Posted to commits@cxf.apache.org by co...@apache.org on 2013/04/19 16:04:07 UTC
svn commit: r1469835 - in /cxf/branches/wss4j2.0-port:
rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/
Author: coheigea
Date: Fri Apr 19 14:04:07 2013
New Revision: 1469835
URL: http://svn.apache.org/r1469835
Log:
Adding DOM -> StaX SAML HOK interop tests
Added:
cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomStaxSamlValidator.java
Modified:
cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java
cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/StaxToDOMSamlTest.java
cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Added: cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomStaxSamlValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomStaxSamlValidator.java?rev=1469835&view=auto
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomStaxSamlValidator.java (added)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomStaxSamlValidator.java Fri Apr 19 14:04:07 2013
@@ -0,0 +1,93 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.saml;
+
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
+import org.apache.wss4j.stax.securityToken.SamlSecurityToken;
+import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
+import org.apache.wss4j.stax.validate.TokenContext;
+import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
+
+/**
+ * A trivial custom Validator for a SAML Assertion. It makes sure that the issuer is
+ * "www.example.com", checks the version of the assertion, and checks the subject confirmation
+ * method.
+ */
+public class CustomStaxSamlValidator extends SamlTokenValidatorImpl {
+
+ private boolean requireSAML1Assertion = true;
+ private boolean requireSenderVouches = true;
+
+ public void setRequireSAML1Assertion(boolean requireSAML1Assertion) {
+ this.requireSAML1Assertion = requireSAML1Assertion;
+ }
+
+ public void setRequireSenderVouches(boolean requireSenderVouches) {
+ this.requireSenderVouches = requireSenderVouches;
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public <T extends SamlSecurityToken & InboundSecurityToken> T validate(
+ final SamlAssertionWrapper samlAssertionWrapper,
+ final InboundSecurityToken subjectSecurityToken,
+ final TokenContext tokenContext
+ ) throws WSSecurityException {
+ //jdk 1.6 compiler bug? http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6302954
+ //type parameters of <T>T cannot be determined; no unique maximal instance exists for type variable T with
+ // upper bounds org.apache.wss4j.stax.securityToken.SamlSecurityToken,
+ // org.apache.wss4j.stax.securityToken.SamlSecurityToken,
+ // org.apache.xml.security.stax.ext.securityToken.InboundSecurityToken
+ //works fine on jdk 1.7
+ final SamlSecurityToken token =
+ super.</*fake @see above*/SamlSecurityTokenImpl>
+ validate(samlAssertionWrapper, subjectSecurityToken, tokenContext);
+
+ //
+ // Do some custom validation on the assertion
+ //
+ if (!"www.example.com".equals(samlAssertionWrapper.getIssuerString())) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+
+ if (requireSAML1Assertion && samlAssertionWrapper.getSaml1() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ } else if (!requireSAML1Assertion && samlAssertionWrapper.getSaml2() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+
+ String confirmationMethod = samlAssertionWrapper.getConfirmationMethods().get(0);
+ if (confirmationMethod == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+ if (requireSenderVouches && !OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ } else if (!requireSenderVouches
+ && !OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+
+ return (T)token;
+ }
+
+}
\ No newline at end of file
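Review bot: `samlAssertionWrapper.getConfirmationMethods().get(0)` after the version check throws IndexOutOfBoundsException when the assertion carries no subject confirmation, so the `confirmationMethod == null` guard below it never sees that case and the rejection surfaces as a generic runtime error instead of the WSSecurityException every other branch raises. A guard before the lookup keeps the failure mode uniform: `if (samlAssertionWrapper.getConfirmationMethods().isEmpty()) {` / `throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");` / `}` (fold in a null check too if the list can be null in this WSS4J version). Only the first confirmation method is inspected, which is adequate for these fixtures but worth stating in the class Javadoc, since an assertion with several SubjectConfirmation entries would be accepted on its first entry alone. The Javadoc could also note that the custom checks run only after `super.validate` has completed the base validation, which is the ordering the subclass relies on.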
Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java?rev=1469835&r1=1469834&r2=1469835&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java (original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java Fri Apr 19 14:04:07 2013
@@ -37,6 +37,9 @@ import org.apache.cxf.ws.security.wss4j.
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.junit.Test;
@@ -177,6 +180,119 @@ public class DOMToStaxSamlTest extends A
assertEquals("test", echo.echo("test"));
}
+ @Test
+ public void testSaml1TokenHOK() throws Exception {
+ // Create + configure service
+ Service service = createService();
+
+ WSSSecurityProperties inProperties = new WSSSecurityProperties();
+ Properties cryptoProperties =
+ CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader());
+ inProperties.setSignatureVerificationCryptoProperties(cryptoProperties);
+
+ CustomStaxSamlValidator validator = new CustomStaxSamlValidator();
+ inProperties.addValidator(WSSecurityEngine.SAML_TOKEN, validator);
+ inProperties.addValidator(WSSecurityEngine.SAML2_TOKEN, validator);
+
+ WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
+ service.getInInterceptors().add(inhandler);
+
+ // Create + configure client
+ Echo echo = createClientProxy();
+
+ Client client = ClientProxy.getClient(echo);
+ client.getInInterceptors().add(new LoggingInInterceptor());
+ client.getOutInterceptors().add(new LoggingOutInterceptor());
+
+ Map<String, Object> properties = new HashMap<String, Object>();
+ properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED);
+ SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+ callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
+ callbackHandler.setSignAssertion(true);
+ properties.put(
+ WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
+ );
+
+ properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+ properties.put(WSHandlerConstants.USER, "alice");
+ properties.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler());
+ properties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
+
+ WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
+ client.getOutInterceptors().add(ohandler);
+
+ try {
+ echo.echo("test");
+ fail("Failure expected on receiving sender vouches instead of HOK");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ validator.setRequireSenderVouches(false);
+ assertEquals("test", echo.echo("test"));
+ }
+
+ @Test
+ public void testSaml2TokenHOK() throws Exception {
+ // Create + configure service
+ Service service = createService();
+
+ WSSSecurityProperties inProperties = new WSSSecurityProperties();
+ Properties cryptoProperties =
+ CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader());
+ inProperties.setSignatureVerificationCryptoProperties(cryptoProperties);
+
+ CustomStaxSamlValidator validator = new CustomStaxSamlValidator();
+ inProperties.addValidator(WSSecurityEngine.SAML_TOKEN, validator);
+ inProperties.addValidator(WSSecurityEngine.SAML2_TOKEN, validator);
+
+ WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
+ service.getInInterceptors().add(inhandler);
+
+ // Create + configure client
+ Echo echo = createClientProxy();
+
+ Client client = ClientProxy.getClient(echo);
+ client.getInInterceptors().add(new LoggingInInterceptor());
+ client.getOutInterceptors().add(new LoggingOutInterceptor());
+
+ Map<String, Object> properties = new HashMap<String, Object>();
+ properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED);
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+ callbackHandler.setSignAssertion(true);
+ properties.put(
+ WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
+ );
+
+ properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+ properties.put(WSHandlerConstants.USER, "alice");
+ properties.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler());
+ properties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
+
+ WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
+ client.getOutInterceptors().add(ohandler);
+
+ try {
+ echo.echo("test");
+ fail("Failure expected on receiving sender vouches instead of HOK");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+ validator.setRequireSenderVouches(false);
+
+ try {
+ echo.echo("test");
+ fail("Failure expected on receiving a SAML 1.1 Token instead of SAML 2.0");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+ validator.setRequireSAML1Assertion(false);
+
+ assertEquals("test", echo.echo("test"));
+ }
+
+
private Service createService() {
// Create the Service
JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
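Review bot: The three `fail(...)` messages in the new tests describe the opposite of what is sent: in testSaml1TokenHOK the callback handler is configured with `SAML1Constants.CONF_HOLDER_KEY` while the validator still requires sender-vouches, so the first `fail` should read `fail("Failure expected on receiving HOK instead of sender vouches");`, the same applies to the first `fail` in testSaml2TokenHOK, and that test's second `fail` sends a SAML 2.0 token against a validator requiring SAML 1.1, so it should read `fail("Failure expected on receiving a SAML 2.0 Token instead of SAML 1.1");`. The `catch (javax.xml.ws.soap.SOAPFaultException ex) { // expected }` blocks accept any fault, so a signature or crypto configuration error would be mistaken for the validator's rejection; asserting on the fault message, or stating in the comment why that is not possible here, would make the negative cases meaningful. The two tests also share roughly forty identical setup lines (service, WSS4JStaxInInterceptor, client, out-properties), which could move into a private helper that takes the callback handler. createService at the end of the hunk continues outside it.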
Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/StaxToDOMSamlTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/StaxToDOMSamlTest.java?rev=1469835&r1=1469834&r2=1469835&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/StaxToDOMSamlTest.java (original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/StaxToDOMSamlTest.java Fri Apr 19 14:04:07 2013
@@ -266,8 +266,6 @@ public class StaxToDOMSamlTest extends A
);
properties.setCallbackHandler(new PasswordCallbackHandler());
- // outProperties.put("password", "password");
-
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(properties);
client.getOutInterceptors().add(ohandler);
@@ -326,8 +324,6 @@ public class StaxToDOMSamlTest extends A
WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference
);
- // outProperties.put("password", "password");
-
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(properties);
client.getOutInterceptors().add(ohandler);
Modified: cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1469835&r1=1469834&r2=1469835&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java (original)
+++ cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java Fri Apr 19 14:04:07 2013
@@ -246,7 +246,7 @@ public class SamlTokenTest extends Abstr
saml2Port.doubleIt(25);
fail("Expected failure on an invocation with an unsigned SAML SV Assertion");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
- assertTrue(ex.getMessage().contains("Assertion fails sender-vouches requirements"));
+ assertTrue(ex.getMessage().contains("An error was discovered processing"));
}
((java.io.Closeable)saml2Port).close();
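Review bot: The replacement assertion on the changed line matches the generic prefix `"An error was discovered processing"`, so the test now passes on any processing fault and no longer confirms that the rejection came from the sender-vouches check, which the previous message pinned. If the StAX path genuinely does not surface that detail to the client, which appears to be what motivated the change, a comment such as `// StAX stack returns a generic fault; the SV-requirement reason is not exposed to the client` would record that the weakening is deliberate. Otherwise consider keeping the specific check alongside the generic one. The enclosing test method starts before the hunk.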