Posted to commits@cxf.apache.org by co...@apache.org on 2016/04/13 17:38:59 UTC

[1/4] cxf-fediz git commit: Added SSO test for IdP

Repository: cxf-fediz
Updated Branches:
  refs/heads/master 139fb6bd4 -> cc8708e1b


Added SSO test for IdP


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/188e20c1
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/188e20c1
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/188e20c1

Branch: refs/heads/master
Commit: 188e20c16b4938f2fc40d32a90baba03db1838a2
Parents: 139fb6b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 13 15:09:33 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 13 15:09:33 2016 +0100

----------------------------------------------------------------------
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 67 ++++++++++++++++++++
 1 file changed, 67 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/188e20c1/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 1bc4791..04bc875 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -47,6 +47,7 @@ import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.xml.security.keys.KeyInfo;
 import org.apache.xml.security.signature.XMLSignature;
+import org.apache.xml.security.utils.Base64;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
@@ -191,6 +192,72 @@ public class IdpTest {
 
         webClient.close();
     }
+    
+    @org.junit.Test
+    public void testSuccessfulSSOInvokeOnIdP() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.addRequestHeader("Authorization", "Basic " + Base64.encode((user + ":" + password).getBytes()));
+        
+        //
+        // First invocation
+        //
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Parse the form to get the token (wresult)
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        String wresult = null;
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                wresult = result.getAttributeNS(null, "value");
+                break;
+            }
+        }
+
+        Assert.assertNotNull(wresult);
+        
+        //
+        // Second invocation - change the credentials to make sure the session is set up correctly
+        // 
+
+        webClient.removeRequestHeader("Authorization");
+        webClient.addRequestHeader("Authorization", "Basic " + Base64.encode(("mallory" + ":" + password).getBytes()));
+        
+        webClient.getOptions().setJavaScriptEnabled(false);
+        idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Parse the form to get the token (wresult)
+        results = idpPage.getElementsByTagName("input");
+
+        wresult = null;
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                wresult = result.getAttributeNS(null, "value");
+                break;
+            }
+        }
+
+        Assert.assertNotNull(wresult);
+        
+        webClient.close();
+    }
 
     @Test
     public void testIdPMetadata() throws Exception {
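Review bot: Both `Authorization` headers in the new test build the Basic token with `(user + ":" + password).getBytes()`, which uses the platform default charset; the samlsso IdpTest hunks later in this series already write `getBytes(StandardCharsets.UTF_8)` for the bytes they sign, and the same charset-less `getBytes()` recurs in their Authorization headers as well. Use `(user + ":" + password).getBytes(StandardCharsets.UTF_8)` in every place the header is built so the encoding is the same on every JVM. The loop that scans the `input` elements for `wresult` is duplicated verbatim for the two invocations; a private helper such as `findInputValue(HtmlPage page, String name)` would keep both lookups identical. `webClient.close()` is only reached when every assertion passes; if the HtmlUnit version in use implements `AutoCloseable` on `WebClient`, a try-with-resources would release it on failure too.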


[4/4] cxf-fediz git commit: [FEDIZ-165] - Part II

Posted by co...@apache.org.
[FEDIZ-165] - Part II


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/cc8708e1
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/cc8708e1
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/cc8708e1

Branch: refs/heads/master
Commit: cc8708e1bac7bac8fdf1f1ac30c8a54272d2f004
Parents: a616dc6
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 13 16:18:54 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 13 16:18:54 2016 +0100

----------------------------------------------------------------------
 .../idp/beans/samlsso/LocalRedirectCreator.java |  54 ++++++++++
 .../WEB-INF/flows/saml-validate-request.xml     |   9 +-
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 108 +++++++++++++++++++
 3 files changed, 164 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8708e1/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/LocalRedirectCreator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/LocalRedirectCreator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/LocalRedirectCreator.java
new file mode 100644
index 0000000..9dfd626
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/LocalRedirectCreator.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.beans.samlsso;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+
+import org.apache.cxf.fediz.service.idp.domain.Idp;
+import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.springframework.stereotype.Component;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * Parse the parameters to create the URL for local redirection
+ */
+@Component
+public class LocalRedirectCreator {
+
+    public String createRedirectURL(RequestContext context, Idp idp) throws UnsupportedEncodingException {
+        StringBuilder redirectURL = new StringBuilder();
+        redirectURL.append(idp.getIdpUrl().toString()).append("?");
+        
+        String relayState = (String)WebUtils.getAttributeFromFlowScope(context, "RelayState");
+        redirectURL.append("RelayState=").append(relayState).append("&");
+        String samlRequest = (String)WebUtils.getAttributeFromFlowScope(context, "SAMLRequest");
+        redirectURL.append("SAMLRequest=").append(URLEncoder.encode(samlRequest, "UTF-8"));
+        
+        String signature = (String)WebUtils.getAttributeFromFlowScope(context, "Signature");
+        if (signature != null) {
+            redirectURL.append("&");
+            redirectURL.append("Signature=").append(URLEncoder.encode(signature, "UTF-8"));
+        }
+        
+        return redirectURL.toString();
+    }
+    
+    
+}
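Review bot: `RelayState` is appended to the redirect URL unencoded (`append("RelayState=").append(relayState)`) while `SAMLRequest` and `Signature` go through `URLEncoder.encode`; the value originates from the incoming request parameter (the flow stores `requestParameters.RelayState` in flow scope), so any `&`, `#` or `%` in it changes the query string the local IdP receives, and an absent value yields the literal `RelayState=null`. Encode it like the other parameters and skip it when missing: `if (relayState != null) { redirectURL.append("RelayState=").append(URLEncoder.encode(relayState, "UTF-8")).append("&"); }`. The flow forwards `Signature` but not a `SigAlg` parameter (flow scope only holds RelayState, SAMLRequest and Signature), and re-encoding a decoded signature can produce a different percent-encoding than the sender used, so confirm the receiving IdP can still verify a redirect built from this URL. A Javadoc on `createRedirectURL` stating that the three values are read from flow scope and that `SAMLRequest` is required would make the contract explicit.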

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8708e1/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 6c156ac..6808554 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -147,13 +147,8 @@
     
     <end-state id="redirectToLocalIDP" view="externalRedirect:${flowScope.localIdpUrl}">
         <on-entry>
-            <evaluate expression="@java.net.URLEncoder@encode(flowScope.SAMLRequest)"
-                      result="flowScope.encodedRequest"/>
-            <set name="flowScope.localIdpUrl"
-                value="flowScope.idpConfig.idpUrl
-                +'?RelayState='+flowScope.RelayState
-                +'&amp;SAMLRequest='+flowScope.encodedRequest">
-            </set>
+            <evaluate expression="localRedirectCreator.createRedirectURL(flowRequestContext, flowScope.idpConfig)"
+                      result="flowScope.localIdpUrl"/>
         </on-entry>
     </end-state>
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8708e1/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index c8356ee..86e9628 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -566,6 +566,114 @@ public class IdpTest {
         webClient.close();
     }
     
+    @org.junit.Test
+    public void testSuccessfulSSOInvokeOnIdPWithForceAuthnSeparateSignature() throws Exception {
+        OpenSAMLUtil.initSamlEngine();
+        
+        // Create SAML AuthnRequest
+        Document doc = DOMUtils.createDocument();
+        doc.appendChild(doc.createElement("root"));
+        // Create the AuthnRequest
+        String consumerURL = "https://localhost:" + getRpHttpsPort() + "/" 
+            + getServletContextName() + "/secure/fedservlet";
+        AuthnRequest authnRequest = 
+            new DefaultAuthnRequestBuilder().createAuthnRequest(
+                null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL
+            );
+        authnRequest.setForceAuthn(Boolean.TRUE);
+        authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml");
+        
+        Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
+        String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
+
+        String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
+
+        String relayState = UUID.randomUUID().toString();
+        
+        // Sign request
+        Crypto crypto = CryptoFactory.getInstance("stsKeystoreA.properties");
+        
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("realma");
+
+        // Get the private key
+        PrivateKey privateKey = crypto.getPrivateKey("realma", "realma");
+        
+        java.security.Signature signature = java.security.Signature.getInstance("SHA1withRSA");
+        signature.initSign(privateKey);
+       
+        String requestToSign = SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
+        requestToSign += "&" + SSOConstants.RELAY_STATE + "=" + relayState;
+        requestToSign += "&" + SSOConstants.SIG_ALG + "=" 
+            + URLEncoder.encode(SSOConstants.RSA_SHA1, StandardCharsets.UTF_8.name());
+        
+        signature.update(requestToSign.getBytes(StandardCharsets.UTF_8));
+        byte[] signBytes = signature.sign();
+        
+        String encodedSignature = Base64.encode(signBytes);
+        
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up?";
+        url += SSOConstants.RELAY_STATE + "=" + relayState;
+        url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
+        url += "&" + SSOConstants.SIGNATURE + "=" + URLEncoder.encode(encodedSignature, StandardCharsets.UTF_8.name());
+        
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+        
+        //
+        // First invocation
+        //
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+        
+        org.opensaml.saml.saml2.core.Response samlResponse = 
+            parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID());
+        String expected = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue());
+        
+        // Check claims
+        String parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument());
+        String claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        
+        //
+        // Second invocation
+        //
+        
+        webClient.getOptions().setJavaScriptEnabled(false);
+        idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+        
+        samlResponse = parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID());
+        expected = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue());
+        
+        // Check claims
+        parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument());
+        claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+
+        webClient.close();
+    }
+    
     //
     // Negative tests
     //
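Review bot: `cryptoType` is constructed and given the alias `realma` but is never used — the key is loaded directly with `crypto.getPrivateKey("realma", "realma")` — so the two `CryptoType` lines can be removed. The string that is signed contains `SigAlg=...`, yet the URL sent to `/fediz-idp/saml/up` carries only RelayState, SAMLRequest and Signature; if the IdP reconstructs the signed string it must be assuming a default algorithm, which deserves a comment such as `// SigAlg is omitted on purpose: the IdP falls back to RSA-SHA1 — confirm` or an explicit `SigAlg` parameter. As in the other new tests, `webClient.close()` is skipped when an assertion fails; a try-with-resources or `finally` would cover that path.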


[3/4] cxf-fediz git commit: [FEDIZ-165] - SAML SSO redirection on ForceAuthn or token expiry not working

Posted by co...@apache.org.
[FEDIZ-165] - SAML SSO redirection on ForceAuthn or token expiry not working


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a616dc6c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a616dc6c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a616dc6c

Branch: refs/heads/master
Commit: a616dc6ca15d38c82d3939cf6eb754c0b2da34c2
Parents: ec486bf
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 13 15:48:34 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 13 15:48:34 2016 +0100

----------------------------------------------------------------------
 .../WEB-INF/flows/saml-validate-request.xml     |   4 +-
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 246 +++++++++++++++++++
 2 files changed, 249 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a616dc6c/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 4479a5b..6c156ac 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -147,10 +147,12 @@
     
     <end-state id="redirectToLocalIDP" view="externalRedirect:${flowScope.localIdpUrl}">
         <on-entry>
+            <evaluate expression="@java.net.URLEncoder@encode(flowScope.SAMLRequest)"
+                      result="flowScope.encodedRequest"/>
             <set name="flowScope.localIdpUrl"
                 value="flowScope.idpConfig.idpUrl
                 +'?RelayState='+flowScope.RelayState
-                +'&amp;SAMLRequest='+flowScope.SAMLRequest">
+                +'&amp;SAMLRequest='+flowScope.encodedRequest">
             </set>
         </on-entry>
     </end-state>
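Review bot: `@java.net.URLEncoder@encode(flowScope.SAMLRequest)` calls the single-argument `URLEncoder.encode(String)`, which is deprecated and encodes with the platform default charset, so the redirect URL can differ between JVMs; the two-argument form `@java.net.URLEncoder@encode(flowScope.SAMLRequest, 'UTF-8')` pins the encoding. Commit cc8708e1 earlier on this page replaces this expression with `localRedirectCreator.createRedirectURL(...)`, which already uses UTF-8, so this only matters for the intermediate revision.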

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a616dc6c/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 91a82d1..c8356ee 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -396,6 +396,176 @@ public class IdpTest {
         webClient.close();
     }
     
+    @org.junit.Test
+    public void testSuccessfulSSOInvokeOnIdP() throws Exception {
+        OpenSAMLUtil.initSamlEngine();
+        
+        // Create SAML AuthnRequest
+        Document doc = DOMUtils.createDocument();
+        doc.appendChild(doc.createElement("root"));
+        // Create the AuthnRequest
+        String consumerURL = "https://localhost:" + getRpHttpsPort() + "/" 
+            + getServletContextName() + "/secure/fedservlet";
+        AuthnRequest authnRequest = 
+            new DefaultAuthnRequestBuilder().createAuthnRequest(
+                null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL
+            );
+        authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml");
+        signAuthnRequest(authnRequest);
+        
+        Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
+        String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
+
+        String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
+
+        String relayState = UUID.randomUUID().toString();
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+        url += SSOConstants.RELAY_STATE + "=" + relayState;
+        url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.addRequestHeader("Authorization", "Basic " + Base64.encode((user + ":" + password).getBytes()));
+        
+        //
+        // First invocation
+        //
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+        
+        org.opensaml.saml.saml2.core.Response samlResponse = 
+            parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID());
+        String expected = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue());
+        
+        // Check claims
+        String parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument());
+        String claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        
+        //
+        // Second invocation - change the credentials to make sure the session is set up correctly
+        //
+        
+        webClient.removeRequestHeader("Authorization");
+        webClient.addRequestHeader("Authorization", "Basic " + Base64.encode(("mallory" + ":" + password).getBytes()));
+        
+        webClient.getOptions().setJavaScriptEnabled(false);
+        idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+        
+        samlResponse = parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID());
+        expected = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue());
+        
+        // Check claims
+        parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument());
+        claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+
+        webClient.close();
+    }
+    
+    @org.junit.Test
+    public void testSuccessfulSSOInvokeOnIdPWithForceAuthn() throws Exception {
+        OpenSAMLUtil.initSamlEngine();
+        
+        // Create SAML AuthnRequest
+        Document doc = DOMUtils.createDocument();
+        doc.appendChild(doc.createElement("root"));
+        // Create the AuthnRequest
+        String consumerURL = "https://localhost:" + getRpHttpsPort() + "/" 
+            + getServletContextName() + "/secure/fedservlet";
+        AuthnRequest authnRequest = 
+            new DefaultAuthnRequestBuilder().createAuthnRequest(
+                null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL
+            );
+        authnRequest.setForceAuthn(Boolean.TRUE);
+        authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml");
+        signAuthnRequest(authnRequest);
+        
+        Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
+        String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
+
+        String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
+
+        String relayState = UUID.randomUUID().toString();
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+        url += SSOConstants.RELAY_STATE + "=" + relayState;
+        url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
+        
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+        
+        //
+        // First invocation
+        //
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+        
+        org.opensaml.saml.saml2.core.Response samlResponse = 
+            parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID());
+        String expected = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue());
+        
+        // Check claims
+        String parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument());
+        String claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        
+        //
+        // Second invocation
+        //
+        
+        webClient.getOptions().setJavaScriptEnabled(false);
+        idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+        
+        samlResponse = parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID());
+        expected = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue());
+        
+        // Check claims
+        parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument());
+        claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+
+        webClient.close();
+    }
+    
     //
     // Negative tests
     //
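Review bot: The two new tests each repeat the same sequence (build and sign the AuthnRequest, deflate/encode it, drive the WebClient, check the three claims), and the claim-check block alone appears four times in this hunk; helpers such as `buildSignedAuthnRequest(boolean forceAuthn)` and `assertClaimsPresent(Response samlResponse)` would leave only the ForceAuthn difference visible in each test body. The Authorization headers in `testSuccessfulSSOInvokeOnIdP` use `getBytes()` with no charset while the same file uses `StandardCharsets.UTF_8` elsewhere; `getBytes(StandardCharsets.UTF_8)` keeps them consistent. The comment before the second invocation says the credentials are changed to check the session, but does not say what outcome proves it; presumably the `mallory` header is expected to be ignored because the session established by the first call is reused, and stating that in the comment would make the Success assertion self-explanatory. `webClient.close()` is only reached when every assertion passes.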
@@ -1068,6 +1238,82 @@ public class IdpTest {
         webClient.close();
     }
     
+    @org.junit.Test
+    public void testForceAuthnWrongCredentials() throws Exception {
+        OpenSAMLUtil.initSamlEngine();
+        
+        // Create SAML AuthnRequest
+        Document doc = DOMUtils.createDocument();
+        doc.appendChild(doc.createElement("root"));
+        // Create the AuthnRequest
+        String consumerURL = "https://localhost:" + getRpHttpsPort() + "/" 
+            + getServletContextName() + "/secure/fedservlet";
+        AuthnRequest authnRequest = 
+            new DefaultAuthnRequestBuilder().createAuthnRequest(
+                null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL
+            );
+        authnRequest.setForceAuthn(Boolean.TRUE);
+        authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml");
+        signAuthnRequest(authnRequest);
+        
+        Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
+        String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
+
+        String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
+
+        String relayState = UUID.randomUUID().toString();
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+        url += SSOConstants.RELAY_STATE + "=" + relayState;
+        url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
+        
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.addRequestHeader("Authorization", "Basic " + Base64.encode((user + ":" + password).getBytes()));
+        
+        //
+        // First invocation
+        //
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+        
+        org.opensaml.saml.saml2.core.Response samlResponse = 
+            parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID());
+        String expected = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue());
+        
+        // Check claims
+        String parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument());
+        String claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue(parsedResponse.contains(claim));
+        
+        //
+        // Second invocation - change the credentials, this should fail
+        //
+        
+        webClient.removeRequestHeader("Authorization");
+        webClient.addRequestHeader("Authorization", "Basic " + Base64.encode(("mallory" + ":" + password).getBytes()));
+        
+        webClient.getOptions().setJavaScriptEnabled(false);
+        try {
+            webClient.getPage(url);
+            Assert.fail("Authentication failure expected");
+        }  catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 401);
+        }
+        
+        webClient.close();
+    }
+    
     private String encodeAuthnRequest(Element authnRequest) throws IOException {
         String requestMessage = DOM2Writer.nodeToString(authnRequest);
         


[2/4] cxf-fediz git commit: [FEDIZ-164] - IdP default flow doesn't support multiple realms

Posted by co...@apache.org.
[FEDIZ-164] - IdP default flow doesn't support multiple realms


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ec486bf6
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ec486bf6
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ec486bf6

Branch: refs/heads/master
Commit: ec486bf662ef504c177a80ec031dca48aedfe806
Parents: 188e20c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 13 15:32:54 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 13 15:32:54 2016 +0100

----------------------------------------------------------------------
 .../src/main/webapp/WEB-INF/flows/federation-validate-request.xml  | 2 +-
 .../idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ec486bf6/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index a242c80..2964176 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -38,7 +38,7 @@
             <set name="flowScope.code" value="requestParameters.code" />
             <evaluate expression="requestScope.getString('wauth','default')"
                 result="flowScope.wauth" />
-            <set name="flowScope.idpConfig" value="config.getIDP(null)" />
+            <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
         </on-entry>
         <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
             then="selectSignOutProcess" />
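Review bot: `config.getIDP(fedizEntryPoint.getRealm())` replaces the null lookup, but nothing in the visible lines handles the case where no IdP is configured for the realm the entry point reports; whether `getIDP` returns null or throws is not shown here, and a null `flowScope.idpConfig` would surface later in the flow rather than at this point. A check right after the `on-entry` block that routes to the flow's bad-request handling would fail fast, and the same applies to the identical change in saml-validate-request.xml below. A short XML comment such as `<!-- realm comes from the entry point so one flow can serve multiple realms (FEDIZ-164) -->` would record why the null argument was dropped.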

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ec486bf6/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index ae05ae2..4479a5b 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -28,7 +28,7 @@
             <set name="flowScope.RelayState" value="requestParameters.RelayState" />
             <set name="flowScope.SAMLRequest" value="requestParameters.SAMLRequest" />
             <set name="flowScope.Signature" value="requestParameters.Signature" />
-            <set name="flowScope.idpConfig" value="config.getIDP(null)" />
+            <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
         </on-entry>
         <if test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0"
             then="handleBadRequestError" />