Posted to commits@ws.apache.org by co...@apache.org on 2019/11/06 16:41:55 UTC

[ws-wss4j] branch master updated (68285b9 -> 04067f1)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git.


    from 68285b9  Updating website
     new 51386f6  Adding some more SAML tests
     new 04067f1  WSS-658 - Enable signature confirmation for signed SAML tokens

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../wss4j/dom/action/SAMLTokenSignedAction.java    |  5 ++
 .../wss4j/dom/action/SAMLTokenUnsignedAction.java  |  5 ++
 .../wss4j/dom/processor/SAMLTokenProcessor.java    |  1 +
 .../dom/common/AbstractSAMLCallbackHandler.java    |  9 +++
 .../wss4j/dom/common/SAML1CallbackHandler.java     |  1 +
 .../wss4j/dom/common/SAML2CallbackHandler.java     |  1 +
 .../dom/handler/SignatureConfirmationTest.java     | 71 ++++++++++++++++++
 .../apache/wss4j/dom/saml/SamlTokenActionTest.java | 87 +++++++++++++++++++++-
 8 files changed, 176 insertions(+), 4 deletions(-)


[ws-wss4j] 01/02: Adding some more SAML tests

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git

commit 51386f6d71e0016d50ffa428b93470d99c0a6daf
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Nov 6 15:22:59 2019 +0000

    Adding some more SAML tests
---
 .../dom/common/AbstractSAMLCallbackHandler.java    |  9 +++
 .../wss4j/dom/common/SAML1CallbackHandler.java     |  1 +
 .../wss4j/dom/common/SAML2CallbackHandler.java     |  1 +
 .../apache/wss4j/dom/saml/SamlTokenActionTest.java | 87 +++++++++++++++++++++-
 4 files changed, 94 insertions(+), 4 deletions(-)

diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/AbstractSAMLCallbackHandler.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/AbstractSAMLCallbackHandler.java
index a64ecba..50b1dd7 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/AbstractSAMLCallbackHandler.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/AbstractSAMLCallbackHandler.java
@@ -85,6 +85,15 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
     private Element assertionAdviceElement;
     private Element keyInfoElement;
     protected NameIDBean subjectConfirmationNameID;
+    protected boolean signAssertion;
+
+    public boolean isSignAssertion() {
+        return signAssertion;
+    }
+
+    public void setSignAssertion(boolean signAssertion) {
+        this.signAssertion = signAssertion;
+    }
 
     public void setSubjectName(String subjectName) {
         this.subjectName = subjectName;
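Review bot: The new `signAssertion` field is `protected` while it also gets public accessors, so there are now two access paths to the same state; the subclass hunks in SAML1CallbackHandler and SAML2CallbackHandler read the field directly (`callback.setSignAssertion(signAssertion);`) instead of going through `isSignAssertion()`. Declaring it `private boolean signAssertion;` and having both subclasses call `callback.setSignAssertion(isSignAssertion());` keeps one path and matches the other fields in this class, which are private with setters. A one-line comment on the field would also help other test authors, e.g. `// when true, the created SAMLCallback requests that the assertion itself be signed with the issuer key`. The enclosing class starts outside the hunk.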
diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML1CallbackHandler.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML1CallbackHandler.java
index c829f8f..a763756 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML1CallbackHandler.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML1CallbackHandler.java
@@ -90,6 +90,7 @@ public class SAML1CallbackHandler extends AbstractSAMLCallbackHandler {
                     }
                 }
                 createAndSetStatement(subjectBean, callback);
+                callback.setSignAssertion(signAssertion);
             } else {
                 throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
             }
diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML2CallbackHandler.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML2CallbackHandler.java
index c554d9b..db12510 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML2CallbackHandler.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML2CallbackHandler.java
@@ -95,6 +95,7 @@ public class SAML2CallbackHandler extends AbstractSAMLCallbackHandler {
                 }
                 callback.setSubject(subjectBean);
                 createAndSetStatement(null, callback);
+                callback.setSignAssertion(signAssertion);
             } else {
                 throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
             }
diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenActionTest.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenActionTest.java
index f881986..805ae90 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenActionTest.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenActionTest.java
@@ -29,16 +29,19 @@ import org.w3c.dom.Document;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.common.CustomHandler;
 import org.apache.wss4j.dom.common.CustomSamlAssertionValidator;
 import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
 import org.apache.wss4j.dom.common.SAML1CallbackHandler;
+import org.apache.wss4j.dom.common.SAML2CallbackHandler;
 import org.apache.wss4j.dom.common.SOAPUtil;
 import org.apache.wss4j.dom.common.SecurityTestUtil;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.wss4j.dom.engine.WSSecurityEngine;
+import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.HandlerAction;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
@@ -46,6 +49,8 @@ import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
@@ -103,7 +108,14 @@ public class SamlTokenActionTest {
             LOG.debug(outputString);
         }
 
-        verify(doc, callbackHandler);
+        WSHandlerResult results = verify(doc, callbackHandler);
+        WSSecurityEngineResult actionResult =
+            results.getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
+
+        SamlAssertionWrapper receivedSamlAssertion =
+            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertNotNull(receivedSamlAssertion);
+        assertFalse(receivedSamlAssertion.isSigned());
     }
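Review bot: The eight-line lookup-and-assert block added here is repeated verbatim in the three following hunks of this file and again in the new testSignedSAML2AssertionAction, differing only in the action constant and the expected `isSigned()` value. It also dereferences `results.getActionResults().get(WSConstants.ST_UNSIGNED).get(0)` directly, so a missing result fails with a NullPointerException instead of a readable assertion. A small private helper would remove the duplication and give a clear failure; it needs `assertEquals` added to the static imports.
```java
    private SamlAssertionWrapper assertReceivedAssertion(
        WSHandlerResult results, int action, boolean expectSigned
    ) {
        List<WSSecurityEngineResult> actionResults = results.getActionResults().get(action);
        assertNotNull(actionResults, "no result for action " + action);
        WSSecurityEngineResult actionResult = actionResults.get(0);

        SamlAssertionWrapper receivedSamlAssertion =
            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        assertNotNull(receivedSamlAssertion);
        assertEquals(expectSigned, receivedSamlAssertion.isSigned());
        return receivedSamlAssertion;
    }
```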
 
     @Test
@@ -139,7 +151,14 @@ public class SamlTokenActionTest {
             LOG.debug(outputString);
         }
 
-        verify(doc, callbackHandler);
+        WSHandlerResult results = verify(doc, callbackHandler);
+        WSSecurityEngineResult actionResult =
+            results.getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
+
+        SamlAssertionWrapper receivedSamlAssertion =
+            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertNotNull(receivedSamlAssertion);
+        assertFalse(receivedSamlAssertion.isSigned());
     }
 
 
@@ -157,6 +176,7 @@ public class SamlTokenActionTest {
         samlCallbackHandler.setIssuerCrypto(crypto);
         samlCallbackHandler.setIssuerName("wss40");
         samlCallbackHandler.setIssuerPassword("security");
+        samlCallbackHandler.setSignAssertion(true);
 
         java.util.Map<String, Object> config = new java.util.TreeMap<>();
         config.put(WSHandlerConstants.PW_CALLBACK_REF, callbackHandler);
@@ -177,7 +197,14 @@ public class SamlTokenActionTest {
             LOG.debug(outputString);
         }
 
-        verify(doc, callbackHandler);
+        WSHandlerResult results = verify(doc, callbackHandler);
+        WSSecurityEngineResult actionResult =
+            results.getActionResults().get(WSConstants.ST_SIGNED).get(0);
+
+        SamlAssertionWrapper receivedSamlAssertion =
+            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertNotNull(receivedSamlAssertion);
+        assertTrue(receivedSamlAssertion.isSigned());
     }
 
     @Test
@@ -216,7 +243,59 @@ public class SamlTokenActionTest {
             LOG.debug(outputString);
         }
 
-        verify(doc, callbackHandler);
+        WSHandlerResult results = verify(doc, callbackHandler);
+        WSSecurityEngineResult actionResult =
+            results.getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
+
+        SamlAssertionWrapper receivedSamlAssertion =
+            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertNotNull(receivedSamlAssertion);
+        assertFalse(receivedSamlAssertion.isSigned());
+    }
+
+    @Test
+    public void testSignedSAML2AssertionAction() throws Exception {
+        final WSSConfig cfg = WSSConfig.getNewInstance();
+        final RequestData reqData = new RequestData();
+        reqData.setWssConfig(cfg);
+        reqData.setUsername("wss40");
+
+        CallbackHandler callbackHandler = new KeystoreCallbackHandler();
+
+        SAML2CallbackHandler samlCallbackHandler = new SAML2CallbackHandler();
+        samlCallbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        samlCallbackHandler.setIssuer("www.example.com");
+        samlCallbackHandler.setSignAssertion(true);
+        samlCallbackHandler.setIssuerCrypto(crypto);
+        samlCallbackHandler.setIssuerName("wss40");
+        samlCallbackHandler.setIssuerPassword("security");
+
+        java.util.Map<String, Object> config = new java.util.TreeMap<>();
+        config.put(WSHandlerConstants.SAML_CALLBACK_REF, samlCallbackHandler);
+        reqData.setMsgContext(config);
+
+        final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        CustomHandler handler = new CustomHandler();
+        HandlerAction action = new HandlerAction(WSConstants.ST_UNSIGNED);
+        handler.send(
+            doc,
+            reqData,
+            Collections.singletonList(action),
+            true
+        );
+        if (LOG.isDebugEnabled()) {
+            String outputString = XMLUtils.prettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+
+        WSHandlerResult results = verify(doc, callbackHandler);
+        WSSecurityEngineResult actionResult =
+            results.getActionResults().get(WSConstants.ST_SIGNED).get(0);
+
+        SamlAssertionWrapper receivedSamlAssertion =
+            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertNotNull(receivedSamlAssertion);
+        assertTrue(receivedSamlAssertion.isSigned());
     }
 
     private WSHandlerResult verify(
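Review bot: testSignedSAML2AssertionAction sends with `new HandlerAction(WSConstants.ST_UNSIGNED)` but configures the callback handler with `setSignAssertion(true)` and then expects the receiver to file the token under `WSConstants.ST_SIGNED`; that asymmetry is the whole point of the test, but nothing in the method says so, and the name suggests the ST_SIGNED action is used. A Javadoc such as `/** Sends a SAML 2 assertion via the ST_UNSIGNED action while the callback handler signs the assertion itself, and checks that the receiver reports it as ST_SIGNED because the assertion carries its own signature. */` would make the intent explicit. The hunk ends on the first line of `verify`, whose body lies outside the hunk.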


[ws-wss4j] 02/02: WSS-658 - Enable signature confirmation for signed SAML tokens

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git

commit 04067f19e8d6149f298cce0a97f3ca94391b6e6f
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Nov 6 16:38:59 2019 +0000

    WSS-658 - Enable signature confirmation for signed SAML tokens
---
 .../wss4j/dom/action/SAMLTokenSignedAction.java    |  5 ++
 .../wss4j/dom/action/SAMLTokenUnsignedAction.java  |  5 ++
 .../wss4j/dom/processor/SAMLTokenProcessor.java    |  1 +
 .../dom/handler/SignatureConfirmationTest.java     | 71 ++++++++++++++++++++++
 4 files changed, 82 insertions(+)

diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
index 6dc7366..edf8493 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
@@ -129,7 +129,12 @@ public class SAMLTokenSignedAction implements Action {
                     samlCallback.getIssuerCrypto(),
                     samlCallback.getIssuerKeyName(),
                     samlCallback.getIssuerKeyPassword());
+
             reqData.getSignatureValues().add(wsSign.getSignatureValue());
+            byte[] signatureValue = samlAssertion.getSignatureValue();
+            if (signatureValue != null) {
+                reqData.getSignatureValues().add(signatureValue);
+            }
         } catch (WSSecurityException e) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty",
                                           new Object[] {"Error when signing the SAML token: "});
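Review bot: Two distinct signature values now go into `reqData.getSignatureValues()` here, and nothing says why; a comment would save the next reader a trip to WSS-658, e.g. `// Both the message signature made with the token key and, when the issuer signed it, the assertion's own signature must be confirmed by the responder (WSS-658).` The guarded add of `samlAssertion.getSignatureValue()` is also duplicated verbatim in the SAMLTokenUnsignedAction hunk; a shared helper on the common base or in a utility would keep the two actions from drifting. Presumably the responder-side check compares every value in this list against the received SignatureConfirmation elements (that code is outside the hunk), so a requester that signs its assertion with signature confirmation enabled will from now on reject responders that do not echo the assertion's signature, which is worth a line in the WSS-658 notes. The enclosing try block starts outside the hunk.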
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
index 6ce7af9..f7cc633 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
@@ -69,5 +69,10 @@ public class SAMLTokenUnsignedAction implements Action {
 
         // add the SAMLAssertion Token to the SOAP Envelope
         builder.build(samlAssertion);
+
+        byte[] signatureValue = samlAssertion.getSignatureValue();
+        if (signatureValue != null) {
+            reqData.getSignatureValues().add(signatureValue);
+        }
     }
 }
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
index 44b807f..3bbf47e 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SAMLTokenProcessor.java
@@ -118,6 +118,7 @@ public class SAMLTokenProcessor implements Processor {
         if (samlAssertion.isSigned()) {
             result = new WSSecurityEngineResult(WSConstants.ST_SIGNED, samlAssertion);
             result.put(WSSecurityEngineResult.TAG_DATA_REF_URIS, dataRefs);
+            result.put(WSSecurityEngineResult.TAG_SIGNATURE_VALUE, samlAssertion.getSignatureValue());
         } else {
             result = new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, samlAssertion);
         }
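Review bot: `samlAssertion.getSignatureValue()` is stored unguarded here, while both action hunks in this commit null-check the same call before using it; if the value can be null for a signed assertion, a `TAG_SIGNATURE_VALUE` → null entry lands in the result and whatever later builds the SignatureConfirmation from it (outside this hunk) has to cope. Either guard consistently, `byte[] sigValue = samlAssertion.getSignatureValue(); if (sigValue != null) { result.put(WSSecurityEngineResult.TAG_SIGNATURE_VALUE, sigValue); }`, or add a comment stating that a signed assertion reaching this point always has a signature value and why. The enclosing method continues outside the hunk.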
diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/handler/SignatureConfirmationTest.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/handler/SignatureConfirmationTest.java
index a2f37c4..998b21a 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/handler/SignatureConfirmationTest.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/handler/SignatureConfirmationTest.java
@@ -30,10 +30,12 @@ import org.apache.wss4j.common.bsp.BSPRule;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.common.CustomHandler;
 import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
+import org.apache.wss4j.dom.common.SAML2CallbackHandler;
 import org.apache.wss4j.dom.common.SOAPUtil;
 import org.apache.wss4j.dom.common.SecurityTestUtil;
 import org.apache.wss4j.dom.engine.WSSecurityEngine;
@@ -372,6 +374,75 @@ public class SignatureConfirmationTest {
         assertFalse(outputString.contains("Value"));
     }
 
+    @SuppressWarnings("unchecked")
+    @Test
+    public void
+    testSAMLSignatureConfirmationProcessing() throws Exception {
+        final RequestData reqData = new RequestData();
+
+        SAML2CallbackHandler samlCallbackHandler = new SAML2CallbackHandler();
+        samlCallbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        samlCallbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        samlCallbackHandler.setIssuer("www.example.com");
+        samlCallbackHandler.setSignAssertion(true);
+        samlCallbackHandler.setIssuerCrypto(crypto);
+        samlCallbackHandler.setIssuerName("16c73ab6-b892-458f-abf5-2f875f74882e");
+        samlCallbackHandler.setIssuerPassword("security");
+
+        java.util.Map<String, Object> msgContext = new java.util.TreeMap<>();
+        msgContext.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "true");
+        msgContext.put(WSHandlerConstants.SAML_CALLBACK_REF, samlCallbackHandler);
+        reqData.setMsgContext(msgContext);
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        CustomHandler handler = new CustomHandler();
+        HandlerAction action = new HandlerAction(WSConstants.ST_UNSIGNED);
+        handler.send(
+            doc,
+            reqData,
+            Collections.singletonList(action),
+            true
+        );
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("After Signing....");
+            String outputString =
+                XMLUtils.prettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+
+        //
+        // Verify the inbound request, and create a response with a Signature Confirmation
+        //
+        WSHandlerResult results = verify(doc);
+        doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        msgContext = (java.util.Map<String, Object>)reqData.getMsgContext();
+        List<WSHandlerResult> receivedResults = new ArrayList<>();
+        receivedResults.add(results);
+        msgContext.put(WSHandlerConstants.RECV_RESULTS, receivedResults);
+        handler.send(
+            doc,
+            reqData,
+            Collections.singletonList(new HandlerAction(WSConstants.NO_SECURITY)),
+            false
+        );
+        String outputString =
+            XMLUtils.prettyDocumentToString(doc);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Signature Confirmation response....");
+            LOG.debug(outputString);
+        }
+
+        //
+        // Verify the SignatureConfirmation response
+        //
+        results = verify(doc);
+        WSSecurityEngineResult scResult =
+            results.getActionResults().get(WSConstants.SC).get(0);
+        assertNotNull(scResult);
+        assertNotNull(scResult.get(WSSecurityEngineResult.TAG_SIGNATURE_CONFIRMATION));
+        handler.signatureConfirmation(reqData, results);
+    }
+
     /**
      * Verifies the soap envelope
      * <p/>