You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2011/03/16 19:09:28 UTC
svn commit: r1082240 - in
/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j:
CustomSamlValidator.java SamlTokenTest.java
Author: coheigea
Date: Wed Mar 16 18:09:27 2011
New Revision: 1082240
URL: http://svn.apache.org/viewvc?rev=1082240&view=rev
Log:
Added a custom validator to the SAML unit tests.
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java
Modified:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SamlTokenTest.java
Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java?rev=1082240&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java (added)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java Wed Mar 16 18:09:27 2011
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j;
+
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.validate.Credential;
+import org.apache.ws.security.validate.SamlAssertionValidator;
+
+/**
+ * A trivial custom Validator for a SAML Assertion. It makes sure that the issuer is
+ * "www.example.com", checks the version of the assertion, and checks the subject confirmation
+ * method.
+ */
+public class CustomSamlValidator extends SamlAssertionValidator {
+
+ private boolean requireSAML1Assertion = true;
+ private boolean requireSenderVouches = true;
+
+ public void setRequireSAML1Assertion(boolean requireSAML1Assertion) {
+ this.requireSAML1Assertion = requireSAML1Assertion;
+ }
+
+ public void setRequireSenderVouches(boolean requireSenderVouches) {
+ this.requireSenderVouches = requireSenderVouches;
+ }
+
+ @Override
+ public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
+ Credential returnedCredential = super.validate(credential, data);
+
+ //
+ // Do some custom validation on the assertion
+ //
+ AssertionWrapper assertion = credential.getAssertion();
+ if (!"www.example.com".equals(assertion.getIssuerString())) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+ }
+
+ if (requireSAML1Assertion && assertion.getSaml1() == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+ } else if (!requireSAML1Assertion && assertion.getSaml2() == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+ }
+
+ String confirmationMethod = assertion.getConfirmationMethods().get(0);
+ if (confirmationMethod == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+ }
+ if (requireSenderVouches && !OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+ } else if (!requireSenderVouches
+ && !OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+ }
+
+ return returnedCredential;
+ }
+
+}
\ No newline at end of file
Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SamlTokenTest.java?rev=1082240&r1=1082239&r2=1082240&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SamlTokenTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SamlTokenTest.java Wed Mar 16 18:09:27 2011
@@ -25,6 +25,7 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.soap.MessageFactory;
@@ -40,12 +41,14 @@ import org.apache.cxf.binding.soap.SoapM
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils.NullResolver;
import org.apache.cxf.helpers.XMLUtils;
+import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.ExchangeImpl;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
@@ -77,8 +80,13 @@ public class SamlTokenTest extends Abstr
"org.apache.cxf.ws.security.wss4j.SAML1CallbackHandler"
);
- Map<String, String> inProperties = new HashMap<String, String>();
+ Map<String, Object> inProperties = new HashMap<String, Object>();
inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+ final Map<QName, Object> customMap = new HashMap<QName, Object>();
+ CustomSamlValidator validator = new CustomSamlValidator();
+ customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
+ customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
+ inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
List<String> xpaths = new ArrayList<String>();
xpaths.add("//wsse:Security");
@@ -108,8 +116,14 @@ public class SamlTokenTest extends Abstr
"org.apache.cxf.ws.security.wss4j.SAML2CallbackHandler"
);
- Map<String, String> inProperties = new HashMap<String, String>();
+ Map<String, Object> inProperties = new HashMap<String, Object>();
inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+ final Map<QName, Object> customMap = new HashMap<QName, Object>();
+ CustomSamlValidator validator = new CustomSamlValidator();
+ validator.setRequireSAML1Assertion(false);
+ customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
+ customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
+ inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
List<String> xpaths = new ArrayList<String>();
xpaths.add("//wsse:Security");
@@ -142,12 +156,17 @@ public class SamlTokenTest extends Abstr
WSHandlerConstants.SAML_CALLBACK_REF, new SAML1CallbackHandler()
);
- Map<String, String> inProperties = new HashMap<String, String>();
+ Map<String, Object> inProperties = new HashMap<String, Object>();
inProperties.put(
WSHandlerConstants.ACTION,
WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE
);
inProperties.put(WSHandlerConstants.SIG_PROP_FILE, "insecurity.properties");
+ final Map<QName, Object> customMap = new HashMap<QName, Object>();
+ CustomSamlValidator validator = new CustomSamlValidator();
+ customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
+ customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
+ inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
List<String> xpaths = new ArrayList<String>();
xpaths.add("//wsse:Security");
@@ -184,12 +203,18 @@ public class SamlTokenTest extends Abstr
WSHandlerConstants.SAML_CALLBACK_REF, new SAML2CallbackHandler()
);
- Map<String, String> inProperties = new HashMap<String, String>();
+ Map<String, Object> inProperties = new HashMap<String, Object>();
inProperties.put(
WSHandlerConstants.ACTION,
WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE
);
inProperties.put(WSHandlerConstants.SIG_PROP_FILE, "insecurity.properties");
+ final Map<QName, Object> customMap = new HashMap<QName, Object>();
+ CustomSamlValidator validator = new CustomSamlValidator();
+ validator.setRequireSAML1Assertion(false);
+ customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
+ customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
+ inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
List<String> xpaths = new ArrayList<String>();
xpaths.add("//wsse:Security");
@@ -230,16 +255,29 @@ public class SamlTokenTest extends Abstr
WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
);
- Map<String, String> inProperties = new HashMap<String, String>();
+ Map<String, Object> inProperties = new HashMap<String, Object>();
inProperties.put(
WSHandlerConstants.ACTION,
WSHandlerConstants.SAML_TOKEN_SIGNED + " " + WSHandlerConstants.SIGNATURE
);
inProperties.put(WSHandlerConstants.SIG_PROP_FILE, "insecurity.properties");
+ final Map<QName, Object> customMap = new HashMap<QName, Object>();
+ CustomSamlValidator validator = new CustomSamlValidator();
+ customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
+ customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
+ inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
List<String> xpaths = new ArrayList<String>();
xpaths.add("//wsse:Security");
xpaths.add("//wsse:Security/saml1:Assertion");
+
+ try {
+ makeInvocation(outProperties, xpaths, inProperties);
+ fail("Failure expected in SAML Validator");
+ } catch (Fault ex) {
+ // expected
+ }
+ validator.setRequireSenderVouches(false);
List<WSHandlerResult> handlerResults =
makeInvocation(outProperties, xpaths, inProperties);
@@ -275,16 +313,37 @@ public class SamlTokenTest extends Abstr
WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
);
- Map<String, String> inProperties = new HashMap<String, String>();
+ Map<String, Object> inProperties = new HashMap<String, Object>();
inProperties.put(
WSHandlerConstants.ACTION,
WSHandlerConstants.SAML_TOKEN_SIGNED + " " + WSHandlerConstants.SIGNATURE
);
inProperties.put(WSHandlerConstants.SIG_PROP_FILE, "insecurity.properties");
+ final Map<QName, Object> customMap = new HashMap<QName, Object>();
+ CustomSamlValidator validator = new CustomSamlValidator();
+ customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
+ customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
+ inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
List<String> xpaths = new ArrayList<String>();
xpaths.add("//wsse:Security");
xpaths.add("//wsse:Security/saml2:Assertion");
+
+ try {
+ makeInvocation(outProperties, xpaths, inProperties);
+ fail("Failure expected in SAML Validator");
+ } catch (Fault ex) {
+ // expected
+ }
+ validator.setRequireSenderVouches(false);
+
+ try {
+ makeInvocation(outProperties, xpaths, inProperties);
+ fail("Failure expected in SAML Validator");
+ } catch (Fault ex) {
+ // expected
+ }
+ validator.setRequireSAML1Assertion(false);
List<WSHandlerResult> handlerResults =
makeInvocation(outProperties, xpaths, inProperties);
@@ -304,7 +363,7 @@ public class SamlTokenTest extends Abstr
private List<WSHandlerResult> makeInvocation(
Map<String, Object> outProperties,
List<String> xpaths,
- Map<String, String> inProperties
+ Map<String, Object> inProperties
) throws Exception {
Document doc = readDocument("wsse-request-clean.xml");
@@ -348,16 +407,12 @@ public class SamlTokenTest extends Abstr
db.setEntityResolver(new NullResolver());
doc = StaxUtils.read(db, reader, false);
- WSS4JInInterceptor inHandler = new WSS4JInInterceptor();
+ WSS4JInInterceptor inHandler = new WSS4JInInterceptor(inProperties);
SoapMessage inmsg = new SoapMessage(new MessageImpl());
ex.setInMessage(inmsg);
inmsg.setContent(SOAPMessage.class, saajMsg);
- for (String key : inProperties.keySet()) {
- inHandler.setProperty(key, inProperties.get(key));
- }
-
inHandler.handleMessage(inmsg);
final List<WSHandlerResult> handlerResults =