509Certificates(cryptoType));
+ callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+ callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
+ callbackHandler.setIssuer("www.example.com");
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ AssertionWrapper assertion = new AssertionWrapper(samlCallback);
+
+ Crypto issuerCrypto = CryptoFactory.getInstance("saml/samlissuer.properties");
+ assertion.signAssertion("samlissuer", "default", issuerCrypto, false);
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ Node assertionNode = assertion.toDOM(doc);
+ secHeader.insertSecurityHeader(doc);
+ secHeader.getSecurityHeader().appendChild(assertionNode);
+
+ // Encrypt the SOAP body
+ WSSecEncrypt builder = new WSSecEncrypt();
+ builder.setUserInfo("receiver");
+ builder.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
+ builder.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ builder.setCustomEKTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+ builder.setCustomEKTokenId(assertion.getId());
+
+ Crypto userCrypto = CryptoFactory.getInstance("receiver-crypto.properties");
+ builder.prepare(doc, userCrypto);
+
+ List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
+ WSEncryptionPart encP =
+ new WSEncryptionPart(
+ "add", "http://ws.apache.org/counter/counter_port_type", "Element"
+ );
+ parts.add(encP);
+ Element refElement = builder.encryptForRef(null, parts);
+ builder.addInternalRefElement(refElement);
+ builder.appendToHeader(secHeader);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(doc), new StreamResult(baos));
+ }
+
+ //done signature; now test sig-verification:
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
+ securityProperties.setCallbackHandler(callbackHandler);
+
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+ //header element must still be there
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+ }
}
- */
+
@Test
public void testSAML2SVKeyIdentifierOutbound() throws Exception {