Posted to commits@cxf.apache.org by co...@apache.org on 2013/07/04 15:10:05 UTC
svn commit: r1499740 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
services/sts/systests/basic/src/test/java/org/apache/cxf/sy...
Author: coheigea
Date: Thu Jul 4 13:10:04 2013
New Revision: 1499740
URL: http://svn.apache.org/r1499740
Log:
Some initial work on streaming WS-Trust integration
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java
cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java Thu Jul 4 13:10:04 2013
@@ -49,6 +49,8 @@ import org.apache.cxf.ws.security.trust.
import org.apache.cxf.ws.security.trust.STSUtils;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
@@ -89,6 +91,11 @@ public class IssuedTokenInterceptorProvi
this.getOutFaultInterceptors().add(new IssuedTokenOutInterceptor());
this.getInInterceptors().add(new IssuedTokenInInterceptor());
this.getInFaultInterceptors().add(new IssuedTokenInInterceptor());
+
+ this.getOutInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+ this.getOutFaultInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+ this.getInInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
+ this.getInFaultInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
}
static final TokenStore createTokenStore(Message message) {
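Review bot: The StAX in/out interceptors are added unconditionally to the same four chains that (judging by the imports at the top of this file) already carry the DOM `PolicyBasedWSS4J*` interceptors, so every message now passes through both pairs; that is only safe if each interceptor returns early unless its mode is selected by `SecurityConstants.ENABLE_STREAMING_SECURITY`, which cannot be confirmed from this hunk. A one-line comment above the new adds, `// Both the DOM and StAX variants are registered; each must be a no-op unless its mode is selected via ENABLE_STREAMING_SECURITY`, would record that assumption for the next reader. It is also worth confirming the fault chains behave the same way, since an active pair on the in-fault chain would process faults twice. The constructor continues outside the hunk.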
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java Thu Jul 4 13:10:04 2013
@@ -37,6 +37,8 @@ import javax.security.auth.callback.Unsu
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
+import org.w3c.dom.Element;
+
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.i18n.Message;
@@ -55,6 +57,7 @@ import org.apache.neethi.Assertion;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
@@ -66,6 +69,7 @@ import org.apache.wss4j.policy.model.Abs
import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
import org.apache.wss4j.policy.model.EncryptedParts;
import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.KerberosToken;
import org.apache.wss4j.policy.model.KeyValueToken;
import org.apache.wss4j.policy.model.Layout;
@@ -305,6 +309,40 @@ public abstract class AbstractStaxBindin
return new SecurePart(qname, Modifier.Element);
}
+ protected void addIssuedToken(IssuedToken token, SecurityToken secToken,
+ boolean signed, boolean endorsing) {
+ if (isTokenRequired(token.getIncludeTokenType())) {
+ final Element el = secToken.getToken();
+
+ String samlAction = ConfigurationConstants.SAML_TOKEN_UNSIGNED;
+ if (signed || endorsing) {
+ samlAction = ConfigurationConstants.SAML_TOKEN_SIGNED;
+ }
+ Map<String, Object> config = getProperties();
+ if (config.containsKey(ConfigurationConstants.ACTION)) {
+ String action = (String)config.get(ConfigurationConstants.ACTION);
+ config.put(ConfigurationConstants.ACTION, action + " " + samlAction);
+ } else {
+ config.put(ConfigurationConstants.ACTION, samlAction);
+ }
+
+ CallbackHandler callbackHandler = new CallbackHandler() {
+
+ @Override
+ public void handle(Callback[] callbacks) {
+ for (Callback callback : callbacks) {
+ if (callback instanceof SAMLCallback) {
+ SAMLCallback samlCallback = (SAMLCallback)callback;
+ samlCallback.setAssertionElement(el);
+ }
+ }
+ }
+
+ };
+ config.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
+ }
+ }
+
protected void policyNotAsserted(Assertion assertion, String reason) {
if (assertion == null) {
return;
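Review bot: `addIssuedToken` dereferences `secToken.getToken()` on the first line inside the `isTokenRequired` branch with no null check on either the token or the element, and two of the three call sites added to `StaxTransportBindingHandler` in this same commit pass `getSecurityToken()` straight through, so a missing issued token surfaces as a NullPointerException from the outbound security handler rather than as a policy failure. A guard at the top of the branch, `if (secToken == null || secToken.getToken() == null) { policyNotAsserted(token, "No issued token available"); return; }`, keeps the failure mode consistent with the transport-token branch. The `ACTION` string is also appended blindly, so a second call for the same message would emit a second SAML action; a comment stating that the method is expected to run once per outbound message (or a check that `samlAction` is not already present) would make that explicit. Finally a short Javadoc noting that `signed`/`endorsing` only choose between `SAML_TOKEN_UNSIGNED` and `SAML_TOKEN_SIGNED`, and that the assertion element is handed to WSS4J unchanged through `SAML_CALLBACK_REF`, would help the next reader.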
@@ -428,60 +466,11 @@ public abstract class AbstractStaxBindin
}
}
- // boolean alsoIncludeToken = false;
- /* TODO if (token instanceof IssuedToken || token instanceof SamlToken) {
- SecurityToken securityToken = getSecurityToken();
- String tokenType = securityToken.getTokenType();
-
- Element ref;
- if (attached) {
- ref = securityToken.getAttachedReference();
- } else {
- ref = securityToken.getUnattachedReference();
- }
-
- if (ref != null) {
- SecurityTokenReference secRef =
- new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
- sig.setSecurityTokenReference(secRef);
- sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- } else {
- int type = attached ? WSConstants.CUSTOM_SYMM_SIGNING
- : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
- if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
- || WSConstants.SAML_NS.equals(tokenType)) {
- sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
- sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
- || WSConstants.SAML2_NS.equals(tokenType)) {
- sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
- sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- } else {
- sig.setCustomTokenValueType(tokenType);
- sig.setKeyIdentifierType(type);
- }
- }
-
- String sigTokId;
- if (attached) {
- sigTokId = securityToken.getWsuId();
- if (sigTokId == null) {
- sigTokId = securityToken.getId();
- }
- if (sigTokId.startsWith("#")) {
- sigTokId = sigTokId.substring(1);
- }
- } else {
- sigTokId = securityToken.getId();
- }
-
- sig.setCustomTokenId(sigTokId);
- } else {
- */
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
AbstractBinding binding = getBinding(aim);
- config.put(ConfigurationConstants.SIG_KEY_ID, getKeyIdentifierType(wrapper, token));
+ config.put(ConfigurationConstants.SIG_KEY_ID, getKeyIdentifierType(wrapper, token));
+
// Find out do we also need to include the token as per the Inclusion requirement
if (token instanceof X509Token
&& token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER
@@ -510,9 +499,6 @@ public abstract class AbstractStaxBindin
config.put(ConfigurationConstants.SIG_DIGEST_ALGO, algType.getDigest());
// sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
- //if (alsoIncludeToken) {
- // includeToken(user, crypto, sig);
- //}
}
protected final TokenStore getTokenStore() {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java Thu Jul 4 13:10:04 2013
@@ -31,6 +31,7 @@ import org.apache.cxf.common.logging.Log
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -78,7 +79,12 @@ public class StaxTransportBindingHandler
if (tbinding != null) {
TransportToken token = tbinding.getTransportToken();
if (token.getToken() instanceof IssuedToken) {
- // TODO
+ SecurityToken secToken = getSecurityToken();
+ if (secToken == null) {
+ policyNotAsserted(token.getToken(), "No transport token id");
+ return;
+ }
+ addIssuedToken((IssuedToken)token.getToken(), secToken, false, false);
}
}
@@ -164,15 +170,8 @@ public class StaxTransportBindingHandler
for (AbstractToken token : sgndSuppTokens.getTokens()) {
if (token instanceof UsernameToken) {
addUsernameToken((UsernameToken)token);
- /*TODO
- else if (token instanceof IssuedToken) {
- SecurityToken secTok = getSecurityToken();
-
- if (includeToken(token.getIncludeTokenType())) {
- //Add the token
- addEncryptedKeyElement(cloneElement(secTok.getToken()));
- }
- } */
+ } else if (token instanceof IssuedToken) {
+ addIssuedToken((IssuedToken)token, getSecurityToken(), false, false);
} else if (token instanceof KerberosToken) {
addKerberosToken((KerberosToken)token, false, false);
} else if (token instanceof SamlToken) {
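Review bot: The new `IssuedToken` branch passes `getSecurityToken()` to `addIssuedToken` without the null check that the transport-token branch earlier in this commit performs, so a missing token ends in a NullPointerException inside `addIssuedToken` instead of a `policyNotAsserted` failure. Mirror the other branch before the call: `SecurityToken secTok = getSecurityToken(); if (secTok == null) { policyNotAsserted(token, "No issued token"); return; }`. Passing `signed=false` for a signed supporting token looks intentional under the transport binding, where TLS rather than a message signature protects the token, and matches what the removed DOM TODO did; a one-line comment saying so, `// Transport binding: token is protected by TLS, no message-level signature`, would stop a reader from "fixing" it. The enclosing method starts outside the hunk.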
@@ -181,7 +180,6 @@ public class StaxTransportBindingHandler
throw new Exception(token.getName() + " is not supported in the streaming code");
}
}
-
}
/**
@@ -251,15 +249,17 @@ public class StaxTransportBindingHandler
private void handleEndorsingToken(
AbstractToken token, SupportingTokens wrapper
) throws Exception {
- /* TODO if (token instanceof IssuedToken
- || token instanceof SecureConversationToken
+ if (token instanceof IssuedToken) {
+ addIssuedToken((IssuedToken)token, getSecurityToken(), false, true);
+ doSignature(token, wrapper);
+ /* TODO if (token instanceof SecureConversationToken
|| token instanceof SecurityContextToken
|| token instanceof SpnegoContextToken) {
addSig(doIssuedTokenSignature(token, wrapper));
- } else */
- if (token instanceof X509Token
+ */
+ } else if (token instanceof X509Token
|| token instanceof KeyValueToken) {
- doX509TokenSignature(token, wrapper);
+ doSignature(token, wrapper);
} else if (token instanceof SamlToken) {
addSamlToken((SamlToken)token, false, true);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
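Review bot: For an endorsing `IssuedToken` the new branch calls `doSignature`, which is just the renamed `doX509TokenSignature`, so the signature appears to be configured the same way as for an X.509 token, whereas an endorsing issued token has to sign with the token's proof key and reference the SAML assertion — which is what the DOM code deleted in the `AbstractStaxBindingHandler` hunk did with `CUSTOM_KEY_IDENTIFIER` and the security token reference. That the streaming `doubleIt` in `TransportBindingTest.testSAML1Endorsing` is left commented out is consistent with this path not yet working; until it does, a `// TODO: signing key and token reference for endorsing issued tokens are not yet wired for streaming` on the `doSignature(token, wrapper);` line would flag it, and the stray commented `addSig(doIssuedTokenSignature(...))` fragment left inside the branch could be removed rather than carried. The same unchecked `getSecurityToken()` concern as the signed-supporting-token branch applies here. `handleEndorsingToken` continues outside the hunk.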
@@ -283,7 +283,7 @@ public class StaxTransportBindingHandler
}
}
- private void doX509TokenSignature(AbstractToken token, SupportingTokens wrapper)
+ private void doSignature(AbstractToken token, SupportingTokens wrapper)
throws Exception {
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java (original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java Thu Jul 4 13:10:04 2013
@@ -109,6 +109,17 @@ public class BearerTest extends Abstract
TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
}
+ // DOM
+ doubleIt(transportSaml2Port, 45);
+
+ // Streaming
+ transportSaml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportSaml2Port, PORT);
+ if (standalone) {
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
+ }
+ SecurityTestUtil.enableStreaming(transportSaml2Port);
doubleIt(transportSaml2Port, 45);
((java.io.Closeable)transportSaml2Port).close();
@@ -185,8 +196,19 @@ public class BearerTest extends Abstract
TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
}
+ // DOM
doubleIt(transportSaml2Port, 45);
+ // Streaming
+ transportSaml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportSaml2Port, PORT);
+ if (standalone) {
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
+ }
+ SecurityTestUtil.enableStreaming(transportSaml2Port);
+ // TODO See WSS-358 doubleIt(transportSaml2Port, 45);
+
((java.io.Closeable)transportSaml2Port).close();
bus.shutdown(true);
}
Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java (original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java Thu Jul 4 13:10:04 2013
@@ -20,6 +20,11 @@ package org.apache.cxf.systest.sts.commo
import java.io.File;
+import javax.xml.ws.BindingProvider;
+
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.example.contract.doubleit.DoubleItPortType;
+
/**
* A utility class for security tests
*/
@@ -46,4 +51,13 @@ public final class SecurityTestUtil {
}
}
+ public static void enableStreaming(DoubleItPortType port) {
+ ((BindingProvider)port).getRequestContext().put(
+ SecurityConstants.ENABLE_STREAMING_SECURITY, "true"
+ );
+ ((BindingProvider)port).getResponseContext().put(
+ SecurityConstants.ENABLE_STREAMING_SECURITY, "true"
+ );
+ }
+
}
Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java (original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java Thu Jul 4 13:10:04 2013
@@ -95,7 +95,17 @@ public class TransportBindingTest extend
if (standalone) {
TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
}
+
+ // DOM
+ doubleIt(transportSaml1Port, 25);
+ // Streaming
+ transportSaml1Port = service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportSaml1Port, PORT);
+ if (standalone) {
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
+ }
+ SecurityTestUtil.enableStreaming(transportSaml1Port);
doubleIt(transportSaml1Port, 25);
((java.io.Closeable)transportSaml1Port).close();
@@ -122,8 +132,19 @@ public class TransportBindingTest extend
TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
}
+ // DOM
doubleIt(transportSaml2Port, 30);
+ // Streaming
+ transportSaml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportSaml2Port, PORT);
+ if (standalone) {
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
+ }
+ SecurityTestUtil.enableStreaming(transportSaml2Port);
+ doubleIt(transportSaml2Port, 25);
+
((java.io.Closeable)transportSaml2Port).close();
bus.shutdown(true);
}
@@ -154,6 +175,22 @@ public class TransportBindingTest extend
TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
}
+ // DOM
+ try {
+ doubleIt(transportSaml1Port, 35);
+ fail("Expected failure on an unknown client");
+ } catch (javax.xml.ws.soap.SOAPFaultException fault) {
+ // expected
+ }
+
+ // Streaming
+ transportSaml1Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportSaml1Port, PORT);
+ if (standalone) {
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
+ }
+ SecurityTestUtil.enableStreaming(transportSaml1Port);
try {
doubleIt(transportSaml1Port, 35);
fail("Expected failure on an unknown client");
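Review bot: Both halves of the unknown-client test treat any `SOAPFaultException` as the expected failure (the `// expected` catch is visible in the DOM half and is presumably repeated after the hunk for the streaming half), so with a streaming path this commit only partly wires up, a fault raised for an unrelated reason — for instance the `" is not supported in the streaming code"` exception thrown by `StaxTransportBindingHandler` — would make the negative test pass while proving nothing about client authentication. Assert on the fault so the two cases are distinguished, e.g. `assertTrue(fault.getMessage(), fault.getMessage().contains(...))` with the security-fault text the DOM run actually produces (not visible here), or at least document in a comment which fault is being accepted and why. The test method continues outside the hunk.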
@@ -164,7 +201,7 @@ public class TransportBindingTest extend
((java.io.Closeable)transportSaml1Port).close();
bus.shutdown(true);
}
-
+
@org.junit.Test
public void testSAML1Endorsing() throws Exception {
@@ -185,8 +222,19 @@ public class TransportBindingTest extend
TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
}
+ // DOM
doubleIt(transportSaml1Port, 40);
+ // Streaming
+ transportSaml1Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportSaml1Port, PORT);
+ if (standalone) {
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
+ }
+ SecurityTestUtil.enableStreaming(transportSaml1Port);
+ // TODO doubleIt(transportSaml1Port, 25);
+
((java.io.Closeable)transportSaml1Port).close();
bus.shutdown(true);
}
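Review bot: The streaming variant of `testSAML1Endorsing` builds, configures and closes a port but its `doubleIt` call is commented out with a bare `// TODO`, so the test passes without exercising the endorsing streaming path, and the commented value `25` does not even match the `40` used by the DOM half. Either reference the blocking issue the way `BearerTest` does (`// TODO See WSS-358`) or drop the streaming setup until it can assert something, so a green run is not mistaken for coverage; `// TODO endorsing issued tokens not yet supported in the streaming path: doubleIt(transportSaml1Port, 40);` is the minimal change. The test method continues outside the hunk.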
@@ -226,7 +274,6 @@ public class TransportBindingTest extend
((java.io.Closeable)transportSaml1Port).close();
bus.shutdown(true);
}
-
private static void doubleIt(DoubleItPortType port, int numToDouble) {
int resp = port.doubleIt(numToDouble);