Posted to commits@cxf.apache.org by co...@apache.org on 2015/07/17 16:17:09 UTC
[1/5] cxf git commit: Revert PEP merge from yesterday
Repository: cxf
Updated Branches:
refs/heads/master b52efaeba -> 2302aa582
Revert PEP merge from yesterday
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/28048751
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/28048751
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/28048751
Branch: refs/heads/master
Commit: 280487512eb1c34a6c05bcfe3e2e182388359a25
Parents: b52efae
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 17 12:26:16 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 17 15:17:00 2015 +0100
----------------------------------------------------------------------
.../AbstractXACMLAuthorizingInterceptor.java | 3 -
.../saml/xacml/DefaultXACMLRequestBuilder.java | 2 -
.../saml/xacml/XACMLAuthorizingInterceptor.java | 3 -
.../saml/xacml/XACMLRequestBuilder.java | 3 -
.../AbstractXACMLAuthorizingInterceptor.java | 112 -------
.../OpenSAMLXACMLAuthorizingInterceptor.java | 158 ----------
.../xacml/pep/OpenSAMLXACMLRequestBuilder.java | 209 -------------
.../saml/xacml/pep/XACMLRequestBuilder.java | 44 ---
.../saml/xacml/OldXACMLRequestBuilderTest.java | 308 -------------------
.../saml/xacml/XACMLRequestBuilderTest.java | 40 ++-
.../cxf/systest/ws/saml/SamlTokenTest.java | 48 ---
.../cxf/systest/ws/saml/DoubleItSaml.wsdl | 3 -
.../org/apache/cxf/systest/ws/saml/client.xml | 6 -
.../org/apache/cxf/systest/ws/saml/server.xml | 13 -
.../apache/cxf/systest/ws/saml/stax-server.xml | 15 -
15 files changed, 19 insertions(+), 948 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
index 3ece64a..69ca071 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
@@ -54,10 +54,7 @@ import org.opensaml.xacml.ctx.StatusType;
* statement.
*
* This class must be subclassed to actually perform the request to the PDP.
- *
- * @deprecated: Use pep.AbstractXACMLAuthorizingInterceptor instead
*/
-@Deprecated
public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
index ded3025..1040a56 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
@@ -52,9 +52,7 @@ import org.opensaml.xacml.ctx.SubjectType;
* send the truncated request URI instead for a SOAP or REST service. The current DateTime is
* also sent in an Environment, however this can be disabled via configuration.
*
- * @deprecated: Use pep.OpenSAMLXACMLRequestBuilder instead
*/
-@Deprecated
public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
private boolean sendDateTime = true;
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
index d198c43..78875a3 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
@@ -42,10 +42,7 @@ import org.opensaml.xacml.ctx.ResponseType;
* and make an authorization decision based on the response. It takes the principal and roles
* from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
* statement.
- *
- * @deprecated: Use pep.OpenSAMLXACMLAuthorizingInterceptor instead
*/
-@Deprecated
public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
private PolicyDecisionPoint pdp;
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
index f41c447..d3bd32c 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
@@ -28,10 +28,7 @@ import org.opensaml.xacml.ctx.RequestType;
/**
* This interface defines a way to create an XACML Request.
- *
- * @deprecated use pep.XACMLRequestBuilder instead
*/
-@Deprecated
public interface XACMLRequestBuilder {
/**
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/AbstractXACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/AbstractXACMLAuthorizingInterceptor.java
deleted file mode 100644
index 5337a5c..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/AbstractXACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml.pep;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-
-
-/**
- * An abstract interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- *
- * This class must be subclassed to actually perform the request to the PDP and to parse
- * the response.
- */
-public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
-
- private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
-
- private XACMLRequestBuilder requestBuilder = new OpenSAMLXACMLRequestBuilder();
-
- public AbstractXACMLAuthorizingInterceptor() {
- super(Phase.PRE_INVOKE);
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- public void handleMessage(Message message) throws Fault {
- SecurityContext sc = message.get(SecurityContext.class);
-
- if (sc instanceof LoginSecurityContext) {
- Principal principal = sc.getUserPrincipal();
-
- LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
- Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
- List<String> roles = new ArrayList<>();
- if (principalRoles != null) {
- for (Principal p : principalRoles) {
- if (p != principal) {
- roles.add(p.getName());
- }
- }
- }
-
- try {
- Object request = requestBuilder.createRequest(principal, roles, message);
-
- if (authorize(request, principal, message)) {
- return;
- }
- } catch (Exception e) {
- LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
- throw new AccessDeniedException("Unauthorized");
- }
- } else {
- LOG.log(
- Level.FINE,
- "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
- + "is possible as a result"
- );
- }
-
- throw new AccessDeniedException("Unauthorized");
- }
-
- public XACMLRequestBuilder getRequestBuilder() {
- return requestBuilder;
- }
-
- public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
- this.requestBuilder = requestBuilder;
- }
-
- /**
- * Perform a (remote) authorization decision and return a boolean depending on the result
- */
- protected abstract boolean authorize(
- Object xacmlRequest, Principal principal, Message message
- ) throws Exception;
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/OpenSAMLXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/OpenSAMLXACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/OpenSAMLXACMLAuthorizingInterceptor.java
deleted file mode 100644
index 9b8b3d7..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/OpenSAMLXACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,158 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml.pep;
-
-import java.security.Principal;
-import java.util.List;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import javax.xml.XMLConstants;
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusType;
-
-/**
- * An interceptor to perform an XACML 2.0 authorization request to a remote PDP using OpenSAML,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- */
-public class OpenSAMLXACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
- private static final Logger LOG = LogUtils.getL7dLogger(OpenSAMLXACMLAuthorizingInterceptor.class);
-
- private PolicyDecisionPoint pdp;
-
- public OpenSAMLXACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
- super();
- this.pdp = pdp;
- }
-
- /**
- * Perform a (remote) authorization decision and return a boolean depending on the result
- */
- @Override
- protected boolean authorize(
- Object xacmlRequest, Principal principal, Message message
- ) throws Exception {
- if (!(xacmlRequest instanceof RequestType)) {
- String error = "XACMLRequest parameter is not an instance of OpenSAML RequestType!";
- LOG.warning(error);
- throw new Exception(error);
- }
-
- RequestType request = (RequestType)xacmlRequest;
- if (LOG.isLoggable(Level.FINE)) {
- Document doc = DOMUtils.createDocument();
- Element requestElement = OpenSAMLUtil.toDom(request, doc);
- LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
- }
-
- // Evaluate the request
- Source responseSource = this.pdp.evaluate(requestType2Source(request));
-
- // Parse the Response into an OpenSAML ResponseType Object
- ResponseType response = responseSourceToResponseType(responseSource);
- List<ResultType> results = response.getResults();
-
- if (results == null) {
- return false;
- }
-
- for (ResultType result : results) {
- // Handle any Obligations returned by the PDP
- handleObligations(request, principal, message, result);
-
- DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
- String code = "";
- String statusMessage = "";
- if (result.getStatus() != null) {
- StatusType status = result.getStatus();
- code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
- statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
- }
- LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
- return decision == DECISION.Permit;
- }
-
- return false;
- }
-
- private ResponseType responseSourceToResponseType(Source responseSource) {
- try {
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
- transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- Transformer trans = transformerFactory.newTransformer();
-
- DOMResult res = new DOMResult();
- trans.transform(responseSource, res);
- Node nd = res.getNode();
- if (nd instanceof Document) {
- nd = ((Document)nd).getDocumentElement();
- }
- return (ResponseType)OpenSAMLUtil.fromDom((Element)nd);
- } catch (Exception e) {
- throw new RuntimeException("Error converting pdp response to ResponseType", e);
- }
- }
-
- private Source requestType2Source(RequestType request) {
- Document doc = DOMUtils.createDocument();
- Element requestElement;
- try {
- requestElement = OpenSAMLUtil.toDom(request, doc);
- } catch (WSSecurityException e) {
- throw new RuntimeException("Error converting PDP RequestType to Dom", e);
- }
- return new DOMSource(requestElement);
- }
-
- /**
- * Handle any Obligations returned by the PDP
- */
- protected void handleObligations(
- RequestType request,
- Principal principal,
- Message message,
- ResultType result
- ) throws Exception {
- // Do nothing by default
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/OpenSAMLXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/OpenSAMLXACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/OpenSAMLXACMLRequestBuilder.java
deleted file mode 100644
index db78c12..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/OpenSAMLXACMLRequestBuilder.java
+++ /dev/null
@@ -1,209 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml.pep;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.xacml.CXFMessageParser;
-import org.apache.cxf.rt.security.saml.xacml.RequestComponentBuilder;
-import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
-import org.joda.time.DateTime;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
- * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
- * and the list of roles associated with that principal are inserted as Subject roles. The action
- * to send defaults to "execute".
- *
- * For a SOAP Service, the resource-id Attribute refers to the
- * "{serviceNamespace}serviceName#{operationNamespace}operationName" String (shortened to
- * "{serviceNamespace}serviceName#operationName" if the namespaces are identical). The
- * "{serviceNamespace}serviceName", "{operationNamespace}operationName" and resource URI are also
- * sent to simplify processing at the PDP side.
- *
- * For a REST service the request URL is the resource. You can also configure the ability to
- * send the truncated request URI instead for a SOAP or REST service. The current DateTime is
- * also sent in an Environment, however this can be disabled via configuration.
- */
-public class OpenSAMLXACMLRequestBuilder implements XACMLRequestBuilder {
-
- private boolean sendDateTime = true;
- private String action = "execute";
- private boolean sendFullRequestURL = true;
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- */
- public Object createRequest(Principal principal, List<String> roles, Message message)
- throws Exception {
- CXFMessageParser messageParser = new CXFMessageParser(message);
- String issuer = messageParser.getIssuer();
-
- String actionToUse = messageParser.getAction(action);
-
- SubjectType subjectType = createSubjectType(principal, roles, issuer);
- ResourceType resourceType = createResourceType(messageParser);
- AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
- null, actionToUse);
- ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
-
- return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
- Collections.singletonList(resourceType),
- actionType,
- createEnvironmentType());
- }
-
- private ResourceType createResourceType(CXFMessageParser messageParser) {
- List<AttributeType> attributes = new ArrayList<>();
-
- // Resource-id
- String resourceId = null;
- boolean isSoapService = messageParser.isSOAPService();
- if (isSoapService) {
- QName serviceName = messageParser.getWSDLService();
- QName operationName = messageParser.getWSDLOperation();
-
- if (serviceName != null) {
- resourceId = serviceName.toString() + "#";
- if (serviceName.getNamespaceURI() != null
- && serviceName.getNamespaceURI().equals(operationName.getNamespaceURI())) {
- resourceId += operationName.getLocalPart();
- } else {
- resourceId += operationName.toString();
- }
- } else {
- resourceId = operationName.toString();
- }
- } else {
- resourceId = messageParser.getResourceURI(sendFullRequestURL);
- }
-
- attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
- resourceId));
-
- if (isSoapService) {
- // WSDL Service
- QName wsdlService = messageParser.getWSDLService();
- if (wsdlService != null) {
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_SERVICE_ID, XACMLConstants.XS_STRING, null,
- wsdlService.toString()));
- }
-
- // WSDL Operation
- QName wsdlOperation = messageParser.getWSDLOperation();
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_OPERATION_ID, XACMLConstants.XS_STRING, null,
- wsdlOperation.toString()));
-
- // WSDL Endpoint
- String endpointURI = messageParser.getResourceURI(sendFullRequestURL);
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_ENDPOINT, XACMLConstants.XS_STRING, null,
- endpointURI));
- }
-
- return RequestComponentBuilder.createResourceType(attributes, null);
- }
-
- private EnvironmentType createEnvironmentType() {
- if (sendDateTime) {
- List<AttributeType> attributes = new ArrayList<>();
- AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
- XACMLConstants.XS_DATETIME, null,
- new DateTime().toString());
- attributes.add(environmentAttribute);
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- List<AttributeType> attributes = Collections.emptyList();
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- private SubjectType createSubjectType(Principal principal, List<String> roles, String issuer) {
- List<AttributeType> attributes = new ArrayList<>();
- attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
- principal.getName()));
-
- if (roles != null) {
- List<AttributeValueType> roleAttributes = new ArrayList<>();
- for (String role : roles) {
- if (role != null) {
- AttributeValueType subjectRoleAttributeValue =
- RequestComponentBuilder.createAttributeValueType(role);
- roleAttributes.add(subjectRoleAttributeValue);
- }
- }
-
- if (!roleAttributes.isEmpty()) {
- AttributeType subjectRoleAttribute =
- createAttribute(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- issuer,
- roleAttributes
- );
- attributes.add(subjectRoleAttribute);
- }
- }
-
- return RequestComponentBuilder.createSubjectType(attributes, null);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, List<AttributeValueType> values) {
- return RequestComponentBuilder.createAttributeType(id, type, issuer, values);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, String value) {
- return createAttribute(id, type, issuer,
- Collections.singletonList(RequestComponentBuilder.createAttributeValueType(value)));
- }
-
- /**
- * Set a new Action String to use
- */
- public void setAction(String action) {
- this.action = action;
- }
-
- public void setSendDateTime(boolean sendDateTime) {
- this.sendDateTime = sendDateTime;
- }
-
- /**
- * Whether to send the full Request URL as the resource or not. If set to true,
- * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
- * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
- * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
- */
- public void setSendFullRequestURL(boolean sendFullRequestURL) {
- this.sendFullRequestURL = sendFullRequestURL;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/XACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/XACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/XACMLRequestBuilder.java
deleted file mode 100644
index c863264..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pep/XACMLRequestBuilder.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml.pep;
-
-import java.security.Principal;
-import java.util.List;
-
-import org.apache.cxf.message.Message;
-
-
-/**
- * This interface defines a way to create an XACML Request.
- */
-public interface XACMLRequestBuilder {
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- *
- * @param principal The principal to insert into the Subject of the Request
- * @param roles The list of roles associated with the principal
- * @param message The Message from which to retrieve the resource
- * @return An object representing the Request
- * @throws Exception
- */
- Object createRequest(Principal principal, List<String> roles, Message message) throws Exception;
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/OldXACMLRequestBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/OldXACMLRequestBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/OldXACMLRequestBuilderTest.java
deleted file mode 100644
index 3bf9f6f..0000000
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/OldXACMLRequestBuilderTest.java
+++ /dev/null
@@ -1,308 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.security.Principal;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-
-
-/**
- * Some unit tests to create a XACML Request via the XACMLRequestBuilder interface.
- */
-@SuppressWarnings("deprecation")
-public class OldXACMLRequestBuilderTest extends org.junit.Assert {
-
- static {
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- @org.junit.Test
- public void testXACMLRequestBuilder() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- }
-
-
- @org.junit.Test
- public void testAction() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURL);
-
- DefaultXACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- String action =
- request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
- assertEquals("execute", action);
-
- builder.setAction("write");
- request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- action =
- request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
- assertEquals("write", action);
- }
-
- @org.junit.Test
- public void testEnvironment() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- assertFalse(request.getEnvironment().getAttributes().isEmpty());
-
- ((DefaultXACMLRequestBuilder)builder).setSendDateTime(false);
- request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- assertTrue(request.getEnvironment().getAttributes().isEmpty());
- }
-
- @org.junit.Test
- public void testSOAPResource() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(4, resource.getAttributes().size());
-
- boolean resourceIdSatisfied = false;
- boolean soapServiceSatisfied = false;
- boolean soapOperationSatisfied = false;
- boolean resourceURISatisfied = false;
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
- && "{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt".equals(
- attributeValue)) {
- resourceIdSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
- && service.equals(attributeValue)) {
- soapServiceSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
- && operation.equals(attributeValue)) {
- soapOperationSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
- && resourceURL.equals(attributeValue)) {
- resourceURISatisfied = true;
- }
- }
-
- assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
- && resourceURISatisfied);
- }
-
- @org.junit.Test
- public void testSOAPResourceDifferentNamespace() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleItService}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(4, resource.getAttributes().size());
-
- boolean resourceIdSatisfied = false;
- boolean soapServiceSatisfied = false;
- boolean soapOperationSatisfied = false;
- boolean resourceURISatisfied = false;
- String expectedResourceId =
- service + "#" + operation;
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
- && expectedResourceId.equals(attributeValue)) {
- resourceIdSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
- && service.equals(attributeValue)) {
- soapServiceSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
- && operation.equals(attributeValue)) {
- soapOperationSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
- && resourceURL.equals(attributeValue)) {
- resourceURISatisfied = true;
- }
- }
-
- assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
- && resourceURISatisfied);
- }
-
- @org.junit.Test
- public void testRESTResource() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- MessageImpl msg = new MessageImpl();
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(1, resource.getAttributes().size());
-
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- assertEquals(attributeValue, resourceURL);
- }
- }
-
- @org.junit.Test
- public void testRESTResourceTruncatedURI() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- MessageImpl msg = new MessageImpl();
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
- String resourceURI = "/doubleit";
- msg.put(Message.REQUEST_URI, resourceURI);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(false);
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(1, resource.getAttributes().size());
-
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- assertEquals(attributeValue, resourceURI);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
index 8647dd6..baccaeb 100644
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
@@ -27,9 +27,6 @@ import javax.xml.namespace.QName;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.rt.security.saml.xacml.pep.OpenSAMLXACMLRequestBuilder;
-import org.apache.cxf.rt.security.saml.xacml.pep.XACMLRequestBuilder;
-
import org.opensaml.xacml.ctx.AttributeType;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.ctx.ResourceType;
@@ -38,6 +35,7 @@ import org.opensaml.xacml.ctx.ResourceType;
/**
* Some unit tests to create a XACML Request via the XACMLRequestBuilder interface.
*/
+@SuppressWarnings("deprecation")
public class XACMLRequestBuilderTest extends org.junit.Assert {
static {
@@ -61,9 +59,9 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
String resourceURL = "https://localhost:8080/doubleit";
msg.put(Message.REQUEST_URI, resourceURL);
- XACMLRequestBuilder builder = new OpenSAMLXACMLRequestBuilder();
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
RequestType request =
- (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
}
@@ -85,9 +83,9 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
String resourceURL = "https://localhost:8080/doubleit";
msg.put(Message.REQUEST_URI, resourceURL);
- OpenSAMLXACMLRequestBuilder builder = new OpenSAMLXACMLRequestBuilder();
+ DefaultXACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
RequestType request =
- (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
String action =
@@ -95,7 +93,7 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
assertEquals("execute", action);
builder.setAction("write");
- request = (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
action =
@@ -120,14 +118,14 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
String resourceURL = "https://localhost:8080/doubleit";
msg.put(Message.REQUEST_URL, resourceURL);
- XACMLRequestBuilder builder = new OpenSAMLXACMLRequestBuilder();
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
RequestType request =
- (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
assertFalse(request.getEnvironment().getAttributes().isEmpty());
- ((OpenSAMLXACMLRequestBuilder)builder).setSendDateTime(false);
- request = (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ ((DefaultXACMLRequestBuilder)builder).setSendDateTime(false);
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
assertTrue(request.getEnvironment().getAttributes().isEmpty());
}
@@ -149,9 +147,9 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
String resourceURL = "https://localhost:8080/doubleit";
msg.put(Message.REQUEST_URL, resourceURL);
- XACMLRequestBuilder builder = new OpenSAMLXACMLRequestBuilder();
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
RequestType request =
- (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
List<ResourceType> resources = request.getResources();
@@ -204,9 +202,9 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
String resourceURL = "https://localhost:8080/doubleit";
msg.put(Message.REQUEST_URL, resourceURL);
- XACMLRequestBuilder builder = new OpenSAMLXACMLRequestBuilder();
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
RequestType request =
- (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
List<ResourceType> resources = request.getResources();
@@ -256,9 +254,9 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
String resourceURL = "https://localhost:8080/doubleit";
msg.put(Message.REQUEST_URL, resourceURL);
- XACMLRequestBuilder builder = new OpenSAMLXACMLRequestBuilder();
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
RequestType request =
- (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
List<ResourceType> resources = request.getResources();
@@ -289,10 +287,10 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
String resourceURI = "/doubleit";
msg.put(Message.REQUEST_URI, resourceURI);
- XACMLRequestBuilder builder = new OpenSAMLXACMLRequestBuilder();
- ((OpenSAMLXACMLRequestBuilder)builder).setSendFullRequestURL(false);
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(false);
RequestType request =
- (RequestType)builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
List<ResourceType> resources = request.getResources();
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index 557ab62..ff0839b 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -940,54 +940,6 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
}
@org.junit.Test
- public void testSaml2OpenSAMLPEP() throws Exception {
-
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = SamlTokenTest.class.getResource("client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
- Service service = Service.create(wsdl, SERVICE_QNAME);
- QName portQName = new QName(NAMESPACE, "DoubleItSaml2PEP2Port");
- DoubleItPortType saml2Port =
- service.getPort(portQName, DoubleItPortType.class);
- updateAddressPort(saml2Port, test.getPort());
-
- try {
- saml2Port.doubleIt(25);
- fail("Failure expected as Assertion doesn't contain Role information");
- } catch (javax.xml.ws.soap.SOAPFaultException ex) {
- // expected
- }
-
- SamlRoleCallbackHandler roleCallbackHandler =
- new SamlRoleCallbackHandler();
- roleCallbackHandler.setSignAssertion(true);
- roleCallbackHandler.setRoleName("manager");
- ((BindingProvider)saml2Port).getRequestContext().put(
- "security.saml-callback-handler", roleCallbackHandler
- );
-
- int result = saml2Port.doubleIt(25);
- assertTrue(result == 50);
-
- // Expected failure on incorrect role
- roleCallbackHandler.setRoleName("boss");
- try {
- saml2Port.doubleIt(25);
- fail("Failure expected as Assertion doesn't contain correct role");
- } catch (javax.xml.ws.soap.SOAPFaultException ex) {
- // expected
- }
-
- ((java.io.Closeable)saml2Port).close();
- bus.shutdown(true);
- }
-
- @org.junit.Test
public void testSaml2Replay() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
index 7cbc0e3..ea0d132 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
@@ -377,9 +377,6 @@
<wsdl:port name="DoubleItSaml2PEPPort" binding="tns:DoubleItSaml2SymmetricBinding">
<soap:address location="http://localhost:9001/DoubleItSaml2PEP"/>
</wsdl:port>
- <wsdl:port name="DoubleItSaml2PEP2Port" binding="tns:DoubleItSaml2SymmetricBinding">
- <soap:address location="http://localhost:9001/DoubleItSaml2PEP2"/>
- </wsdl:port>
<wsdl:port name="DoubleItSaml2TransportPort" binding="tns:DoubleItSaml2TransportBinding">
<soap:address location="https://localhost:9009/DoubleItSaml2Transport"/>
</wsdl:port>
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml
index de4425f..26c6b2f 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml
@@ -217,10 +217,4 @@
<entry key="security.encryption.username" value="bob"/>
</jaxws:properties>
</jaxws:client>
- <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSaml2PEP2Port" createdFromAPI="true">
- <jaxws:properties>
- <entry key="security.encryption.properties" value="bob.properties"/>
- <entry key="security.encryption.username" value="bob"/>
- </jaxws:properties>
- </jaxws:client>
</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
index 05e419e..9d3895f 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -243,19 +243,6 @@
<ref bean="XACMLInterceptor"/>
</jaxws:inInterceptors>
</jaxws:endpoint>
- <bean class="org.apache.cxf.rt.security.saml.xacml.pep.OpenSAMLXACMLAuthorizingInterceptor" id="XACMLInterceptor2">
- <constructor-arg ref="MockPDP"/>
- </bean>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP2" address="http://localhost:${testutil.ports.saml.Server}/DoubleItSaml2PEP2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEP2Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
- <jaxws:properties>
- <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
- </jaxws:properties>
- <jaxws:inInterceptors>
- <ref bean="XACMLInterceptor2"/>
- </jaxws:inInterceptors>
- </jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.saml.Server.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
http://git-wip-us.apache.org/repos/asf/cxf/blob/28048751/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
index 33aadf7..91768b8 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
@@ -268,21 +268,6 @@
<ref bean="XACMLInterceptor"/>
</jaxws:inInterceptors>
</jaxws:endpoint>
- <bean class="org.apache.cxf.rt.security.saml.xacml.pep.OpenSAMLXACMLAuthorizingInterceptor" id="XACMLInterceptor2">
- <constructor-arg ref="MockPDP"/>
- </bean>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP2" address="http://localhost:${testutil.ports.saml.StaxServer}/DoubleItSaml2PEP2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEP2Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
- <jaxws:properties>
- <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="security.signature.properties" value="bob.properties"/>
- <!--<entry key="ws-security.saml2.validator"
- value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- <jaxws:inInterceptors>
- <ref bean="XACMLInterceptor2"/>
- </jaxws:inInterceptors>
- </jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.saml.StaxServer.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
[4/5] cxf git commit: Adding in Abstract XACML interceptor
Posted by co...@apache.org.
Adding in Abstract XACML interceptor
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2302aa58
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2302aa58
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2302aa58
Branch: refs/heads/master
Commit: 2302aa5820661975bb04857fa6d48bb68bebb4f7
Parents: 292fe25
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 17 14:55:38 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 17 15:17:01 2015 +0100
----------------------------------------------------------------------
.../AbstractXACMLAuthorizingInterceptor.java | 163 +++++++++++++++++++
.../xacml2/XACMLAuthorizingInterceptor.java | 127 +--------------
2 files changed, 166 insertions(+), 124 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2302aa58/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
new file mode 100644
index 0000000..f81f07a
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
@@ -0,0 +1,163 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.util.DOM2Writer;
+import org.opensaml.xacml.ctx.DecisionType.DECISION;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusType;
+
+/**
+ * An interceptor to perform an XACML 2.0 authorization request to a remote PDP using OpenSAML,
+ * and make an authorization decision based on the response. It takes the principal and roles
+ * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
+ * statement. How the actual PDP invocation is made is up to a subclass.
+ */
+public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
+ private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
+
+ private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
+
+ public AbstractXACMLAuthorizingInterceptor() {
+ super(Phase.PRE_INVOKE);
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+ }
+
+ public void handleMessage(Message message) throws Fault {
+ SecurityContext sc = message.get(SecurityContext.class);
+
+ if (sc instanceof LoginSecurityContext) {
+ Principal principal = sc.getUserPrincipal();
+
+ LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
+ Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
+ List<String> roles = new ArrayList<>();
+ if (principalRoles != null) {
+ for (Principal p : principalRoles) {
+ if (p != principal) {
+ roles.add(p.getName());
+ }
+ }
+ }
+
+ try {
+ if (authorize(principal, roles, message)) {
+ return;
+ }
+ } catch (Exception e) {
+ LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
+ throw new AccessDeniedException("Unauthorized");
+ }
+ } else {
+ LOG.log(
+ Level.FINE,
+ "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
+ + "is possible as a result"
+ );
+ }
+
+ throw new AccessDeniedException("Unauthorized");
+ }
+
+ public XACMLRequestBuilder getRequestBuilder() {
+ return requestBuilder;
+ }
+
+ public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
+ this.requestBuilder = requestBuilder;
+ }
+
+ /**
+ * Perform a (remote) authorization decision and return a boolean depending on the result
+ */
+ protected boolean authorize(
+ Principal principal, List<String> roles, Message message
+ ) throws Exception {
+ RequestType request = requestBuilder.createRequest(principal, roles, message);
+ if (LOG.isLoggable(Level.FINE)) {
+ Document doc = DOMUtils.createDocument();
+ Element requestElement = OpenSAMLUtil.toDom(request, doc);
+ LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
+ }
+
+ ResponseType response = performRequest(request, message);
+
+ List<ResultType> results = response.getResults();
+
+ if (results == null) {
+ return false;
+ }
+
+ for (ResultType result : results) {
+ // Handle any Obligations returned by the PDP
+ handleObligations(request, principal, message, result);
+
+ DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
+ String code = "";
+ String statusMessage = "";
+ if (result.getStatus() != null) {
+ StatusType status = result.getStatus();
+ code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
+ statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
+ }
+ LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
+ return decision == DECISION.Permit;
+ }
+
+ return false;
+ }
+
+ /**
+ * Handle any Obligations returned by the PDP
+ */
+ protected void handleObligations(
+ RequestType request,
+ Principal principal,
+ Message message,
+ ResultType result
+ ) throws Exception {
+ // Do nothing by default
+ }
+
+ protected abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
+
+}
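Review bot: In `authorize`, the `for (ResultType result : results)` loop returns on its first iteration (`return decision == DECISION.Permit;`), so when the PDP answers with more than one Result only the first decides, a Deny in any later Result is silently ignored, and the obligations of those later Results never reach `handleObligations`. Keeping the loop but requiring every Result to be Permit preserves the fail-closed intent of the `results == null` branch: `boolean permitted = !results.isEmpty();` before the loop, `permitted = permitted && decision == DECISION.Permit;` in place of the early return, and `return permitted;` after the loop. `performRequest` is the extension point subclasses implement but carries no Javadoc; a contract along the lines of `/** Sends the XACML Request to the PDP and returns its Response. Must not return null. Any exception thrown here is turned into an AccessDeniedException by handleMessage. */` would tell implementers that failures (including a null return, which NPEs on `response.getResults()` and is caught the same way) are treated as a denial.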
http://git-wip-us.apache.org/repos/asf/cxf/blob/2302aa58/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
index 1238099..c9301e6 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
@@ -19,32 +19,9 @@
package org.apache.cxf.rt.security.saml.xacml2;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusType;
/**
* An interceptor to perform an XACML 2.0 authorization request to a remote PDP using OpenSAML,
@@ -52,114 +29,16 @@ import org.opensaml.xacml.ctx.StatusType;
* from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
* statement.
*/
-public class XACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
- private static final Logger LOG = LogUtils.getL7dLogger(XACMLAuthorizingInterceptor.class);
+public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
- private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
private PolicyDecisionPoint pdp;
public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
- super(Phase.PRE_INVOKE);
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+ super();
this.pdp = pdp;
}
- public void handleMessage(Message message) throws Fault {
- SecurityContext sc = message.get(SecurityContext.class);
-
- if (sc instanceof LoginSecurityContext) {
- Principal principal = sc.getUserPrincipal();
-
- LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
- Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
- List<String> roles = new ArrayList<>();
- if (principalRoles != null) {
- for (Principal p : principalRoles) {
- if (p != principal) {
- roles.add(p.getName());
- }
- }
- }
-
- try {
- if (authorize(principal, roles, message)) {
- return;
- }
- } catch (Exception e) {
- LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
- throw new AccessDeniedException("Unauthorized");
- }
- } else {
- LOG.log(
- Level.FINE,
- "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
- + "is possible as a result"
- );
- }
-
- throw new AccessDeniedException("Unauthorized");
- }
-
- public XACMLRequestBuilder getRequestBuilder() {
- return requestBuilder;
- }
-
- public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
- this.requestBuilder = requestBuilder;
- }
-
- /**
- * Perform a (remote) authorization decision and return a boolean depending on the result
- */
- protected boolean authorize(
- Principal principal, List<String> roles, Message message
- ) throws Exception {
- RequestType request = requestBuilder.createRequest(principal, roles, message);
- if (LOG.isLoggable(Level.FINE)) {
- Document doc = DOMUtils.createDocument();
- Element requestElement = OpenSAMLUtil.toDom(request, doc);
- LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
- }
-
- ResponseType response = performRequest(request, message);
-
- List<ResultType> results = response.getResults();
-
- if (results == null) {
- return false;
- }
-
- for (ResultType result : results) {
- // Handle any Obligations returned by the PDP
- handleObligations(request, principal, message, result);
-
- DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
- String code = "";
- String statusMessage = "";
- if (result.getStatus() != null) {
- StatusType status = result.getStatus();
- code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
- statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
- }
- LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
- return decision == DECISION.Permit;
- }
-
- return false;
- }
-
- /**
- * Handle any Obligations returned by the PDP
- */
- protected void handleObligations(
- RequestType request,
- Principal principal,
- Message message,
- ResultType result
- ) throws Exception {
- // Do nothing by default
- }
-
+ @Override
protected ResponseType performRequest(RequestType request, Message message) throws Exception {
return this.pdp.evaluate(request);
}
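Review bot: The constructor stores the PolicyDecisionPoint without a null check at `this.pdp = pdp;`, so a misconfigured interceptor is only discovered when `performRequest` dereferences `this.pdp` on the first request. The removed handleMessage turned any exception from authorize into AccessDeniedException with a FINE-level log; if the new AbstractXACMLAuthorizingInterceptor (not in this hunk) behaves the same way, a null PDP surfaces only as blanket denial that is hard to diagnose. Fail fast at construction instead with `this.pdp = Objects.requireNonNull(pdp, "PolicyDecisionPoint must not be null");` (needs `import java.util.Objects;`), and declare the field `private final PolicyDecisionPoint pdp;` since it is assigned only there. A short Javadoc on the constructor stating that the supplied PDP is consulted for every request via `performRequest` would also help readers of the now much thinner class.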
[5/5] cxf git commit: Updating javadocs
Posted by co...@apache.org.
Updating javadocs
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/292fe254
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/292fe254
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/292fe254
Branch: refs/heads/master
Commit: 292fe2541e32bb31a59955975972cd6adfa1a9dc
Parents: 8176b1b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 17 12:45:09 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 17 15:17:01 2015 +0100
----------------------------------------------------------------------
.../cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java | 2 +-
.../apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java | 2 +-
.../cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java | 2 +-
.../apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/292fe254/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
index 468d875..20ba102 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
@@ -39,7 +39,7 @@ import org.opensaml.xacml.ctx.ResourceType;
import org.opensaml.xacml.ctx.SubjectType;
/**
- * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
+ * This class constructs an XACML 2.0 Request given a Principal, list of roles and MessageContext,
* following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
* and the list of roles associated with that principal are inserted as Subject roles. The action
* to send defaults to "execute".
http://git-wip-us.apache.org/repos/asf/cxf/blob/292fe254/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java
index 1bf1bdb..da84025 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java
@@ -22,7 +22,7 @@ import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.ctx.ResponseType;
/**
- * An interface that describes a PolicyDecisionPoint (PDP).
+ * An interface that describes a PolicyDecisionPoint (PDP) that supports XACML 2.0 using OpenSAML
*/
public interface PolicyDecisionPoint {
http://git-wip-us.apache.org/repos/asf/cxf/blob/292fe254/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
index ca76382..1238099 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
@@ -47,7 +47,7 @@ import org.opensaml.xacml.ctx.ResultType;
import org.opensaml.xacml.ctx.StatusType;
/**
- * An interceptor to perform an XACML authorization request to a remote PDP,
+ * An interceptor to perform an XACML 2.0 authorization request to a remote PDP using OpenSAML,
* and make an authorization decision based on the response. It takes the principal and roles
* from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
* statement.
http://git-wip-us.apache.org/repos/asf/cxf/blob/292fe254/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java
index 8aa6e4c..99b32ef 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java
@@ -27,7 +27,7 @@ import org.opensaml.xacml.ctx.RequestType;
/**
- * This interface defines a way to create an XACML Request.
+ * This interface defines a way to create an XACML 2.0 Request using OpenSAML
*/
public interface XACMLRequestBuilder {
[2/5] cxf git commit: Refactoring of XACML code
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilderTest.java
deleted file mode 100644
index 53cd863..0000000
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilderTest.java
+++ /dev/null
@@ -1,222 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.joda.time.DateTime;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-
-/**
- * Some unit tests to create a XACML Request using the RequestComponentBuilder.
- */
-public class RequestComponentBuilderTest extends org.junit.Assert {
-
- private DocumentBuilder docBuilder;
- static {
- OpenSAMLUtil.initSamlEngine();
- }
-
- public RequestComponentBuilderTest() throws ParserConfigurationException {
- DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
- docBuilderFactory.setNamespaceAware(true);
- docBuilder = docBuilderFactory.newDocumentBuilder();
- }
-
- @org.junit.Test
- public void testCreateXACMLRequest() throws Exception {
- Document doc = docBuilder.newDocument();
-
- // Subject
- AttributeValueType subjectIdAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "alice-user@apache.org"
- );
- AttributeType subjectIdAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ID,
- XACMLConstants.RFC_822_NAME,
- null,
- Collections.singletonList(subjectIdAttributeValue)
- );
-
- AttributeValueType subjectGroupAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "manager"
- );
- AttributeType subjectGroupAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- "admin-user@apache.org",
- Collections.singletonList(subjectGroupAttributeValue)
- );
- List<AttributeType> attributes = new ArrayList<AttributeType>();
- attributes.add(subjectIdAttribute);
- attributes.add(subjectGroupAttribute);
- SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
-
- // Resource
- AttributeValueType resourceAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "{http://www.example.org/contract/DoubleIt}DoubleIt"
- );
- AttributeType resourceAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.RESOURCE_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(resourceAttributeValue)
- );
- attributes.clear();
- attributes.add(resourceAttribute);
- ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
-
- // Action
- AttributeValueType actionAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "execute"
- );
- AttributeType actionAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.ACTION_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(actionAttributeValue)
- );
- attributes.clear();
- attributes.add(actionAttribute);
- ActionType action = RequestComponentBuilder.createActionType(attributes);
-
- // Request
- RequestType request =
- RequestComponentBuilder.createRequestType(
- Collections.singletonList(subject),
- Collections.singletonList(resource),
- action,
- null
- );
-
- Element policyElement = OpenSAMLUtil.toDom(request, doc);
- // String outputString = DOM2Writer.nodeToString(policyElement);
- assertNotNull(policyElement);
- }
-
- @org.junit.Test
- public void testEnvironment() throws Exception {
- Document doc = docBuilder.newDocument();
-
- // Subject
- AttributeValueType subjectIdAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "alice-user@apache.org"
- );
- AttributeType subjectIdAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ID,
- XACMLConstants.RFC_822_NAME,
- null,
- Collections.singletonList(subjectIdAttributeValue)
- );
-
- List<AttributeType> attributes = new ArrayList<AttributeType>();
- attributes.add(subjectIdAttribute);
- SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
-
- // Resource
- AttributeValueType resourceAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "{http://www.example.org/contract/DoubleIt}DoubleIt"
- );
- AttributeType resourceAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.RESOURCE_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(resourceAttributeValue)
- );
- attributes.clear();
- attributes.add(resourceAttribute);
- ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
-
- // Action
- AttributeValueType actionAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "execute"
- );
- AttributeType actionAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.ACTION_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(actionAttributeValue)
- );
- attributes.clear();
- attributes.add(actionAttribute);
- ActionType action = RequestComponentBuilder.createActionType(attributes);
-
- // Environment
- DateTime dateTime = new DateTime();
- AttributeValueType environmentAttributeValue =
- RequestComponentBuilder.createAttributeValueType(dateTime.toString());
- AttributeType environmentAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.CURRENT_DATETIME,
- XACMLConstants.XS_DATETIME,
- null,
- Collections.singletonList(environmentAttributeValue)
- );
- attributes.clear();
- attributes.add(environmentAttribute);
- EnvironmentType environmentType =
- RequestComponentBuilder.createEnvironmentType(attributes);
-
- // Request
- RequestType request =
- RequestComponentBuilder.createRequestType(
- Collections.singletonList(subject),
- Collections.singletonList(resource),
- action,
- environmentType
- );
-
- Element policyElement = OpenSAMLUtil.toDom(request, doc);
- // String outputString = DOM2Writer.nodeToString(policyElement);
- assertNotNull(policyElement);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilderTest.java
deleted file mode 100644
index 526be4a..0000000
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilderTest.java
+++ /dev/null
@@ -1,153 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
-import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
-
-
-/**
- * Some unit tests for creating a SAML XACML Request.
- */
-public class SamlRequestComponentBuilderTest extends org.junit.Assert {
-
- private DocumentBuilder docBuilder;
- static {
- OpenSAMLUtil.initSamlEngine();
- }
-
- public SamlRequestComponentBuilderTest() throws ParserConfigurationException {
- DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
- docBuilderFactory.setNamespaceAware(true);
- docBuilder = docBuilderFactory.newDocumentBuilder();
- }
-
- @org.junit.Test
- public void testCreateXACMLSamlAuthzQueryRequest() throws Exception {
- Document doc = docBuilder.newDocument();
-
- //
- // Create XACML request
- //
-
- // Subject
- AttributeValueType subjectIdAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "alice-user@apache.org"
- );
- AttributeType subjectIdAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ID,
- XACMLConstants.RFC_822_NAME,
- null,
- Collections.singletonList(subjectIdAttributeValue)
- );
-
- AttributeValueType subjectGroupAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "manager"
- );
- AttributeType subjectGroupAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- "admin-user@apache.org",
- Collections.singletonList(subjectGroupAttributeValue)
- );
- List<AttributeType> attributes = new ArrayList<AttributeType>();
- attributes.add(subjectIdAttribute);
- attributes.add(subjectGroupAttribute);
- SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
-
- // Resource
- AttributeValueType resourceAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "{http://www.example.org/contract/DoubleIt}DoubleIt"
- );
- AttributeType resourceAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.RESOURCE_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(resourceAttributeValue)
- );
- attributes.clear();
- attributes.add(resourceAttribute);
- ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
-
- // Action
- AttributeValueType actionAttributeValue =
- RequestComponentBuilder.createAttributeValueType(
- "execute"
- );
- AttributeType actionAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.ACTION_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(actionAttributeValue)
- );
- attributes.clear();
- attributes.add(actionAttribute);
- ActionType action = RequestComponentBuilder.createActionType(attributes);
-
- // Request
- RequestType request =
- RequestComponentBuilder.createRequestType(
- Collections.singletonList(subject),
- Collections.singletonList(resource),
- action,
- null
- );
-
- //
- // Create SAML wrapper
- //
-
- XACMLAuthzDecisionQueryType authzQuery =
- SamlRequestComponentBuilder.createAuthzDecisionQuery(
- "Issuer", request, SAMLProfileConstants.SAML20XACML20P_NS
- );
-
- Element policyElement = OpenSAMLUtil.toDom(authzQuery, doc);
- // String outputString = DOM2Writer.nodeToString(policyElement);
- assertNotNull(policyElement);
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptorTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptorTest.java
deleted file mode 100644
index 30fb821..0000000
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptorTest.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-
-
-/**
- * Some unit tests to test the AbstractXACMLAuthorizingInterceptor.
- */
-public class XACMLAuthorizingInterceptorTest extends org.junit.Assert {
-
- static {
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- @SuppressWarnings("deprecation")
- @org.junit.Test
- public void testPermit() throws Exception {
- // Mock up a Security Context
- SecurityContext sc = createSecurityContext("alice", "manager");
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURI = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURI);
- msg.put(SecurityContext.class, sc);
-
- PolicyDecisionPoint pdp = new DummyPDP();
- XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
- authorizingInterceptor.handleMessage(msg);
- }
-
- @SuppressWarnings("deprecation")
- @org.junit.Test
- public void testDeny() throws Exception {
- // Mock up a Security Context
- SecurityContext sc = createSecurityContext("alice", "boss");
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURI = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURI);
- msg.put(SecurityContext.class, sc);
-
- PolicyDecisionPoint pdp = new DummyPDP();
- XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
-
- try {
- authorizingInterceptor.handleMessage(msg);
- fail("Failure expected on deny");
- } catch (Exception ex) {
- // Failure expected
- }
- }
-
- private SecurityContext createSecurityContext(final String user, final String role) {
- return new LoginSecurityContext() {
-
- @Override
- public Principal getUserPrincipal() {
- return new Principal() {
- public String getName() {
- return user;
- }
- };
- }
-
- @Override
- public boolean isUserInRole(String role) {
- return false;
- }
-
- @Override
- public Subject getSubject() {
- return null;
- }
-
- @Override
- public Set<Principal> getUserRoles() {
- Set<Principal> principals = new HashSet<Principal>();
- principals.add(new Principal() {
- public String getName() {
- return role;
- }
- });
- return principals;
- }
-
- };
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
deleted file mode 100644
index baccaeb..0000000
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilderTest.java
+++ /dev/null
@@ -1,308 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.security.Principal;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-
-
-/**
- * Some unit tests to create a XACML Request via the XACMLRequestBuilder interface.
- */
-@SuppressWarnings("deprecation")
-public class XACMLRequestBuilderTest extends org.junit.Assert {
-
- static {
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- @org.junit.Test
- public void testXACMLRequestBuilder() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- }
-
-
- @org.junit.Test
- public void testAction() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URI, resourceURL);
-
- DefaultXACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- String action =
- request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
- assertEquals("execute", action);
-
- builder.setAction("write");
- request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- action =
- request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
- assertEquals("write", action);
- }
-
- @org.junit.Test
- public void testEnvironment() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- assertFalse(request.getEnvironment().getAttributes().isEmpty());
-
- ((DefaultXACMLRequestBuilder)builder).setSendDateTime(false);
- request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
- assertTrue(request.getEnvironment().getAttributes().isEmpty());
- }
-
- @org.junit.Test
- public void testSOAPResource() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(4, resource.getAttributes().size());
-
- boolean resourceIdSatisfied = false;
- boolean soapServiceSatisfied = false;
- boolean soapOperationSatisfied = false;
- boolean resourceURISatisfied = false;
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
- && "{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt".equals(
- attributeValue)) {
- resourceIdSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
- && service.equals(attributeValue)) {
- soapServiceSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
- && operation.equals(attributeValue)) {
- soapOperationSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
- && resourceURL.equals(attributeValue)) {
- resourceURISatisfied = true;
- }
- }
-
- assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
- && resourceURISatisfied);
- }
-
- @org.junit.Test
- public void testSOAPResourceDifferentNamespace() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
- String service = "{http://www.example.org/contract/DoubleItService}DoubleItService";
- msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(4, resource.getAttributes().size());
-
- boolean resourceIdSatisfied = false;
- boolean soapServiceSatisfied = false;
- boolean soapOperationSatisfied = false;
- boolean resourceURISatisfied = false;
- String expectedResourceId =
- service + "#" + operation;
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
- && expectedResourceId.equals(attributeValue)) {
- resourceIdSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
- && service.equals(attributeValue)) {
- soapServiceSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
- && operation.equals(attributeValue)) {
- soapOperationSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
- && resourceURL.equals(attributeValue)) {
- resourceURISatisfied = true;
- }
- }
-
- assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
- && resourceURISatisfied);
- }
-
- @org.junit.Test
- public void testRESTResource() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- MessageImpl msg = new MessageImpl();
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(1, resource.getAttributes().size());
-
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- assertEquals(attributeValue, resourceURL);
- }
- }
-
- @org.junit.Test
- public void testRESTResourceTruncatedURI() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- MessageImpl msg = new MessageImpl();
- String resourceURL = "https://localhost:8080/doubleit";
- msg.put(Message.REQUEST_URL, resourceURL);
- String resourceURI = "/doubleit";
- msg.put(Message.REQUEST_URI, resourceURI);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(false);
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- List<ResourceType> resources = request.getResources();
- assertNotNull(resources);
- assertEquals(1, resources.size());
-
- ResourceType resource = resources.get(0);
- assertEquals(1, resource.getAttributes().size());
-
- for (AttributeType attribute : resource.getAttributes()) {
- String attributeValue = attribute.getAttributeValues().get(0).getValue();
- assertEquals(attributeValue, resourceURI);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/DummyPDP.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/DummyPDP.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/DummyPDP.java
new file mode 100644
index 0000000..3481598
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/DummyPDP.java
@@ -0,0 +1,113 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.util.List;
+
+import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
+import org.opensaml.core.xml.XMLObjectBuilderFactory;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.DecisionType;
+import org.opensaml.xacml.ctx.DecisionType.DECISION;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusCodeType;
+import org.opensaml.xacml.ctx.StatusType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+/**
+ * A test implementation of AbstractXACMLAuthorizingInterceptor. It just mocks up a Response
+ * object based on the role of the Subject. If the role is "manager" then it permits the
+ * request, otherwise it denies it.
+ */
+public class DummyPDP implements PolicyDecisionPoint {
+
+ public ResponseType evaluate(RequestType request) {
+ String role = getSubjectRole(request);
+ DECISION decision = "manager".equals(role) ? DecisionType.DECISION.Permit : DecisionType.DECISION.Deny;
+ return createResponse(decision);
+ }
+
+ private ResponseType createResponse(DECISION decision) {
+ XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<ResponseType> responseTypeBuilder =
+ (XACMLObjectBuilder<ResponseType>)
+ builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<ResultType> resultTypeBuilder =
+ (XACMLObjectBuilder<ResultType>)
+ builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<DecisionType> decisionTypeBuilder =
+ (XACMLObjectBuilder<DecisionType>)
+ builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<StatusType> statusTypeBuilder =
+ (XACMLObjectBuilder<StatusType>)
+ builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
+
+ @SuppressWarnings("unchecked")
+ XACMLObjectBuilder<StatusCodeType> statusCodeTypeBuilder =
+ (XACMLObjectBuilder<StatusCodeType>)
+ builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
+
+ ResultType result = resultTypeBuilder.buildObject();
+
+ DecisionType decisionType = decisionTypeBuilder.buildObject();
+ decisionType.setDecision(decision);
+ result.setDecision(decisionType);
+
+ StatusType status = statusTypeBuilder.buildObject();
+ StatusCodeType statusCode = statusCodeTypeBuilder.buildObject();
+ statusCode.setValue("urn:oasis:names:tc:xacml:1.0:status:ok");
+ status.setStatusCode(statusCode);
+ result.setStatus(status);
+
+ ResponseType response = responseTypeBuilder.buildObject();
+ response.getResults().add(result);
+ return response;
+ }
+
+ private String getSubjectRole(RequestType request) {
+ List<SubjectType> subjects = request.getSubjects();
+ if (subjects != null) {
+ for (SubjectType subject : subjects) {
+ List<AttributeType> attributes = subject.getAttributes();
+ if (attributes != null) {
+ for (AttributeType attribute : attributes) {
+ if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeId())) {
+ return attribute.getAttributeValues().get(0).getValue();
+ }
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+}
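Review bot: The class Javadoc at the top of the hunk calls this "A test implementation of AbstractXACMLAuthorizingInterceptor", but the class implements PolicyDecisionPoint; suggest `* A test implementation of PolicyDecisionPoint. It just mocks up a Response`. In getSubjectRole, `attribute.getAttributeValues().get(0)` is evaluated without checking that the list is non-empty, so a subject-role attribute carrying no value fails with IndexOutOfBoundsException instead of yielding null (and therefore a Deny in evaluate); guard the condition with `&& !attribute.getAttributeValues().isEmpty()`. Only the first subject-role attribute is consulted, which is fine for a stub but worth a comment, since a subject presenting several roles is denied unless "manager" is listed first.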
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
new file mode 100644
index 0000000..3a2bc3c
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
@@ -0,0 +1,222 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.joda.time.DateTime;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+
+/**
+ * Some unit tests to create a XACML Request using the RequestComponentBuilder.
+ */
+public class RequestComponentBuilderTest extends org.junit.Assert {
+
+ private DocumentBuilder docBuilder;
+ static {
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ public RequestComponentBuilderTest() throws ParserConfigurationException {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+ }
+
+ @org.junit.Test
+ public void testCreateXACMLRequest() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ AttributeValueType subjectGroupAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "manager"
+ );
+ AttributeType subjectGroupAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ "admin-user@apache.org",
+ Collections.singletonList(subjectGroupAttributeValue)
+ );
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ attributes.add(subjectGroupAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ null
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(request, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+ @org.junit.Test
+ public void testEnvironment() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Environment
+ DateTime dateTime = new DateTime();
+ AttributeValueType environmentAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(dateTime.toString());
+ AttributeType environmentAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.CURRENT_DATETIME,
+ XACMLConstants.XS_DATETIME,
+ null,
+ Collections.singletonList(environmentAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(environmentAttribute);
+ EnvironmentType environmentType =
+ RequestComponentBuilder.createEnvironmentType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ environmentType
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(request, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+}
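Review bot: In testCreateXACMLRequest the same `attributes` list is handed to createSubjectType and then cleared and refilled for the resource and the action; whether that is safe depends on createSubjectType/createResourceType copying the list, which is not visible here, and if they retain the reference the subject and resource end up holding the action's attribute. Building a fresh list per component (`List<AttributeType> resourceAttributes = new ArrayList<AttributeType>();`) removes the dependency on that detail; the same pattern appears in testEnvironment and in SamlRequestComponentBuilderTest.testCreateXACMLSamlAuthzQueryRequest. Both test classes also assert only that the serialized element is non-null; since the request content is what a PDP authorizes on, checking at least the subject and action values on `request` (or on the emitted DOM) would catch a builder regression. The commented-out `// String outputString = DOM2Writer.nodeToString(policyElement);` lines should be dropped, and `docBuilder` can be `private final`.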
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilderTest.java
new file mode 100644
index 0000000..7d594dc
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilderTest.java
@@ -0,0 +1,153 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
+import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
+
+
+/**
+ * Some unit tests for creating a SAML XACML Request.
+ */
+public class SamlRequestComponentBuilderTest extends org.junit.Assert {
+
+ private DocumentBuilder docBuilder;
+ static {
+ OpenSAMLUtil.initSamlEngine();
+ }
+
+ public SamlRequestComponentBuilderTest() throws ParserConfigurationException {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+ }
+
+ @org.junit.Test
+ public void testCreateXACMLSamlAuthzQueryRequest() throws Exception {
+ Document doc = docBuilder.newDocument();
+
+ //
+ // Create XACML request
+ //
+
+ // Subject
+ AttributeValueType subjectIdAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "alice-user@apache.org"
+ );
+ AttributeType subjectIdAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ID,
+ XACMLConstants.RFC_822_NAME,
+ null,
+ Collections.singletonList(subjectIdAttributeValue)
+ );
+
+ AttributeValueType subjectGroupAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "manager"
+ );
+ AttributeType subjectGroupAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ "admin-user@apache.org",
+ Collections.singletonList(subjectGroupAttributeValue)
+ );
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(subjectIdAttribute);
+ attributes.add(subjectGroupAttribute);
+ SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+
+ // Resource
+ AttributeValueType resourceAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "{http://www.example.org/contract/DoubleIt}DoubleIt"
+ );
+ AttributeType resourceAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.RESOURCE_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(resourceAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(resourceAttribute);
+ ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+
+ // Action
+ AttributeValueType actionAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(
+ "execute"
+ );
+ AttributeType actionAttribute =
+ RequestComponentBuilder.createAttributeType(
+ XACMLConstants.ACTION_ID,
+ XACMLConstants.XS_STRING,
+ null,
+ Collections.singletonList(actionAttributeValue)
+ );
+ attributes.clear();
+ attributes.add(actionAttribute);
+ ActionType action = RequestComponentBuilder.createActionType(attributes);
+
+ // Request
+ RequestType request =
+ RequestComponentBuilder.createRequestType(
+ Collections.singletonList(subject),
+ Collections.singletonList(resource),
+ action,
+ null
+ );
+
+ //
+ // Create SAML wrapper
+ //
+
+ XACMLAuthzDecisionQueryType authzQuery =
+ SamlRequestComponentBuilder.createAuthzDecisionQuery(
+ "Issuer", request, SAMLProfileConstants.SAML20XACML20P_NS
+ );
+
+ Element policyElement = OpenSAMLUtil.toDom(authzQuery, doc);
+ // String outputString = DOM2Writer.nodeToString(policyElement);
+ assertNotNull(policyElement);
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptorTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptorTest.java
new file mode 100644
index 0000000..7c6589c
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptorTest.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+
+
+/**
+ * Some unit tests to test the AbstractXACMLAuthorizingInterceptor.
+ */
+public class XACMLAuthorizingInterceptorTest extends org.junit.Assert {
+
+ static {
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+ }
+
+ @org.junit.Test
+ public void testPermit() throws Exception {
+ // Mock up a Security Context
+ SecurityContext sc = createSecurityContext("alice", "manager");
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURI = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURI);
+ msg.put(SecurityContext.class, sc);
+
+ PolicyDecisionPoint pdp = new DummyPDP();
+ XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
+ authorizingInterceptor.handleMessage(msg);
+ }
+
+ @org.junit.Test
+ public void testDeny() throws Exception {
+ // Mock up a Security Context
+ SecurityContext sc = createSecurityContext("alice", "boss");
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURI = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURI);
+ msg.put(SecurityContext.class, sc);
+
+ PolicyDecisionPoint pdp = new DummyPDP();
+ XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
+
+ try {
+ authorizingInterceptor.handleMessage(msg);
+ fail("Failure expected on deny");
+ } catch (Exception ex) {
+ // Failure expected
+ }
+ }
+
+ private SecurityContext createSecurityContext(final String user, final String role) {
+ return new LoginSecurityContext() {
+
+ @Override
+ public Principal getUserPrincipal() {
+ return new Principal() {
+ public String getName() {
+ return user;
+ }
+ };
+ }
+
+ @Override
+ public boolean isUserInRole(String role) {
+ return false;
+ }
+
+ @Override
+ public Subject getSubject() {
+ return null;
+ }
+
+ @Override
+ public Set<Principal> getUserRoles() {
+ Set<Principal> principals = new HashSet<Principal>();
+ principals.add(new Principal() {
+ public String getName() {
+ return role;
+ }
+ });
+ return principals;
+ }
+
+ };
+ }
+
+}
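Review bot: `testDeny` catches `Exception` around the `handleMessage` call, so the test also passes when the interceptor fails for an unrelated reason (a NullPointerException from the mock context, an OpenSAML initialisation problem) rather than because access was denied, which lets a broken deny path go unnoticed. Narrow the catch to the exception the interceptor throws on deny — the deleted `AbstractXACMLAuthorizingInterceptor` on this page used `org.apache.cxf.interceptor.security.AccessDeniedException`, and presumably the `xacml2` version keeps it — i.e. `} catch (AccessDeniedException ex) {` with the matching import, or assert on `ex` inside the block. The fixture from `createSecurityContext` also answers `isUserInRole` with `false` for every role while `getUserRoles` returns the configured role, so a caller consulting the role check would disagree with one reading the role set; either make `isUserInRole` return `role.equals(...)` against the same value or add a comment `// interceptor is expected to read getUserRoles() only` so the discrepancy is explicit.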
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilderTest.java
new file mode 100644
index 0000000..cefa37a
--- /dev/null
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilderTest.java
@@ -0,0 +1,308 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+
+
+/**
+ * Some unit tests to create a XACML Request via the XACMLRequestBuilder interface.
+ */
+public class XACMLRequestBuilderTest extends org.junit.Assert {
+
+ static {
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+ }
+
+ @org.junit.Test
+ public void testXACMLRequestBuilder() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ }
+
+
+ @org.junit.Test
+ public void testAction() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURL);
+
+ DefaultXACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ String action =
+ request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
+ assertEquals("execute", action);
+
+ builder.setAction("write");
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ action =
+ request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
+ assertEquals("write", action);
+ }
+
+ @org.junit.Test
+ public void testEnvironment() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ assertFalse(request.getEnvironment().getAttributes().isEmpty());
+
+ ((DefaultXACMLRequestBuilder)builder).setSendDateTime(false);
+ request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+ assertTrue(request.getEnvironment().getAttributes().isEmpty());
+ }
+
+ @org.junit.Test
+ public void testSOAPResource() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ List<ResourceType> resources = request.getResources();
+ assertNotNull(resources);
+ assertEquals(1, resources.size());
+
+ ResourceType resource = resources.get(0);
+ assertEquals(4, resource.getAttributes().size());
+
+ boolean resourceIdSatisfied = false;
+ boolean soapServiceSatisfied = false;
+ boolean soapOperationSatisfied = false;
+ boolean resourceURISatisfied = false;
+ for (AttributeType attribute : resource.getAttributes()) {
+ String attributeValue = attribute.getAttributeValues().get(0).getValue();
+ if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
+ && "{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt".equals(
+ attributeValue)) {
+ resourceIdSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
+ && service.equals(attributeValue)) {
+ soapServiceSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
+ && operation.equals(attributeValue)) {
+ soapOperationSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
+ && resourceURL.equals(attributeValue)) {
+ resourceURISatisfied = true;
+ }
+ }
+
+ assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
+ && resourceURISatisfied);
+ }
+
+ @org.junit.Test
+ public void testSOAPResourceDifferentNamespace() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
+ String service = "{http://www.example.org/contract/DoubleItService}DoubleItService";
+ msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ List<ResourceType> resources = request.getResources();
+ assertNotNull(resources);
+ assertEquals(1, resources.size());
+
+ ResourceType resource = resources.get(0);
+ assertEquals(4, resource.getAttributes().size());
+
+ boolean resourceIdSatisfied = false;
+ boolean soapServiceSatisfied = false;
+ boolean soapOperationSatisfied = false;
+ boolean resourceURISatisfied = false;
+ String expectedResourceId =
+ service + "#" + operation;
+ for (AttributeType attribute : resource.getAttributes()) {
+ String attributeValue = attribute.getAttributeValues().get(0).getValue();
+ if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
+ && expectedResourceId.equals(attributeValue)) {
+ resourceIdSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
+ && service.equals(attributeValue)) {
+ soapServiceSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
+ && operation.equals(attributeValue)) {
+ soapOperationSatisfied = true;
+ } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
+ && resourceURL.equals(attributeValue)) {
+ resourceURISatisfied = true;
+ }
+ }
+
+ assertTrue(resourceIdSatisfied && soapServiceSatisfied && soapOperationSatisfied
+ && resourceURISatisfied);
+ }
+
+ @org.junit.Test
+ public void testRESTResource() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ MessageImpl msg = new MessageImpl();
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ List<ResourceType> resources = request.getResources();
+ assertNotNull(resources);
+ assertEquals(1, resources.size());
+
+ ResourceType resource = resources.get(0);
+ assertEquals(1, resource.getAttributes().size());
+
+ for (AttributeType attribute : resource.getAttributes()) {
+ String attributeValue = attribute.getAttributeValues().get(0).getValue();
+ assertEquals(attributeValue, resourceURL);
+ }
+ }
+
+ @org.junit.Test
+ public void testRESTResourceTruncatedURI() throws Exception {
+ // Mock up a request
+ Principal principal = new Principal() {
+ public String getName() {
+ return "alice";
+ }
+ };
+
+ MessageImpl msg = new MessageImpl();
+ String resourceURL = "https://localhost:8080/doubleit";
+ msg.put(Message.REQUEST_URL, resourceURL);
+ String resourceURI = "/doubleit";
+ msg.put(Message.REQUEST_URI, resourceURI);
+
+ XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(false);
+ RequestType request =
+ builder.createRequest(principal, Collections.singletonList("manager"), msg);
+ assertNotNull(request);
+
+ List<ResourceType> resources = request.getResources();
+ assertNotNull(resources);
+ assertEquals(1, resources.size());
+
+ ResourceType resource = resources.get(0);
+ assertEquals(1, resource.getAttributes().size());
+
+ for (AttributeType attribute : resource.getAttributes()) {
+ String attributeValue = attribute.getAttributeValues().get(0).getValue();
+ assertEquals(attributeValue, resourceURI);
+ }
+ }
+}
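Review bot: `testRESTResource` and `testRESTResourceTruncatedURI` pass the arguments to `assertEquals` as actual-then-expected (`assertEquals(attributeValue, resourceURL)`), so a failure message would label the two values backwards; swap them to `assertEquals(resourceURL, attributeValue)` and `assertEquals(resourceURI, attributeValue)`. In `testSOAPResource` and `testSOAPResourceDifferentNamespace` the four match flags are folded into a single `assertTrue(resourceIdSatisfied && soapServiceSatisfied && ...)`, which on failure gives no indication of which resource attribute was missing or carried the wrong value; four separate `assertTrue("resource-id", resourceIdSatisfied)`-style assertions would pinpoint it. The first two tests also store the full URL under `Message.REQUEST_URI` while the remaining tests store the same value under `Message.REQUEST_URL`; this may be deliberate to exercise both keys, but a one-line comment stating which key the default builder reads when `sendFullRequestURL` is on would stop a reader taking it for a typo.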
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java
index d149db1..aac677d 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/PolicyDecisionPointMockImpl.java
@@ -21,20 +21,8 @@ package org.apache.cxf.systest.ws.saml;
import java.util.List;
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
-import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.cxf.rt.security.saml.xacml2.PolicyDecisionPoint;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.xacml.XACMLObjectBuilder;
@@ -59,8 +47,7 @@ public class PolicyDecisionPointMockImpl implements PolicyDecisionPoint {
}
@Override
- public Source evaluate(Source request) {
- RequestType requestType = requestSourceToRequestType(request);
+ public ResponseType evaluate(RequestType requestType) {
XMLObjectBuilderFactory builderFactory =
XMLObjectProviderRegistrySupport.getBuilderFactory();
@@ -111,33 +98,7 @@ public class PolicyDecisionPointMockImpl implements PolicyDecisionPoint {
ResponseType response = responseTypeBuilder.buildObject();
response.getResults().add(result);
- return responseType2Source(response);
- }
-
- private RequestType requestSourceToRequestType(Source requestSource) {
- try {
- Transformer trans = TransformerFactory.newInstance().newTransformer();
- DOMResult res = new DOMResult();
- trans.transform(requestSource, res);
- Node nd = res.getNode();
- if (nd instanceof Document) {
- nd = ((Document)nd).getDocumentElement();
- }
- return (RequestType)OpenSAMLUtil.fromDom((Element)nd);
- } catch (Exception e) {
- throw new RuntimeException("Error converting pdp response to ResponseType", e);
- }
- }
-
- private Source responseType2Source(ResponseType response) {
- Document doc = DOMUtils.createDocument();
- Element responseElement;
- try {
- responseElement = OpenSAMLUtil.toDom(response, doc);
- } catch (WSSecurityException e) {
- throw new RuntimeException("Error converting PDP RequestType to Dom", e);
- }
- return new DOMSource(responseElement);
+ return response;
}
private String getSubjectRole(RequestType request) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
index 9d3895f..e0c7c00 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -230,7 +230,7 @@
</jaxws:features>
</jaxws:endpoint>
<bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" />
- <bean class="org.apache.cxf.rt.security.saml.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
+ <bean class="org.apache.cxf.rt.security.saml.xacml2.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
<constructor-arg ref="MockPDP"/>
</bean>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.saml.Server}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
index 91768b8..6651ff9 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
@@ -253,7 +253,7 @@
</jaxws:features>
</jaxws:endpoint>
<bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" />
- <bean class="org.apache.cxf.rt.security.saml.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
+ <bean class="org.apache.cxf.rt.security.saml.xacml2.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
<constructor-arg ref="MockPDP"/>
</bean>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.saml.StaxServer}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
[3/5] cxf git commit: Refactoring of XACML code
Posted by co...@apache.org.
Refactoring of XACML code
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8176b1b0
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8176b1b0
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8176b1b0
Branch: refs/heads/master
Commit: 8176b1b0faad2de44a4ff85083c74b5a4b74918a
Parents: 2804875
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 17 12:43:20 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 17 15:17:01 2015 +0100
----------------------------------------------------------------------
.../AbstractXACMLAuthorizingInterceptor.java | 167 ----------
.../saml/xacml/DefaultXACMLRequestBuilder.java | 218 -------------
.../saml/xacml/RequestComponentBuilder.java | 183 -----------
.../saml/xacml/SamlRequestComponentBuilder.java | 118 -------
.../saml/xacml/XACMLAuthorizingInterceptor.java | 89 ------
.../saml/xacml/XACMLRequestBuilder.java | 62 ----
.../saml/xacml/pdp/api/PolicyDecisionPoint.java | 35 ---
.../saml/xacml2/DefaultXACMLRequestBuilder.java | 210 +++++++++++++
.../saml/xacml2/PolicyDecisionPoint.java | 36 +++
.../saml/xacml2/RequestComponentBuilder.java | 183 +++++++++++
.../xacml2/SamlRequestComponentBuilder.java | 118 +++++++
.../xacml2/XACMLAuthorizingInterceptor.java | 167 ++++++++++
.../saml/xacml2/XACMLRequestBuilder.java | 45 +++
.../cxf/rt/security/saml/xacml/DummyPDP.java | 153 ---------
.../saml/xacml/RequestComponentBuilderTest.java | 222 -------------
.../xacml/SamlRequestComponentBuilderTest.java | 153 ---------
.../xacml/XACMLAuthorizingInterceptorTest.java | 127 --------
.../saml/xacml/XACMLRequestBuilderTest.java | 308 -------------------
.../cxf/rt/security/saml/xacml2/DummyPDP.java | 113 +++++++
.../xacml2/RequestComponentBuilderTest.java | 222 +++++++++++++
.../xacml2/SamlRequestComponentBuilderTest.java | 153 +++++++++
.../xacml2/XACMLAuthorizingInterceptorTest.java | 124 ++++++++
.../saml/xacml2/XACMLRequestBuilderTest.java | 308 +++++++++++++++++++
.../ws/saml/PolicyDecisionPointMockImpl.java | 45 +--
.../org/apache/cxf/systest/ws/saml/server.xml | 2 +-
.../apache/cxf/systest/ws/saml/stax-server.xml | 2 +-
26 files changed, 1684 insertions(+), 1879 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
deleted file mode 100644
index 69ca071..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/AbstractXACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,167 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusType;
-
-
-/**
- * An abstract interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- *
- * This class must be subclassed to actually perform the request to the PDP.
- */
-public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
-
- private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
-
- private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
-
- public AbstractXACMLAuthorizingInterceptor() {
- super(Phase.PRE_INVOKE);
- org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
- }
-
- public void handleMessage(Message message) throws Fault {
- SecurityContext sc = message.get(SecurityContext.class);
-
- if (sc instanceof LoginSecurityContext) {
- Principal principal = sc.getUserPrincipal();
-
- LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
- Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
- List<String> roles = new ArrayList<>();
- if (principalRoles != null) {
- for (Principal p : principalRoles) {
- if (p != principal) {
- roles.add(p.getName());
- }
- }
- }
-
- try {
- if (authorize(principal, roles, message)) {
- return;
- }
- } catch (Exception e) {
- LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
- throw new AccessDeniedException("Unauthorized");
- }
- } else {
- LOG.log(
- Level.FINE,
- "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
- + "is possible as a result"
- );
- }
-
- throw new AccessDeniedException("Unauthorized");
- }
-
- public XACMLRequestBuilder getRequestBuilder() {
- return requestBuilder;
- }
-
- public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
- this.requestBuilder = requestBuilder;
- }
-
- /**
- * Perform a (remote) authorization decision and return a boolean depending on the result
- */
- protected boolean authorize(
- Principal principal, List<String> roles, Message message
- ) throws Exception {
- RequestType request = requestBuilder.createRequest(principal, roles, message);
- if (LOG.isLoggable(Level.FINE)) {
- Document doc = DOMUtils.createDocument();
- Element requestElement = OpenSAMLUtil.toDom(request, doc);
- LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
- }
-
- ResponseType response = performRequest(request, message);
-
- List<ResultType> results = response.getResults();
-
- if (results == null) {
- return false;
- }
-
- for (ResultType result : results) {
- // Handle any Obligations returned by the PDP
- handleObligations(request, principal, message, result);
-
- DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
- String code = "";
- String statusMessage = "";
- if (result.getStatus() != null) {
- StatusType status = result.getStatus();
- code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
- statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
- }
- LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
- return decision == DECISION.Permit;
- }
-
- return false;
- }
-
- public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
-
- /**
- * Handle any Obligations returned by the PDP
- */
- protected void handleObligations(
- RequestType request,
- Principal principal,
- Message message,
- ResultType result
- ) throws Exception {
- // Do nothing by default
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
deleted file mode 100644
index 1040a56..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/DefaultXACMLRequestBuilder.java
+++ /dev/null
@@ -1,218 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.joda.time.DateTime;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
- * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
- * and the list of roles associated with that principal are inserted as Subject roles. The action
- * to send defaults to "execute".
- *
- * For a SOAP Service, the resource-id Attribute refers to the
- * "{serviceNamespace}serviceName#{operationNamespace}operationName" String (shortened to
- * "{serviceNamespace}serviceName#operationName" if the namespaces are identical). The
- * "{serviceNamespace}serviceName", "{operationNamespace}operationName" and resource URI are also
- * sent to simplify processing at the PDP side.
- *
- * For a REST service the request URL is the resource. You can also configure the ability to
- * send the truncated request URI instead for a SOAP or REST service. The current DateTime is
- * also sent in an Environment, however this can be disabled via configuration.
- *
- */
-public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
-
- private boolean sendDateTime = true;
- private String action = "execute";
- private boolean sendFullRequestURL = true;
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- */
- public RequestType createRequest(Principal principal, List<String> roles, Message message)
- throws Exception {
- CXFMessageParser messageParser = new CXFMessageParser(message);
- String issuer = messageParser.getIssuer();
-
- String actionToUse = messageParser.getAction(action);
-
- SubjectType subjectType = createSubjectType(principal, roles, issuer);
- ResourceType resourceType = createResourceType(messageParser);
- AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
- null, actionToUse);
- ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
-
- return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
- Collections.singletonList(resourceType),
- actionType,
- createEnvironmentType());
- }
-
- private ResourceType createResourceType(CXFMessageParser messageParser) {
- List<AttributeType> attributes = new ArrayList<>();
-
- // Resource-id
- String resourceId = null;
- boolean isSoapService = messageParser.isSOAPService();
- if (isSoapService) {
- QName serviceName = messageParser.getWSDLService();
- QName operationName = messageParser.getWSDLOperation();
-
- if (serviceName != null) {
- resourceId = serviceName.toString() + "#";
- if (serviceName.getNamespaceURI() != null
- && serviceName.getNamespaceURI().equals(operationName.getNamespaceURI())) {
- resourceId += operationName.getLocalPart();
- } else {
- resourceId += operationName.toString();
- }
- } else {
- resourceId = operationName.toString();
- }
- } else {
- resourceId = messageParser.getResourceURI(sendFullRequestURL);
- }
-
- attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
- resourceId));
-
- if (isSoapService) {
- // WSDL Service
- QName wsdlService = messageParser.getWSDLService();
- if (wsdlService != null) {
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_SERVICE_ID, XACMLConstants.XS_STRING, null,
- wsdlService.toString()));
- }
-
- // WSDL Operation
- QName wsdlOperation = messageParser.getWSDLOperation();
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_OPERATION_ID, XACMLConstants.XS_STRING, null,
- wsdlOperation.toString()));
-
- // WSDL Endpoint
- String endpointURI = messageParser.getResourceURI(sendFullRequestURL);
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_ENDPOINT, XACMLConstants.XS_STRING, null,
- endpointURI));
- }
-
- return RequestComponentBuilder.createResourceType(attributes, null);
- }
-
- private EnvironmentType createEnvironmentType() {
- if (sendDateTime) {
- List<AttributeType> attributes = new ArrayList<>();
- AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
- XACMLConstants.XS_DATETIME, null,
- new DateTime().toString());
- attributes.add(environmentAttribute);
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- List<AttributeType> attributes = Collections.emptyList();
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- private SubjectType createSubjectType(Principal principal, List<String> roles, String issuer) {
- List<AttributeType> attributes = new ArrayList<>();
- attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
- principal.getName()));
-
- if (roles != null) {
- List<AttributeValueType> roleAttributes = new ArrayList<>();
- for (String role : roles) {
- if (role != null) {
- AttributeValueType subjectRoleAttributeValue =
- RequestComponentBuilder.createAttributeValueType(role);
- roleAttributes.add(subjectRoleAttributeValue);
- }
- }
-
- if (!roleAttributes.isEmpty()) {
- AttributeType subjectRoleAttribute =
- createAttribute(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- issuer,
- roleAttributes
- );
- attributes.add(subjectRoleAttribute);
- }
- }
-
- return RequestComponentBuilder.createSubjectType(attributes, null);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, List<AttributeValueType> values) {
- return RequestComponentBuilder.createAttributeType(id, type, issuer, values);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, String value) {
- return createAttribute(id, type, issuer,
- Collections.singletonList(RequestComponentBuilder.createAttributeValueType(value)));
- }
-
- /**
- * Set a new Action String to use
- */
- public void setAction(String action) {
- this.action = action;
- }
-
- public void setSendDateTime(boolean sendDateTime) {
- this.sendDateTime = sendDateTime;
- }
-
- /**
- * Whether to send the full Request URL as the resource or not. If set to true,
- * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
- * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
- * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
- */
- public void setSendFullRequestURL(boolean sendFullRequestURL) {
- this.sendFullRequestURL = sendFullRequestURL;
- }
-
- @Override
- public List<String> getResources(Message message) {
- throw new IllegalAccessError("Deprecated");
- }
-
- @Override
- public String getResource(Message message) {
- throw new IllegalAccessError("Deprecated");
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilder.java
deleted file mode 100644
index 08f8da8..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/RequestComponentBuilder.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.util.List;
-
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceContentType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * A set of utility methods to construct XACML 2.0 Request statements
- */
-public final class RequestComponentBuilder {
- private static volatile XACMLObjectBuilder<AttributeValueType> attributeValueTypeBuilder;
-
- private static volatile XACMLObjectBuilder<AttributeType> attributeTypeBuilder;
-
- private static volatile XACMLObjectBuilder<SubjectType> subjectTypeBuilder;
-
- private static volatile XACMLObjectBuilder<ResourceType> resourceTypeBuilder;
-
- private static volatile XACMLObjectBuilder<ActionType> actionTypeBuilder;
-
- private static volatile XACMLObjectBuilder<EnvironmentType> environmentTypeBuilder;
-
- private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder;
-
- private static volatile XMLObjectBuilderFactory builderFactory =
- XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- private RequestComponentBuilder() {
- // complete
- }
-
- @SuppressWarnings("unchecked")
- public static AttributeValueType createAttributeValueType(
- String value
- ) {
- if (attributeValueTypeBuilder == null) {
- attributeValueTypeBuilder = (XACMLObjectBuilder<AttributeValueType>)
- builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
- }
- AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
- attributeValue.setValue(value);
-
- return attributeValue;
- }
-
- @SuppressWarnings("unchecked")
- public static AttributeType createAttributeType(
- String attributeId,
- String dataType,
- String issuer,
- List<AttributeValueType> attributeValues
- ) {
- if (attributeTypeBuilder == null) {
- attributeTypeBuilder = (XACMLObjectBuilder<AttributeType>)
- builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
- }
- AttributeType attributeType = attributeTypeBuilder.buildObject();
- attributeType.setAttributeID(attributeId);
- attributeType.setDataType(dataType);
- attributeType.setIssuer(issuer);
- attributeType.getAttributeValues().addAll(attributeValues);
-
- return attributeType;
- }
-
- @SuppressWarnings("unchecked")
- public static SubjectType createSubjectType(
- List<AttributeType> attributes,
- String subjectCategory
- ) {
- if (subjectTypeBuilder == null) {
- subjectTypeBuilder = (XACMLObjectBuilder<SubjectType>)
- builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
- }
- SubjectType subject = subjectTypeBuilder.buildObject();
- if (attributes != null) {
- subject.getAttributes().addAll(attributes);
- }
- subject.setSubjectCategory(subjectCategory);
-
- return subject;
- }
-
- @SuppressWarnings("unchecked")
- public static ResourceType createResourceType(
- List<AttributeType> attributes,
- ResourceContentType resourceContent
- ) {
- if (resourceTypeBuilder == null) {
- resourceTypeBuilder = (XACMLObjectBuilder<ResourceType>)
- builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
- }
- ResourceType resource = resourceTypeBuilder.buildObject();
- if (attributes != null) {
- resource.getAttributes().addAll(attributes);
- }
- resource.setResourceContent(resourceContent);
-
- return resource;
- }
-
- @SuppressWarnings("unchecked")
- public static ActionType createActionType(
- List<AttributeType> attributes
- ) {
- if (actionTypeBuilder == null) {
- actionTypeBuilder = (XACMLObjectBuilder<ActionType>)
- builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
- }
- ActionType action = actionTypeBuilder.buildObject();
- if (attributes != null) {
- action.getAttributes().addAll(attributes);
- }
-
- return action;
- }
-
- @SuppressWarnings("unchecked")
- public static EnvironmentType createEnvironmentType(
- List<AttributeType> attributes
- ) {
- if (environmentTypeBuilder == null) {
- environmentTypeBuilder = (XACMLObjectBuilder<EnvironmentType>)
- builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
- }
- EnvironmentType enviroment = environmentTypeBuilder.buildObject();
- if (attributes != null) {
- enviroment.getAttributes().addAll(attributes);
- }
-
- return enviroment;
- }
-
- @SuppressWarnings("unchecked")
- public static RequestType createRequestType(
- List<SubjectType> subjects,
- List<ResourceType> resources,
- ActionType action,
- EnvironmentType environment
- ) {
- if (requestTypeBuilder == null) {
- requestTypeBuilder = (XACMLObjectBuilder<RequestType>)
- builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
- }
- RequestType request = requestTypeBuilder.buildObject();
- request.getSubjects().addAll(subjects);
- request.getResources().addAll(resources);
- request.setAction(action);
- request.setEnvironment(environment);
-
- return request;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilder.java
deleted file mode 100644
index c0d8255..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/SamlRequestComponentBuilder.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.util.UUID;
-
-import org.joda.time.DateTime;
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.saml.common.SAMLObjectBuilder;
-import org.opensaml.saml.common.SAMLVersion;
-import org.opensaml.saml.saml2.core.Issuer;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
-import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
-
-/**
- * A set of utility methods to construct XACML SAML Request statements, based on the
- * SAML 2.0 profile of XACML v2.0 specification.
- */
-public final class SamlRequestComponentBuilder {
- private static volatile XACMLObjectBuilder<XACMLAuthzDecisionQueryType> xacmlAuthzDecisionQueryTypeBuilder;
-
- private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
-
- private static volatile XMLObjectBuilderFactory builderFactory =
- XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- private SamlRequestComponentBuilder() {
- // complete
- }
-
- /**
- * Create an AuthzDecisionQuery using the defaults
- */
- public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
- String issuerValue,
- RequestType request,
- String namespace
- ) {
- return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
- }
-
- @SuppressWarnings("unchecked")
- public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
- boolean inputContextOnly,
- boolean returnContext,
- String issuerValue,
- RequestType request,
- String namespace
- ) {
- if (xacmlAuthzDecisionQueryTypeBuilder == null) {
- xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>)
- builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
- }
- XACMLAuthzDecisionQueryType authzQuery =
- xacmlAuthzDecisionQueryTypeBuilder.buildObject(
- namespace,
- XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
- SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
- );
- authzQuery.setID("_" + UUID.randomUUID().toString());
- authzQuery.setVersion(SAMLVersion.VERSION_20);
- authzQuery.setIssueInstant(new DateTime());
- authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
- authzQuery.setReturnContext(Boolean.valueOf(returnContext));
-
- if (issuerValue != null) {
- Issuer issuer = createIssuer(issuerValue);
- authzQuery.setIssuer(issuer);
- }
-
- authzQuery.setRequest(request);
-
- return authzQuery;
- }
-
-
- /**
- * Create an Issuer object
- *
- * @param issuerValue of type String
- * @return an Issuer object
- */
- @SuppressWarnings("unchecked")
- public static Issuer createIssuer(String issuerValue) {
- if (issuerBuilder == null) {
- issuerBuilder = (SAMLObjectBuilder<Issuer>)
- builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
-
- }
- Issuer issuer = issuerBuilder.buildObject();
- //
- // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD
- // be unambiguous to the intended relying parties.
- issuer.setValue(issuerValue);
- return issuer;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
deleted file mode 100644
index 78875a3..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import javax.xml.XMLConstants;
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-
-/**
- * An interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- */
-public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
- private PolicyDecisionPoint pdp;
-
- public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
- super();
- this.pdp = pdp;
- }
-
- @Override
- public ResponseType performRequest(RequestType request, Message message) throws Exception {
- Source requestSource = requestType2Source(request);
- Source responseSource = this.pdp.evaluate(requestSource);
- return responseSourceToResponseType(responseSource);
- }
-
- private Source requestType2Source(RequestType request) {
- Document doc = DOMUtils.createDocument();
- Element requestElement;
- try {
- requestElement = OpenSAMLUtil.toDom(request, doc);
- } catch (WSSecurityException e) {
- throw new RuntimeException("Error converting PDP RequestType to Dom", e);
- }
- return new DOMSource(requestElement);
- }
-
- private ResponseType responseSourceToResponseType(Source responseSource) {
- try {
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
- transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- Transformer transformer = transformerFactory.newTransformer();
-
- DOMResult res = new DOMResult();
- transformer.transform(responseSource, res);
- Node nd = res.getNode();
- if (nd instanceof Document) {
- nd = ((Document)nd).getDocumentElement();
- }
- return (ResponseType)OpenSAMLUtil.fromDom((Element)nd);
- } catch (Exception e) {
- throw new RuntimeException("Error converting pdp response to ResponseType", e);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
deleted file mode 100644
index d3bd32c..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/XACMLRequestBuilder.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.security.Principal;
-import java.util.List;
-
-import org.apache.cxf.message.Message;
-import org.opensaml.xacml.ctx.RequestType;
-
-
-/**
- * This interface defines a way to create an XACML Request.
- */
-public interface XACMLRequestBuilder {
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- *
- * @param principal The principal to insert into the Subject of the Request
- * @param roles The list of roles associated with the principal
- * @param message The Message from which to retrieve the resource
- * @return An OpenSAML RequestType object
- * @throws Exception
- */
- RequestType createRequest(Principal principal, List<String> roles, Message message) throws Exception;
-
- /**
- * Return the list of Resources that have been inserted into the Request.
- *
- * @param message The Message from which to retrieve the resource
- * @return the list of Resources that have been inserted into the Request
- */
- @Deprecated
- List<String> getResources(Message message);
-
- /**
- * Return the Resource that has been inserted into the Request.
- *
- * @param message The Message from which to retrieve the resource
- * @return the Resource that has been inserted into the Request
- */
- @Deprecated
- String getResource(Message message);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pdp/api/PolicyDecisionPoint.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pdp/api/PolicyDecisionPoint.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pdp/api/PolicyDecisionPoint.java
deleted file mode 100644
index 80e1623..0000000
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml/pdp/api/PolicyDecisionPoint.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.saml.xacml.pdp.api;
-
-import javax.xml.transform.Source;
-
-/**
- * An interface that describes a PolicyDecisionPoint (PDP).
- */
-public interface PolicyDecisionPoint {
-
- /**
- * Evaluate an XACML Request and return a Response
- * @param request an XACML Request as a Source
- * @return the XACML Response as a Source
- */
- Source evaluate(Source request);
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
new file mode 100644
index 0000000..468d875
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
@@ -0,0 +1,210 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rt.security.saml.xacml.CXFMessageParser;
+import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
+import org.joda.time.DateTime;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+/**
+ * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
+ * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
+ * and the list of roles associated with that principal are inserted as Subject roles. The action
+ * to send defaults to "execute".
+ *
+ * For a SOAP Service, the resource-id Attribute refers to the
+ * "{serviceNamespace}serviceName#{operationNamespace}operationName" String (shortened to
+ * "{serviceNamespace}serviceName#operationName" if the namespaces are identical). The
+ * "{serviceNamespace}serviceName", "{operationNamespace}operationName" and resource URI are also
+ * sent to simplify processing at the PDP side.
+ *
+ * For a REST service the request URL is the resource. You can also configure the ability to
+ * send the truncated request URI instead for a SOAP or REST service. The current DateTime is
+ * also sent in an Environment, however this can be disabled via configuration.
+ *
+ */
+public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
+
+ private boolean sendDateTime = true;
+ private String action = "execute";
+ private boolean sendFullRequestURL = true;
+
+ /**
+ * Create an XACML Request given a Principal, list of roles and Message.
+ */
+ public RequestType createRequest(Principal principal, List<String> roles, Message message)
+ throws Exception {
+ CXFMessageParser messageParser = new CXFMessageParser(message);
+ String issuer = messageParser.getIssuer();
+
+ String actionToUse = messageParser.getAction(action);
+
+ SubjectType subjectType = createSubjectType(principal, roles, issuer);
+ ResourceType resourceType = createResourceType(messageParser);
+ AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
+ null, actionToUse);
+ ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
+
+ return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
+ Collections.singletonList(resourceType),
+ actionType,
+ createEnvironmentType());
+ }
+
+ private ResourceType createResourceType(CXFMessageParser messageParser) {
+ List<AttributeType> attributes = new ArrayList<>();
+
+ // Resource-id
+ String resourceId = null;
+ boolean isSoapService = messageParser.isSOAPService();
+ if (isSoapService) {
+ QName serviceName = messageParser.getWSDLService();
+ QName operationName = messageParser.getWSDLOperation();
+
+ if (serviceName != null) {
+ resourceId = serviceName.toString() + "#";
+ if (serviceName.getNamespaceURI() != null
+ && serviceName.getNamespaceURI().equals(operationName.getNamespaceURI())) {
+ resourceId += operationName.getLocalPart();
+ } else {
+ resourceId += operationName.toString();
+ }
+ } else {
+ resourceId = operationName.toString();
+ }
+ } else {
+ resourceId = messageParser.getResourceURI(sendFullRequestURL);
+ }
+
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
+ resourceId));
+
+ if (isSoapService) {
+ // WSDL Service
+ QName wsdlService = messageParser.getWSDLService();
+ if (wsdlService != null) {
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_SERVICE_ID, XACMLConstants.XS_STRING, null,
+ wsdlService.toString()));
+ }
+
+ // WSDL Operation
+ QName wsdlOperation = messageParser.getWSDLOperation();
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_OPERATION_ID, XACMLConstants.XS_STRING, null,
+ wsdlOperation.toString()));
+
+ // WSDL Endpoint
+ String endpointURI = messageParser.getResourceURI(sendFullRequestURL);
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_ENDPOINT, XACMLConstants.XS_STRING, null,
+ endpointURI));
+ }
+
+ return RequestComponentBuilder.createResourceType(attributes, null);
+ }
+
+ private EnvironmentType createEnvironmentType() {
+ if (sendDateTime) {
+ List<AttributeType> attributes = new ArrayList<>();
+ AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
+ XACMLConstants.XS_DATETIME, null,
+ new DateTime().toString());
+ attributes.add(environmentAttribute);
+ return RequestComponentBuilder.createEnvironmentType(attributes);
+ }
+
+ List<AttributeType> attributes = Collections.emptyList();
+ return RequestComponentBuilder.createEnvironmentType(attributes);
+ }
+
+ private SubjectType createSubjectType(Principal principal, List<String> roles, String issuer) {
+ List<AttributeType> attributes = new ArrayList<>();
+ attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
+ principal.getName()));
+
+ if (roles != null) {
+ List<AttributeValueType> roleAttributes = new ArrayList<>();
+ for (String role : roles) {
+ if (role != null) {
+ AttributeValueType subjectRoleAttributeValue =
+ RequestComponentBuilder.createAttributeValueType(role);
+ roleAttributes.add(subjectRoleAttributeValue);
+ }
+ }
+
+ if (!roleAttributes.isEmpty()) {
+ AttributeType subjectRoleAttribute =
+ createAttribute(
+ XACMLConstants.SUBJECT_ROLE,
+ XACMLConstants.XS_ANY_URI,
+ issuer,
+ roleAttributes
+ );
+ attributes.add(subjectRoleAttribute);
+ }
+ }
+
+ return RequestComponentBuilder.createSubjectType(attributes, null);
+ }
+
+ private AttributeType createAttribute(String id, String type, String issuer, List<AttributeValueType> values) {
+ return RequestComponentBuilder.createAttributeType(id, type, issuer, values);
+ }
+
+ private AttributeType createAttribute(String id, String type, String issuer, String value) {
+ return createAttribute(id, type, issuer,
+ Collections.singletonList(RequestComponentBuilder.createAttributeValueType(value)));
+ }
+
+ /**
+ * Set a new Action String to use
+ */
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public void setSendDateTime(boolean sendDateTime) {
+ this.sendDateTime = sendDateTime;
+ }
+
+ /**
+ * Whether to send the full Request URL as the resource or not. If set to true,
+ * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
+ * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
+ * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
+ */
+ public void setSendFullRequestURL(boolean sendFullRequestURL) {
+ this.sendFullRequestURL = sendFullRequestURL;
+ }
+
+}
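Review bot: The Javadoc on setSendFullRequestURL says false is the default, but the field is initialised as `private boolean sendFullRequestURL = true;`, so either the comment or the default is wrong; if true is intended, the sentence should read `If set to false, a JAX-WS service will send the "{namespace}operation" QName ...` with the "(the default)" moved to the true case. In createResourceType the `operationName` returned by messageParser.getWSDLOperation() is dereferenced on every SOAP path (`operationName.getNamespaceURI()`, `operationName.toString()`, and again as `wsdlOperation.toString()`) with no null guard, while `serviceName` is guarded; if getWSDLOperation can return null (not visible here) that is a NullPointerException, which the interceptor would turn into a deny, so it fails closed but with an opaque cause. setSendDateTime has no Javadoc; a one-liner such as `Whether to include the current DateTime as an Environment attribute in the Request (default true).` would match the other setters.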
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java
new file mode 100644
index 0000000..1bf1bdb
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/PolicyDecisionPoint.java
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+
+/**
+ * An interface that describes a PolicyDecisionPoint (PDP).
+ */
+public interface PolicyDecisionPoint {
+
+ /**
+ * Evaluate an XACML Request and return a Response
+ * @param request an XACML Request as a RequestType
+ * @return the XACML Response as a ResponseType
+ */
+ ResponseType evaluate(RequestType request);
+
+}
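Review bot: The evaluate contract does not say whether implementations may return null or how a failure to reach the PDP is reported; the method declares no checked exception, and XACMLAuthorizingInterceptor in this commit calls `response.getResults()` on the return value directly, so a null would surface as a NullPointerException rather than a clear denial. Suggest extending the Javadoc with `Implementations must not return null; if the request cannot be evaluated an unchecked exception should be thrown, which the PEP treats as a deny.`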
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilder.java
new file mode 100644
index 0000000..61d1a61
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilder.java
@@ -0,0 +1,183 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.util.List;
+
+import org.opensaml.core.xml.XMLObjectBuilderFactory;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceContentType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+/**
+ * A set of utility methods to construct XACML 2.0 Request statements
+ */
+public final class RequestComponentBuilder {
+ private static volatile XACMLObjectBuilder<AttributeValueType> attributeValueTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<AttributeType> attributeTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<SubjectType> subjectTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<ResourceType> resourceTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<ActionType> actionTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<EnvironmentType> environmentTypeBuilder;
+
+ private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder;
+
+ private static volatile XMLObjectBuilderFactory builderFactory =
+ XMLObjectProviderRegistrySupport.getBuilderFactory();
+
+ private RequestComponentBuilder() {
+ // complete
+ }
+
+ @SuppressWarnings("unchecked")
+ public static AttributeValueType createAttributeValueType(
+ String value
+ ) {
+ if (attributeValueTypeBuilder == null) {
+ attributeValueTypeBuilder = (XACMLObjectBuilder<AttributeValueType>)
+ builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
+ }
+ AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
+ attributeValue.setValue(value);
+
+ return attributeValue;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static AttributeType createAttributeType(
+ String attributeId,
+ String dataType,
+ String issuer,
+ List<AttributeValueType> attributeValues
+ ) {
+ if (attributeTypeBuilder == null) {
+ attributeTypeBuilder = (XACMLObjectBuilder<AttributeType>)
+ builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
+ }
+ AttributeType attributeType = attributeTypeBuilder.buildObject();
+ attributeType.setAttributeID(attributeId);
+ attributeType.setDataType(dataType);
+ attributeType.setIssuer(issuer);
+ attributeType.getAttributeValues().addAll(attributeValues);
+
+ return attributeType;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static SubjectType createSubjectType(
+ List<AttributeType> attributes,
+ String subjectCategory
+ ) {
+ if (subjectTypeBuilder == null) {
+ subjectTypeBuilder = (XACMLObjectBuilder<SubjectType>)
+ builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
+ }
+ SubjectType subject = subjectTypeBuilder.buildObject();
+ if (attributes != null) {
+ subject.getAttributes().addAll(attributes);
+ }
+ subject.setSubjectCategory(subjectCategory);
+
+ return subject;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static ResourceType createResourceType(
+ List<AttributeType> attributes,
+ ResourceContentType resourceContent
+ ) {
+ if (resourceTypeBuilder == null) {
+ resourceTypeBuilder = (XACMLObjectBuilder<ResourceType>)
+ builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
+ }
+ ResourceType resource = resourceTypeBuilder.buildObject();
+ if (attributes != null) {
+ resource.getAttributes().addAll(attributes);
+ }
+ resource.setResourceContent(resourceContent);
+
+ return resource;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static ActionType createActionType(
+ List<AttributeType> attributes
+ ) {
+ if (actionTypeBuilder == null) {
+ actionTypeBuilder = (XACMLObjectBuilder<ActionType>)
+ builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
+ }
+ ActionType action = actionTypeBuilder.buildObject();
+ if (attributes != null) {
+ action.getAttributes().addAll(attributes);
+ }
+
+ return action;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static EnvironmentType createEnvironmentType(
+ List<AttributeType> attributes
+ ) {
+ if (environmentTypeBuilder == null) {
+ environmentTypeBuilder = (XACMLObjectBuilder<EnvironmentType>)
+ builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
+ }
+ EnvironmentType enviroment = environmentTypeBuilder.buildObject();
+ if (attributes != null) {
+ enviroment.getAttributes().addAll(attributes);
+ }
+
+ return enviroment;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static RequestType createRequestType(
+ List<SubjectType> subjects,
+ List<ResourceType> resources,
+ ActionType action,
+ EnvironmentType environment
+ ) {
+ if (requestTypeBuilder == null) {
+ requestTypeBuilder = (XACMLObjectBuilder<RequestType>)
+ builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
+ }
+ RequestType request = requestTypeBuilder.buildObject();
+ request.getSubjects().addAll(subjects);
+ request.getResources().addAll(resources);
+ request.setAction(action);
+ request.setEnvironment(environment);
+
+ return request;
+ }
+
+}
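Review bot: createRequestType does not null-check `subjects` and `resources` before `request.getSubjects().addAll(subjects)` and `request.getResources().addAll(resources)`, whereas createSubjectType, createResourceType, createActionType and createEnvironmentType all guard their list with `if (attributes != null)`; either guard these too or document that the lists must be non-null (DefaultXACMLRequestBuilder always passes singleton lists, so today this is only an API inconsistency). `builderFactory` is assigned exactly once from XMLObjectProviderRegistrySupport.getBuilderFactory() and never reassigned, so it should be `private static final` rather than `volatile`; the same applies to `builderFactory` in SamlRequestComponentBuilder. The volatile check-then-assign on the per-type builders is a benign race that can build a builder twice; that is fine only if getBuilder is side-effect free, which deserves a one-line comment on the first such field. The local `enviroment` in createEnvironmentType is misspelled (`environment`), and none of the public static factory methods carries Javadoc.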
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
new file mode 100644
index 0000000..674dc67
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
@@ -0,0 +1,118 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.util.UUID;
+
+import org.joda.time.DateTime;
+import org.opensaml.core.xml.XMLObjectBuilderFactory;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.saml.common.SAMLObjectBuilder;
+import org.opensaml.saml.common.SAMLVersion;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
+import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
+
+/**
+ * A set of utility methods to construct XACML SAML Request statements, based on the
+ * SAML 2.0 profile of XACML v2.0 specification.
+ */
+public final class SamlRequestComponentBuilder {
+ private static volatile XACMLObjectBuilder<XACMLAuthzDecisionQueryType> xacmlAuthzDecisionQueryTypeBuilder;
+
+ private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
+
+ private static volatile XMLObjectBuilderFactory builderFactory =
+ XMLObjectProviderRegistrySupport.getBuilderFactory();
+
+ private SamlRequestComponentBuilder() {
+ // complete
+ }
+
+ /**
+ * Create an AuthzDecisionQuery using the defaults
+ */
+ public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
+ String issuerValue,
+ RequestType request,
+ String namespace
+ ) {
+ return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
+ }
+
+ @SuppressWarnings("unchecked")
+ public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
+ boolean inputContextOnly,
+ boolean returnContext,
+ String issuerValue,
+ RequestType request,
+ String namespace
+ ) {
+ if (xacmlAuthzDecisionQueryTypeBuilder == null) {
+ xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>)
+ builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
+ }
+ XACMLAuthzDecisionQueryType authzQuery =
+ xacmlAuthzDecisionQueryTypeBuilder.buildObject(
+ namespace,
+ XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
+ SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
+ );
+ authzQuery.setID("_" + UUID.randomUUID().toString());
+ authzQuery.setVersion(SAMLVersion.VERSION_20);
+ authzQuery.setIssueInstant(new DateTime());
+ authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
+ authzQuery.setReturnContext(Boolean.valueOf(returnContext));
+
+ if (issuerValue != null) {
+ Issuer issuer = createIssuer(issuerValue);
+ authzQuery.setIssuer(issuer);
+ }
+
+ authzQuery.setRequest(request);
+
+ return authzQuery;
+ }
+
+
+ /**
+ * Create an Issuer object
+ *
+ * @param issuerValue of type String
+ * @return an Issuer object
+ */
+ @SuppressWarnings("unchecked")
+ public static Issuer createIssuer(String issuerValue) {
+ if (issuerBuilder == null) {
+ issuerBuilder = (SAMLObjectBuilder<Issuer>)
+ builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
+
+ }
+ Issuer issuer = issuerBuilder.buildObject();
+ //
+ // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD
+ // be unambiguous to the intended relying parties.
+ issuer.setValue(issuerValue);
+ return issuer;
+ }
+
+}
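Review bot: The five-argument createAuthzDecisionQuery overload has no Javadoc while the three-argument overload and createIssuer do; the two flags it sets verbatim via setInputContextOnly/setReturnContext should be explained with `@param inputContextOnly whether the PDP must decide using only the attributes in the supplied Request (SAML 2.0 profile of XACML)` and `@param returnContext whether the PDP should include the Request context in its Response`. The `namespace` parameter, which selects the element namespace passed to buildObject, also merits a `@param` so callers know it must match the XACML protocol version of the PDP.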
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
new file mode 100644
index 0000000..ca76382
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
@@ -0,0 +1,167 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.util.DOM2Writer;
+import org.opensaml.xacml.ctx.DecisionType.DECISION;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusType;
+
+/**
+ * An interceptor to perform an XACML authorization request to a remote PDP,
+ * and make an authorization decision based on the response. It takes the principal and roles
+ * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
+ * statement.
+ */
+public class XACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
+ private static final Logger LOG = LogUtils.getL7dLogger(XACMLAuthorizingInterceptor.class);
+
+ private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
+ private PolicyDecisionPoint pdp;
+
+ public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
+ super(Phase.PRE_INVOKE);
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+ this.pdp = pdp;
+ }
+
+ public void handleMessage(Message message) throws Fault {
+ SecurityContext sc = message.get(SecurityContext.class);
+
+ if (sc instanceof LoginSecurityContext) {
+ Principal principal = sc.getUserPrincipal();
+
+ LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
+ Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
+ List<String> roles = new ArrayList<>();
+ if (principalRoles != null) {
+ for (Principal p : principalRoles) {
+ if (p != principal) {
+ roles.add(p.getName());
+ }
+ }
+ }
+
+ try {
+ if (authorize(principal, roles, message)) {
+ return;
+ }
+ } catch (Exception e) {
+ LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
+ throw new AccessDeniedException("Unauthorized");
+ }
+ } else {
+ LOG.log(
+ Level.FINE,
+ "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
+ + "is possible as a result"
+ );
+ }
+
+ throw new AccessDeniedException("Unauthorized");
+ }
+
+ public XACMLRequestBuilder getRequestBuilder() {
+ return requestBuilder;
+ }
+
+ public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
+ this.requestBuilder = requestBuilder;
+ }
+
+ /**
+ * Perform a (remote) authorization decision and return a boolean depending on the result
+ */
+ protected boolean authorize(
+ Principal principal, List<String> roles, Message message
+ ) throws Exception {
+ RequestType request = requestBuilder.createRequest(principal, roles, message);
+ if (LOG.isLoggable(Level.FINE)) {
+ Document doc = DOMUtils.createDocument();
+ Element requestElement = OpenSAMLUtil.toDom(request, doc);
+ LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
+ }
+
+ ResponseType response = performRequest(request, message);
+
+ List<ResultType> results = response.getResults();
+
+ if (results == null) {
+ return false;
+ }
+
+ for (ResultType result : results) {
+ // Handle any Obligations returned by the PDP
+ handleObligations(request, principal, message, result);
+
+ DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
+ String code = "";
+ String statusMessage = "";
+ if (result.getStatus() != null) {
+ StatusType status = result.getStatus();
+ code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
+ statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
+ }
+ LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
+ return decision == DECISION.Permit;
+ }
+
+ return false;
+ }
+
+ /**
+ * Handle any Obligations returned by the PDP
+ */
+ protected void handleObligations(
+ RequestType request,
+ Principal principal,
+ Message message,
+ ResultType result
+ ) throws Exception {
+ // Do nothing by default
+ }
+
+ protected ResponseType performRequest(RequestType request, Message message) throws Exception {
+ return this.pdp.evaluate(request);
+ }
+
+}
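Review bot: In authorize, the `for (ResultType result : results)` loop returns on its first iteration (`return decision == DECISION.Permit;`), so when the PDP returns more than one Result only the first one decides and obligations on the remaining Results are never passed to handleObligations; a PEP should require every Result to be Permit. Change the last statement of the loop body to `if (decision != DECISION.Permit) { return false; }` and the trailing `return false;` after the loop to `return !results.isEmpty();`, which keeps the deny for an empty result list. The default handleObligations is a no-op, so obligations attached to a Permit are silently dropped; XACML requires a PEP that cannot discharge an obligation to deny, so its Javadoc should state `Subclasses that cannot fulfil an obligation must throw to deny access; the default implementation ignores all obligations.` handleMessage is also missing `@Override`.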
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java
new file mode 100644
index 0000000..8aa6e4c
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLRequestBuilder.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.security.Principal;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.opensaml.xacml.ctx.RequestType;
+
+
+/**
+ * This interface defines a way to create an XACML Request.
+ */
+public interface XACMLRequestBuilder {
+
+ /**
+ * Create an XACML Request given a Principal, list of roles and Message.
+ *
+ * @param principal The principal to insert into the Subject of the Request
+ * @param roles The list of roles associated with the principal
+ * @param message The Message from which to retrieve the resource
+ * @return An OpenSAML RequestType object
+ * @throws Exception
+ */
+ RequestType createRequest(Principal principal, List<String> roles, Message message) throws Exception;
+
+}
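Review bot: The `@throws Exception` tag on createRequest has no description; XACMLAuthorizingInterceptor catches any exception from this call and converts it to AccessDeniedException, so the contract should say so, e.g. `@throws Exception if the Request cannot be built; the calling interceptor treats this as an authorization failure`. Declaring a bare `throws Exception` on an interface method also forces every caller into a broad catch; a narrower checked type or an unchecked exception would be cleaner, though that is a wider API change than this commit.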
http://git-wip-us.apache.org/repos/asf/cxf/blob/8176b1b0/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/DummyPDP.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/DummyPDP.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/DummyPDP.java
deleted file mode 100644
index a096208..0000000
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml/DummyPDP.java
+++ /dev/null
@@ -1,153 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.saml.xacml;
-
-import java.util.List;
-
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rt.security.saml.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.DecisionType;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusCodeType;
-import org.opensaml.xacml.ctx.StatusType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * A test implementation of AbstractXACMLAuthorizingInterceptor. It just mocks up a Response
- * object based on the role of the Subject. If the role is "manager" then it permits the
- * request, otherwise it denies it.
- */
-public class DummyPDP implements PolicyDecisionPoint {
-
- public Source evaluate(Source requestSource) {
- RequestType request = requestSourceToRequestType(requestSource);
- String role = getSubjectRole(request);
- DECISION decision = "manager".equals(role) ? DecisionType.DECISION.Permit : DecisionType.DECISION.Deny;
- ResponseType response = createResponse(decision);
- return responseType2Source(response);
- }
-
- private RequestType requestSourceToRequestType(Source requestSource) {
- try {
- Transformer trans = TransformerFactory.newInstance().newTransformer();
- DOMResult res = new DOMResult();
- trans.transform(requestSource, res);
- Node nd = res.getNode();
- if (nd instanceof Document) {
- nd = ((Document)nd).getDocumentElement();
- }
- return (RequestType)OpenSAMLUtil.fromDom((Element)nd);
- } catch (Exception e) {
- throw new RuntimeException("Error converting pdp response to ResponseType", e);
- }
- }
-
- private Source responseType2Source(ResponseType response) {
- Document doc = DOMUtils.createDocument();
- Element responseElement;
- try {
- responseElement = OpenSAMLUtil.toDom(response, doc);
- } catch (WSSecurityException e) {
- throw new RuntimeException("Error converting PDP RequestType to Dom", e);
- }
- return new DOMSource(responseElement);
- }
-
- private ResponseType createResponse(DECISION decision) {
- XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<ResponseType> responseTypeBuilder =
- (XACMLObjectBuilder<ResponseType>)
- builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<ResultType> resultTypeBuilder =
- (XACMLObjectBuilder<ResultType>)
- builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<DecisionType> decisionTypeBuilder =
- (XACMLObjectBuilder<DecisionType>)
- builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<StatusType> statusTypeBuilder =
- (XACMLObjectBuilder<StatusType>)
- builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
-
- @SuppressWarnings("unchecked")
- XACMLObjectBuilder<StatusCodeType> statusCodeTypeBuilder =
- (XACMLObjectBuilder<StatusCodeType>)
- builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
-
- ResultType result = resultTypeBuilder.buildObject();
-
- DecisionType decisionType = decisionTypeBuilder.buildObject();
- decisionType.setDecision(decision);
- result.setDecision(decisionType);
-
- StatusType status = statusTypeBuilder.buildObject();
- StatusCodeType statusCode = statusCodeTypeBuilder.buildObject();
- statusCode.setValue("urn:oasis:names:tc:xacml:1.0:status:ok");
- status.setStatusCode(statusCode);
- result.setStatus(status);
-
- ResponseType response = responseTypeBuilder.buildObject();
- response.getResults().add(result);
- return response;
- }
-
- private String getSubjectRole(RequestType request) {
- List<SubjectType> subjects = request.getSubjects();
- if (subjects != null) {
- for (SubjectType subject : subjects) {
- List<AttributeType> attributes = subject.getAttributes();
- if (attributes != null) {
- for (AttributeType attribute : attributes) {
- if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeId())) {
- return attribute.getAttributeValues().get(0).getValue();
- }
- }
- }
- }
- }
- return null;
- }
-
-}