Posted to commits@cxf.apache.org by co...@apache.org on 2013/09/20 17:24:50 UTC
svn commit: r1525033 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/
Author: coheigea
Date: Fri Sep 20 15:24:49 2013
New Revision: 1525033
URL: http://svn.apache.org/r1525033
Log:
[CXF-4442] - StAX support
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java?rev=1525033&r1=1525032&r2=1525033&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java Fri Sep 20 15:24:49 2013
@@ -444,6 +444,24 @@ public class PolicyBasedWSS4JStaxInInter
return false;
}
+ /**
+ * Is a SAML Cache required, i.e. are we expecting a SAML Token
+ */
+ @Override
+ protected boolean isSamlCacheRequired(SoapMessage msg) {
+ AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+ if (aim != null) {
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+
+ if (!ais.isEmpty()) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
@Override
protected List<SecurityEventListener> configureSecurityEventListeners(
SoapMessage msg, WSSSecurityProperties securityProperties
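Review bot: The Javadoc on the new isSamlCacheRequired (L26-L28) poses the question but does not document the contract; add `@param msg the inbound message whose AssertionInfoMap is consulted` and `@return true if the effective policy contains a SamlToken assertion (matched by local name, so independent of SP namespace version and nesting)`. The body collapses to a single expression, `return aim != null && !getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN).isEmpty();`, which reads more directly than the nested ifs. Note that the decision keys on the policy rather than on what arrives on the wire: a message carrying a SAML assertion while the policy has no SamlToken assertion gets no one-time-use cache from this path, presumably acceptable because policy validation rejects such a message, but that reasoning belongs in the Javadoc.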
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java?rev=1525033&r1=1525032&r2=1525033&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java Fri Sep 20 15:24:49 2013
@@ -235,6 +235,31 @@ public class WSS4JStaxInInterceptor exte
}
}
+ ReplayCache samlCache = null;
+ if (isSamlCacheRequired(msg)) {
+ samlCache = WSS4JUtils.getReplayCache(
+ msg, SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE,
+ SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE
+ );
+ }
+ if (samlCache == null) {
+ if (config != null) {
+ config.put(ConfigurationConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, "false");
+ config.remove(ConfigurationConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE);
+ } else {
+ securityProperties.setEnableSamlOneTimeUseReplayCache(false);
+ securityProperties.setSamlOneTimeUseReplayCache(null);
+ }
+ } else {
+ if (config != null) {
+ config.put(ConfigurationConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, "true");
+ config.put(ConfigurationConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE, samlCache);
+ } else {
+ securityProperties.setEnableSamlOneTimeUseReplayCache(true);
+ securityProperties.setSamlOneTimeUseReplayCache(samlCache);
+ }
+ }
+
boolean enableRevocation =
MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
if (securityProperties != null) {
@@ -319,6 +344,27 @@ public class WSS4JStaxInInterceptor exte
}
/**
+ * Is a SAML Cache required, i.e. are we expecting a SAML Token
+ */
+ protected boolean isSamlCacheRequired(SoapMessage msg) {
+ WSSSecurityProperties securityProperties = getSecurityProperties();
+
+ if (securityProperties != null && securityProperties.getOutAction() != null) {
+ for (WSSConstants.Action action : securityProperties.getOutAction()) {
+ if (action == WSSConstants.SAML_TOKEN_UNSIGNED
+ || action == WSSConstants.SAML_TOKEN_SIGNED) {
+ return true;
+ }
+ }
+ } else if (actions != null && (actions.contains(ConfigurationConstants.SAML_TOKEN_UNSIGNED)
+ || actions.contains(ConfigurationConstants.SAML_TOKEN_SIGNED))) {
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
* Create a SoapFault from a WSSecurityException, following the SOAP Message Security
* 1.1 specification, chapter 12 "Error Handling".
*
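Review bot: isSamlCacheRequired (L88-L104) reads `securityProperties.getOutAction()` inside an inbound interceptor; if that is the single action list WSSSecurityProperties exposes for both directions the check is correct, but the name invites the reading that outbound configuration drives an inbound replay check, so add a comment such as `// getOutAction() is the only action list on WSSSecurityProperties; it also describes the expected inbound actions` after confirming against the WSS4J version in use. The two branches are asymmetric as well: when securityProperties is non-null but its action array is null the `actions` list is consulted, whereas a non-null array without SAML actions causes the list to be ignored; say which is intended. The one-line Javadoc should also gain `@param msg` and `@return`.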
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java?rev=1525033&r1=1525032&r2=1525033&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java Fri Sep 20 15:24:49 2013
@@ -27,12 +27,16 @@ import javax.xml.ws.Service;
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.systest.ws.common.SecurityTestUtil;
import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
import org.apache.cxf.systest.ws.saml.client.SamlElementCallbackHandler;
import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
+import org.apache.cxf.systest.ws.ut.SecurityHeaderCacheInterceptor;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
@@ -1156,4 +1160,67 @@ public class StaxSamlTokenTest extends A
((java.io.Closeable)saml2Port).close();
bus.shutdown(true);
}
+
+ @org.junit.Test
+ public void testSaml2Replay() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort");
+ DoubleItPortType saml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(saml2Port, PORT2);
+
+ // Create a SAML Token with no "OneTimeUse" Condition
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", new SamlCallbackHandler()
+ );
+
+ Client cxfClient = ClientProxy.getClient(saml2Port);
+ SecurityHeaderCacheInterceptor cacheInterceptor =
+ new SecurityHeaderCacheInterceptor();
+ cxfClient.getOutInterceptors().add(cacheInterceptor);
+
+ // Make two invocations...should succeed
+ saml2Port.doubleIt(25);
+ saml2Port.doubleIt(25);
+
+ // Now create a SAML Token with a "OneTimeUse" Condition
+ ConditionsBean conditions = new ConditionsBean();
+ conditions.setTokenPeriodMinutes(5);
+ conditions.setOneTimeUse(true);
+
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setConditions(conditions);
+
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+
+ cxfClient.getOutInterceptors().remove(cacheInterceptor);
+ cacheInterceptor = new SecurityHeaderCacheInterceptor();
+ cxfClient.getOutInterceptors().add(cacheInterceptor);
+
+ // Make two invocations...should fail on the second one
+ saml2Port.doubleIt(25);
+
+ try {
+ saml2Port.doubleIt(25);
+ fail("Failure expected on a replayed SAML Assertion");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "A replay attack has been detected";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)saml2Port).close();
+ bus.shutdown(true);
+ }
+
}
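Review bot: The cleanup at L194-L195, `((java.io.Closeable)saml2Port).close();` and `bus.shutdown(true);`, is skipped whenever an assertion or an unexpected exception fires earlier in testSaml2Replay, so a failing run leaks the bus into later tests; move the two lines into a `finally` around the body from L158 onward. The assertion at L190-L191 pins the fault text "A replay attack has been detected", which couples the test to a message string produced outside this project; acceptable for a systest, but a comment should say the coupling is deliberate. The two calls at L164-L165 only show that a token without OneTimeUse may be replayed; make the comment explicit, e.g. `// Without a OneTimeUse condition the replayed header must be accepted`.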
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml?rev=1525033&r1=1525032&r2=1525033&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml Fri Sep 20 15:24:49 2013
@@ -482,4 +482,24 @@
</jaxws:inInterceptors>
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="Saml2TransportToken"
+ address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItSaml2TransportPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties" value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
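Review bot: The endpoint at L207-L225 relies on the default of SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE to obtain the replay cache the new test depends on; setting that property explicitly in jaxws:properties would make the fixture self-describing and protect the test from a future default change. The certificate constraint at L221, `.*O=apache.org.*`, leaves the dot unescaped, so a subject containing `O=apacheXorg` also satisfies it; harmless for a fixture, but as a pattern people copy it should read `.*O=apache\.org.*`.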