You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2014/10/17 17:39:22 UTC
[1/2] git commit: Added an initial test-case for JAAS support in the
STS
Repository: cxf
Updated Branches:
refs/heads/master 3f35e9997 -> ea512e887
Added an initial test-case for JAAS support in the STS
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ea512e88
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ea512e88
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ea512e88
Branch: refs/heads/master
Commit: ea512e8872de2568089d526c77263b1fe5de1713
Parents: 093bb31
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Oct 17 16:33:39 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Oct 17 16:36:29 2014 +0100
----------------------------------------------------------------------
.../sts/deployment/CustomClaimsHandler.java | 76 +++++++++++++
.../systest/sts/jaas/ClaimsCallbackHandler.java | 68 ++++++++++++
.../apache/cxf/systest/sts/jaas/JAASTest.java | 106 +++++++++++++++++++
.../org/apache/cxf/systest/sts/jaas/Server.java | 46 ++++++++
.../systest/sts/deployment/cxf-transport.xml | 21 +++-
.../apache/cxf/systest/sts/jaas/DoubleIt.wsdl | 53 ++++++++++
.../apache/cxf/systest/sts/jaas/cxf-client.xml | 37 +++++++
.../apache/cxf/systest/sts/jaas/cxf-service.xml | 100 +++++++++++++++++
8 files changed, 506 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/ea512e88/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
new file mode 100644
index 0000000..d77b355
--- /dev/null
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
@@ -0,0 +1,76 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.deployment;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.cxf.rt.security.claims.Claim;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.sts.claims.ClaimsHandler;
+import org.apache.cxf.sts.claims.ClaimsParameters;
+import org.apache.cxf.sts.claims.ProcessedClaim;
+import org.apache.cxf.sts.claims.ProcessedClaimCollection;
+
+/**
+ * A custom ClaimsHandler implementation for use in the tests.
+ */
+public class CustomClaimsHandler implements ClaimsHandler {
+
+ public static final URI ROLE =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
+ public static final URI GIVEN_NAME =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
+ public static final URI LANGUAGE =
+ URI.create("http://schemas.mycompany.com/claims/language");
+
+ public ProcessedClaimCollection retrieveClaimValues(
+ ClaimCollection claims, ClaimsParameters parameters) {
+
+ if (claims != null && claims.size() > 0) {
+ ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
+ for (Claim requestClaim : claims) {
+ ProcessedClaim claim = new ProcessedClaim();
+ claim.setClaimType(requestClaim.getClaimType());
+ claim.setIssuer("Test Issuer");
+ claim.setOriginalIssuer("Original Issuer");
+ if (ROLE.equals(requestClaim.getClaimType())) {
+ claim.addValue("admin-user");
+ } else if (GIVEN_NAME.equals(requestClaim.getClaimType())) {
+ claim.addValue(parameters.getPrincipal().getName());
+ } else if (LANGUAGE.equals(requestClaim.getClaimType())) {
+ claim.addValue(parameters.getPrincipal().getName());
+ }
+ claimCollection.add(claim);
+ }
+ return claimCollection;
+ }
+ return null;
+ }
+
+ public List<URI> getSupportedClaimTypes() {
+ List<URI> list = new ArrayList<URI>();
+ list.add(ROLE);
+ list.add(GIVEN_NAME);
+ list.add(LANGUAGE);
+ return list;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/ea512e88/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/ClaimsCallbackHandler.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/ClaimsCallbackHandler.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/ClaimsCallbackHandler.java
new file mode 100644
index 0000000..cb0b701
--- /dev/null
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/ClaimsCallbackHandler.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.sts.jaas;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.security.trust.claims.ClaimsCallback;
+
+/**
+ * This CallbackHandler implementation creates a Claims Element for a "role" ClaimType and
+ * stores it on the ClaimsCallback object.
+ */
+public class ClaimsCallbackHandler implements CallbackHandler {
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof ClaimsCallback) {
+ ClaimsCallback callback = (ClaimsCallback) callbacks[i];
+ callback.setClaims(createClaims());
+
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+ }
+ }
+ }
+
+ /**
+ * Create a Claims Element for a "role"
+ */
+ private Element createClaims() {
+ Document doc = DOMUtils.createDocument();
+ Element claimsElement =
+ doc.createElementNS("http://docs.oasis-open.org/ws-sx/ws-trust/200512", "Claims");
+ claimsElement.setAttributeNS(null, "Dialect", "http://schemas.xmlsoap.org/ws/2005/05/identity");
+ Element claimType =
+ doc.createElementNS("http://schemas.xmlsoap.org/ws/2005/05/identity", "ClaimType");
+ claimType.setAttributeNS(null, "Uri", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
+ claimsElement.appendChild(claimType);
+ return claimsElement;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/ea512e88/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
new file mode 100644
index 0000000..348b5e8
--- /dev/null
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.jaas;
+
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.systest.sts.common.SecurityTestUtil;
+import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.example.contract.doubleit.DoubleItPortType;
+import org.junit.BeforeClass;
+
+/**
+ * This tests JAAS authentication to the STS. The service has a UsernameToken policy.
+ * The client sends a WS-Security UsernameToken, and it is dispatches to the STS for
+ * validation via JAAS. The service also asks for a SAML Token with roles enabled in it,
+ * and these roles are stored in the security context for authorization.
+ */
+public class JAASTest extends AbstractBusClientServerTestBase {
+
+ static final String STSPORT = allocatePort(STSServer.class);
+ static final String STSPORT2 = allocatePort(STSServer.class, 2);
+
+ private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
+ private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
+
+ private static final String PORT = allocatePort(Server.class);
+
+ @BeforeClass
+ public static void startServers() throws Exception {
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(Server.class, true)
+ );
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(STSServer.class, true)
+ );
+ }
+
+ @org.junit.AfterClass
+ public static void cleanup() throws Exception {
+ SecurityTestUtil.cleanup();
+ stopAllServers();
+ }
+
+ @org.junit.Test
+ public void testSuccessfulAuthentication() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = JAASTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = JAASTest.class.getResource("DoubleIt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItUTPort");
+ DoubleItPortType utPort =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(utPort, PORT);
+
+ ((BindingProvider)utPort).getRequestContext().put(
+ SecurityConstants.USERNAME, "alice");
+ ((BindingProvider)utPort).getRequestContext().put(
+ SecurityConstants.PASSWORD, "clarinet");
+
+ doubleIt(utPort, 25);
+
+ ((java.io.Closeable)utPort).close();
+ bus.shutdown(true);
+ }
+
+ private static void doubleIt(DoubleItPortType port, int numToDouble) {
+ int resp = port.doubleIt(numToDouble);
+ assertEquals(numToDouble * 2 , resp);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/ea512e88/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/Server.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/Server.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/Server.java
new file mode 100644
index 0000000..1e69ebb
--- /dev/null
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/Server.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.jaas;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+ public Server() {
+
+ }
+
+ protected void run() {
+ URL busFile = Server.class.getResource("cxf-service.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+
+ try {
+ new Server();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/ea512e88/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
index c01a44d..d1a055a 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
@@ -25,6 +25,13 @@
</cxf:features>
</cxf:bus>
<bean id="hokDelegationHandler" class="org.apache.cxf.sts.token.delegation.HOKDelegationHandler"/>
+ <bean id="utDelegationHandler" class="org.apache.cxf.sts.token.delegation.UsernameTokenDelegationHandler"/>
+
+ <util:list id="delegationHandlers">
+ <ref bean="hokDelegationHandler"/>
+ <ref bean="utDelegationHandler"/>
+ </util:list>
+
<bean id="transportSTSProviderBean2" class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
<property name="issueOperation" ref="transportIssueDelegate2"/>
<property name="validateOperation" ref="transportValidateDelegate2"/>
@@ -35,6 +42,7 @@
<property name="services" ref="transportService"/>
<property name="stsProperties" ref="transportSTSProperties"/>
<property name="delegationHandlers" ref="hokDelegationHandler"/>
+ <property name="claimsManager" ref="claimsManager"/>
</bean>
<bean id="transportValidateDelegate2" class="org.apache.cxf.sts.operation.TokenValidateOperation">
<property name="tokenValidators" ref="transportTokenValidators2"/>
@@ -57,14 +65,18 @@
<property name="tokenValidators" ref="transportTokenValidators"/>
<property name="services" ref="transportService"/>
<property name="stsProperties" ref="transportSTSProperties"/>
- <property name="delegationHandlers" ref="hokDelegationHandler"/>
+ <property name="delegationHandlers" ref="delegationHandlers"/>
+ <property name="claimsManager" ref="claimsManager"/>
</bean>
<bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
<property name="tokenValidators" ref="transportTokenValidators"/>
<property name="stsProperties" ref="transportSTSProperties"/>
</bean>
+ <bean id="transportUTTokenValidator" class="org.apache.cxf.sts.token.validator.UsernameTokenValidator">
+ </bean>
<util:list id="transportTokenValidators">
<ref bean="transportSamlTokenValidator"/>
+ <ref bean="transportUTTokenValidator"/>
</util:list>
<util:list id="transportTokenProviders">
<ref bean="transportSamlTokenProvider"/>
@@ -116,6 +128,13 @@
<property name="relationships" ref="relationships"/>
<property name="samlRealmCodec" ref="samlRealmCodec"/>
</bean>
+
+ <bean id="claimsManager" class="org.apache.cxf.sts.claims.ClaimsManager">
+ <property name="claimHandlers" ref="customClaimsHandler"/>
+ </bean>
+ <bean id="customClaimsHandler" class="org.apache.cxf.systest.sts.deployment.CustomClaimsHandler">
+ </bean>
+
<jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="transportSTS" implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport" wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port" depends-on="ClientAuthHttpsSettings">
<jaxws:properties>
<entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
http://git-wip-us.apache.org/repos/asf/cxf/blob/ea512e88/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/DoubleIt.wsdl
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/DoubleIt.wsdl b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/DoubleIt.wsdl
new file mode 100644
index 0000000..27a483a
--- /dev/null
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/DoubleIt.wsdl
@@ -0,0 +1,53 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:di="http://www.example.org/schema/DoubleIt" xmlns:tns="http://www.example.org/contract/DoubleIt" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsaw="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" name="DoubleIt" targetNamespace="http://www.example.org/contract/DoubleIt">
+ <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" namespace="http://www.example.org/contract/DoubleIt"/>
+ <wsdl:binding name="DoubleItUTBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItUTPolicy"/>
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction=""/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:service name="DoubleItService">
+ <wsdl:port name="DoubleItUTPort" binding="tns:DoubleItUTBinding">
+ <soap:address location="https://localhost:8081/doubleit/services/doubleitut"/>
+ </wsdl:port>
+ </wsdl:service>
+ <wsp:Policy wsu:Id="DoubleItUTPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy/>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+</wsdl:definitions>
http://git-wip-us.apache.org/repos/asf/cxf/blob/ea512e88/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-client.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-client.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-client.xml
new file mode 100644
index 0000000..bed086d
--- /dev/null
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-client.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:cxf="http://cxf.apache.org/core" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <http:conduit name="https://localhost.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:keyManagers keyPassword="ckpass">
+ <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/ea512e88/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml
new file mode 100644
index 0000000..b72469c
--- /dev/null
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation=" http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+ <bean id="roleClaimsCallbackHandler"
+ class="org.apache.cxf.systest.sts.jaas.ClaimsCallbackHandler" />
+
+ <bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
+ <constructor-arg ref="cxf"/>
+ <property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport?wsdl"/>
+ <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+ <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
+ <property name="properties">
+ <map>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.password" value="trombone"/>
+ </map>
+ </property>
+ <property name="claimsCallbackHandler" ref="roleClaimsCallbackHandler"/>
+ <property name="tokenType"
+ value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+ </bean>
+
+ <bean id="authorizationInterceptor"
+ class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
+ <property name="methodRolesMap">
+ <map>
+ <entry key="doubleIt" value="admin-user"/>
+ </map>
+ </property>
+ </bean>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitut" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItUTPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleitut" wsdlLocation="org/apache/cxf/systest/sts/jaas/DoubleIt.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.ut.validator">
+ <bean class="org.apache.cxf.ws.security.trust.STSTokenValidator">
+ <constructor-arg value="true"/>
+ <property name="useIssueBinding" value="true"/>
+ </bean>
+ </entry>
+ <entry key="ws-security.sts.client">
+ <ref bean="stsClient"/>
+ </entry>
+ </jaxws:properties>
+ <jaxws:inInterceptors>
+ <ref bean="authorizationInterceptor"/>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+
+ <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
+ <httpj:engine port="${testutil.ports.Server}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/>
+ </sec:trustManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="true" required="true"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <http:conduit name="https://localhost.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
[2/2] git commit: Added support for token transformation in the
UsernameTokenInterceptor
Posted by co...@apache.org.
Added support for token transformation in the UsernameTokenInterceptor
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/093bb317
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/093bb317
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/093bb317
Branch: refs/heads/master
Commit: 093bb3172ec8f2c4e12ac4f35334f22225d80c13
Parents: 3f35e99
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Oct 17 16:33:13 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Oct 17 16:36:29 2014 +0100
----------------------------------------------------------------------
.../wss4j/UsernameTokenInterceptor.java | 45 +++++++++++++++++---
1 file changed, 39 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/093bb317/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
index 0c3196e..4325ad9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
@@ -23,13 +23,13 @@ import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
-
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.headers.Header;
@@ -37,7 +37,11 @@ import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
+import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.SAMLUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -45,8 +49,10 @@ import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.principal.UsernameTokenPrincipal;
import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.WSSConfig;
@@ -89,24 +95,30 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName())
&& WSConstants.WSSE_NS.equals(child.getNamespaceURI())) {
try {
- Principal principal = null;
+ boolean bspCompliant = isWsiBSPCompliant(message);
+ Principal principal = parseTokenAndCreatePrincipal(child, bspCompliant);
Subject subject = null;
+ Object transformedToken = null;
+
if (utWithCallbacks) {
final WSSecurityEngineResult result = validateToken(child, message);
- principal = (Principal)result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
subject = (Subject)result.get(WSSecurityEngineResult.TAG_SUBJECT);
+ transformedToken = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
} else {
- boolean bspCompliant = isWsiBSPCompliant(message);
principal = parseTokenAndCreatePrincipal(child, bspCompliant);
WSS4JTokenConverter.convertToken(message, principal);
}
SecurityContext sc = message.get(SecurityContext.class);
if (sc == null || sc.getUserPrincipal() == null) {
- if (subject != null && principal != null) {
+ if (transformedToken instanceof SamlAssertionWrapper) {
+ message.put(SecurityContext.class,
+ createSecurityContext(message,
+ (SamlAssertionWrapper)transformedToken));
+ } else if (subject != null && principal != null) {
message.put(SecurityContext.class,
createSecurityContext(principal, subject));
- } else if (principal instanceof UsernameTokenPrincipal) {
+ } else {
UsernameTokenPrincipal utPrincipal = (UsernameTokenPrincipal)principal;
String nonce = null;
if (utPrincipal.getNonce() != null) {
@@ -132,6 +144,26 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
}
}
+ private SecurityContext createSecurityContext(Message msg,
+ SamlAssertionWrapper samlAssertion) {
+ String roleAttributeName =
+ (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+ if (roleAttributeName == null || roleAttributeName.length() == 0) {
+ roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
+ }
+
+ ClaimCollection claims =
+ SAMLUtils.getClaims((SamlAssertionWrapper)samlAssertion);
+ Set<Principal> roles =
+ SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
+
+ SAMLSecurityContext context =
+ new SAMLSecurityContext(new SAMLTokenPrincipalImpl(samlAssertion), roles, claims);
+ context.setIssuer(SAMLUtils.getIssuer(samlAssertion));
+ context.setAssertionElement(SAMLUtils.getAssertionElement(samlAssertion));
+ return context;
+ }
+
@Deprecated
protected UsernameTokenPrincipal getPrincipal(Element tokenElement, final SoapMessage message) {
return null;
@@ -191,6 +223,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
if (!bspCompliant) {
data.setDisableBSPEnforcement(true);
}
+ data.setMsgContext(message);
List<WSSecurityEngineResult> results = p.handleToken(tokenElement, data, wsDocInfo);
return results.get(0);
}