From cohei...@apache.org
Subject svn commit: r1088625 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/sam...
Date Mon, 04 Apr 2011 13:48:35 GMT
Author: coheigea
Date: Mon Apr  4 13:48:35 2011
New Revision: 1088625

URL: http://svn.apache.org/viewvc?rev=1088625&view=rev
Log:
[CXF-3432] - Added support for sending signed SAML Assertions via WS-SecurityPolicy
 - Added a symmetric and asymmetric binding tests to the systests.

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
    cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Mon Apr  4 13:48:35 2011
@@ -144,10 +144,10 @@ public abstract class AbstractBindingBui
     
     protected Set<String> encryptedTokensIdList = new HashSet<String>();
 
-    protected Map<Token, WSSecBase> endEncSuppTokMap;
-    protected Map<Token, WSSecBase> endSuppTokMap;
-    protected Map<Token, WSSecBase> sgndEndEncSuppTokMap;
-    protected Map<Token, WSSecBase> sgndEndSuppTokMap;
+    protected Map<Token, Object> endEncSuppTokMap;
+    protected Map<Token, Object> endSuppTokMap;
+    protected Map<Token, Object> sgndEndEncSuppTokMap;
+    protected Map<Token, Object> sgndEndSuppTokMap;
     
     protected List<byte[]> signatures = new ArrayList<byte[]>();
 
@@ -198,7 +198,7 @@ public abstract class AbstractBindingBui
         lastEncryptedKeyElement = el;
     }
     
-    protected void addEncyptedKeyElement(Element el) {
+    protected void addEncryptedKeyElement(Element el) {
         if (lastEncryptedKeyElement != null) {
             insertAfter(el, lastEncryptedKeyElement);
         } else if (lastDerivedKeyElement != null) {
@@ -435,11 +435,11 @@ public abstract class AbstractBindingBui
         }
     }
     
-    protected Map<Token, WSSecBase> handleSupportingTokens(
+    protected Map<Token, Object> handleSupportingTokens(
         Collection<Assertion> tokens, 
         boolean endorse
     ) throws WSSecurityException {
-        Map<Token, WSSecBase> ret = new HashMap<Token, WSSecBase>();
+        Map<Token, Object> ret = new HashMap<Token, Object>();
         if (tokens != null) {
             for (Assertion pa : tokens) {
                 if (pa instanceof SupportingToken) {
@@ -450,17 +450,17 @@ public abstract class AbstractBindingBui
         return ret;
     }
     
-    protected Map<Token, WSSecBase> handleSupportingTokens(
+    protected Map<Token, Object> handleSupportingTokens(
         SupportingToken suppTokens,
         boolean endorse
     ) throws WSSecurityException {
-        return handleSupportingTokens(suppTokens, endorse, new HashMap<Token, WSSecBase>());
+        return handleSupportingTokens(suppTokens, endorse, new HashMap<Token, Object>());
     }
     
-    protected Map<Token, WSSecBase> handleSupportingTokens(
+    protected Map<Token, Object> handleSupportingTokens(
         SupportingToken suppTokens, 
         boolean endorse,
-        Map<Token, WSSecBase> ret
+        Map<Token, Object> ret
     ) throws WSSecurityException {
         if (suppTokens == null) {
             return ret;
@@ -560,7 +560,7 @@ public abstract class AbstractBindingBui
                 AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
                 if (assertionWrapper != null) {
                     addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
-                    // TODO ret.put(token, utBuilder);
+                    ret.put(token, assertionWrapper);
                 }
             }
         }
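Review bot: The wrapper is stored in `ret` regardless of the `endorse` flag, so the maps built for Endorsing and SignedEndorsing supporting tokens can now hold an `AssertionWrapper`, while the only consumer of those maps visible in this commit, `doEndorsedSignatures`, casts every value to `WSSecBase`. Unless SAML tokens are filtered out of the endorsing path somewhere outside this hunk, a policy that lists a SamlToken as an endorsing token would fail with a ClassCastException rather than an unasserted policy. A guard here keeps the unsupported case explicit: `if (endorse) { policyNotAsserted(token, "Endorsing SAML tokens are not supported"); } else { ret.put(token, assertionWrapper); }`. The enclosing handleSupportingTokens method starts and ends outside this hunk.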
@@ -583,10 +583,10 @@ public abstract class AbstractBindingBui
         return st;
     }
 
-    protected void addSignatureParts(Map<Token, WSSecBase> tokenMap,
+    protected void addSignatureParts(Map<Token, Object> tokenMap,
                                        List<WSEncryptionPart> sigParts) {
         
-        for (Map.Entry<Token, WSSecBase> entry : tokenMap.entrySet()) {
+        for (Map.Entry<Token, Object> entry : tokenMap.entrySet()) {
             
             Object tempTok = entry.getValue();
             WSEncryptionPart part = null;
@@ -613,6 +613,18 @@ public abstract class AbstractBindingBui
                 WSSecUsernameToken unt = (WSSecUsernameToken)tempTok;
                 part = new WSEncryptionPart(unt.getId());
                 part.setElement(unt.getUsernameTokenElement());
+            } else if (tempTok instanceof AssertionWrapper) {
+                AssertionWrapper assertionWrapper = (AssertionWrapper)tempTok;
+                part = new WSEncryptionPart(assertionWrapper.getId());
+                part.setElement(assertionWrapper.getElement());
+                
+                // TODO We only support using a KeyIdentifier for the moment
+                SecurityTokenReference secRef = 
+                    createSTRForSamlAssertion(assertionWrapper, false);
+                addSupportingElement(secRef.getElement());
+                part = new WSEncryptionPart("STRTransform", null, "Element");
+                part.setId(secRef.getID());
+                part.setElement(secRef.getElement());
             } else {
                 policyNotAsserted(entry.getKey(), "UnsupportedTokenInSupportingToken: " +
tempTok);  
             }
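Review bot: The `WSEncryptionPart` built from `assertionWrapper.getId()` on the first two added lines is dead: `part` is reassigned to the STRTransform part before it is ever added, so the assertion element itself is never listed as a signed part. If that is intentional (the assertion is covered only indirectly, through the STR-Transform over the KeyIdentifier that names it), drop the two dead lines and say so: `// The assertion is not signed directly; the signature covers the STR, which STR-Transform dereferences to the assertion`. If the intent was to sign both the assertion and the STR, the first part has to go into `sigParts` before `part` is reused. The statement that adds `part` to `sigParts` lies outside this hunk.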
@@ -621,6 +633,52 @@ public abstract class AbstractBindingBui
             }
         }
     }
+    
+    /**
+     * Create a SecurityTokenReference to point to a SAML Assertion
+     * @param assertion the SAML AssertionWrapper
+     * @param useDirectReferenceToAssertion whether to refer directly to the assertion or
not
+     * @return a SecurityTokenReference to a SAML Assertion
+     */
+    private SecurityTokenReference createSTRForSamlAssertion(
+        AssertionWrapper assertion,
+        boolean useDirectReferenceToAssertion
+    ) {
+        Document doc = assertion.getElement().getOwnerDocument();
+        SecurityTokenReference secRefSaml = new SecurityTokenReference(doc);
+        String secRefID = wssConfig.getIdAllocator().createSecureId("STRSAMLId-", secRefSaml);
+        secRefSaml.setID(secRefID);
+
+        if (useDirectReferenceToAssertion) {
+            org.apache.ws.security.message.token.Reference ref = 
+                new org.apache.ws.security.message.token.Reference(doc);
+            ref.setURI("#" + assertion.getId());
+            if (assertion.getSaml1() != null) {
+                ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+                secRefSaml.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
+            } else if (assertion.getSaml2() != null) {
+                secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+            }
+            secRefSaml.setReference(ref);
+        } else {
+            Element keyId = doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier");
+            String valueType = null;
+            if (assertion.getSaml1() != null) {
+                valueType = WSConstants.WSS_SAML_KI_VALUE_TYPE;
+                secRefSaml.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
+            } else if (assertion.getSaml2() != null) {
+                valueType = WSConstants.WSS_SAML2_KI_VALUE_TYPE;
+                secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+            }
+            keyId.setAttributeNS(
+                null, "ValueType", valueType
+            );
+            keyId.appendChild(doc.createTextNode(assertion.getId()));
+            Element elem = secRefSaml.getElement();
+            elem.appendChild(keyId);
+        }
+        return secRefSaml;
+    }
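Review bot: In the KeyIdentifier branch `valueType` and the TokenType stay null when the wrapper holds neither a SAML 1.1 nor a SAML 2.0 assertion, and the method then calls `setAttributeNS(null, "ValueType", null)` and returns an STR that does not identify the token type; depending on the DOM implementation that is an NPE or a KeyIdentifier with an unusable ValueType that the receiver cannot resolve. A guard after the two branches makes the failure explicit: `if (valueType == null) { throw new IllegalArgumentException("AssertionWrapper holds neither a SAML 1.1 nor a SAML 2.0 assertion"); }`. The same missing-TokenType gap exists on the direct-reference branch, which no call site in this commit exercises (the only caller passes `false`), so that path is currently untested.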
 
     protected WSSecUsernameToken addUsernameToken(UsernameToken token) {
         AssertionInfo info = null;
@@ -1443,12 +1501,12 @@ public abstract class AbstractBindingBui
         return sig;
     }
 
-    protected void doEndorsedSignatures(Map<Token, WSSecBase> tokenMap,
+    protected void doEndorsedSignatures(Map<Token, Object> tokenMap,
                                         boolean isTokenProtection,
                                         boolean isSigProtect) {
         
-        for (Map.Entry<Token, WSSecBase> ent : tokenMap.entrySet()) {
-            WSSecBase tempTok = ent.getValue();
+        for (Map.Entry<Token, Object> ent : tokenMap.entrySet()) {
+            WSSecBase tempTok = (WSSecBase)ent.getValue();
             
             List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
             WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId);
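Review bot: The new `(WSSecBase)` cast is unchecked, while the same commit starts putting `AssertionWrapper` values into the supporting-token maps (the `ret.put(token, assertionWrapper)` added in handleSupportingTokens), so an endorsing SAML token would surface here as a ClassCastException instead of an unasserted policy. Check the value type before casting and report unsupported tokens through `policyNotAsserted`, the way addSignatureParts does for its unknown-token case. The loop body continues outside this hunk.
```java
        for (Map.Entry<Token, Object> ent : tokenMap.entrySet()) {
            Object tokenBuilder = ent.getValue();
            if (!(tokenBuilder instanceof WSSecBase)) {
                // Only WSSecBase builders can produce an endorsing signature; a SAML wrapper cannot
                policyNotAsserted(ent.getKey(), "UnsupportedTokenInEndorsingSupportingToken: " + tokenBuilder);
                continue;
            }
            WSSecBase tempTok = (WSSecBase)tokenBuilder;
            // … unchanged: build sigParts and perform the endorsing signature …
```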
@@ -1651,7 +1709,7 @@ public abstract class AbstractBindingBui
         Collection<Assertion> sgndSuppTokens = 
             findAndAssertPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS);
         
-        Map<Token, WSSecBase> sigSuppTokMap = this.handleSupportingTokens(sgndSuppTokens,
false);           
+        Map<Token, Object> sigSuppTokMap = this.handleSupportingTokens(sgndSuppTokens,
false);           
         
         Collection<Assertion> endSuppTokens = 
             findAndAssertPolicy(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
@@ -1664,7 +1722,7 @@ public abstract class AbstractBindingBui
         
         Collection<Assertion> sgndEncryptedSuppTokens 
             = findAndAssertPolicy(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
-        Map<Token, WSSecBase> sgndEncSuppTokMap 
+        Map<Token, Object> sgndEncSuppTokMap 
             = this.handleSupportingTokens(sgndEncryptedSuppTokens, false);
         
         Collection<Assertion> endorsingEncryptedSuppTokens 

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Mon Apr  4 13:48:35 2011
@@ -120,7 +120,7 @@ public class AsymmetricBindingHandler ex
                                     == inclusion)) {
                             
                             Element el = secToken.getToken();
-                            this.addEncyptedKeyElement(cloneElement(el));
+                            this.addEncryptedKeyElement(cloneElement(el));
                             attached = true;
                         } 
                     }
@@ -210,7 +210,7 @@ public class AsymmetricBindingHandler ex
                                 == inclusion)) {
                         
                         Element el = secToken.getToken();
-                        this.addEncyptedKeyElement(cloneElement(el));
+                        this.addEncryptedKeyElement(cloneElement(el));
                         attached = true;
                     } 
                 }
@@ -381,7 +381,7 @@ public class AsymmetricBindingHandler ex
                         // Add internal refs
                         encryptedKeyElement.appendChild(refList);
                     }
-                    this.addEncyptedKeyElement(encryptedKeyElement);
+                    this.addEncryptedKeyElement(encryptedKeyElement);
                     return encr;
                 } catch (WSSecurityException e) {
                     policyNotAsserted(recToken, e.getMessage());
@@ -580,7 +580,7 @@ public class AsymmetricBindingHandler ex
         }
         
         // Add the EncryptedKey
-        this.addEncyptedKeyElement(encrKey.getEncryptedKeyElement());
+        this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement());
         encryptedKeyValue = encrKey.getEphemeralKey();
         encryptedKeyId = encrKey.getId();
         

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Mon Apr  4 13:48:35 2011
@@ -185,11 +185,11 @@ public class SymmetricBindingHandler ext
                             == encryptionToken.getInclusion())) {
                     
                     Element el = tok.getToken();
-                    this.addEncyptedKeyElement(cloneElement(el));
+                    this.addEncryptedKeyElement(cloneElement(el));
                     attached = true;
                 } else if (encryptionToken instanceof X509Token && isRequestor())
{
                     Element el = tok.getToken();
-                    this.addEncyptedKeyElement(cloneElement(el));
+                    this.addEncryptedKeyElement(cloneElement(el));
                     attached = true;
                 }
                 
@@ -307,12 +307,12 @@ public class SymmetricBindingHandler ext
                 
                 Element el = sigTok.getToken();
                 sigTokElem = cloneElement(el);
-                this.addEncyptedKeyElement((Element)sigTokElem);
+                this.addEncryptedKeyElement((Element)sigTokElem);
             } else if (isRequestor() && sigToken instanceof X509Token) {
                 Element el = sigTok.getToken();
                 sigTokElem = (Element)secHeader.getSecurityHeader().getOwnerDocument()
                         .importNode(el, true);
-                this.addEncyptedKeyElement((Element)sigTokElem);
+                this.addEncryptedKeyElement((Element)sigTokElem);
             } else {
                 tokIncluded = false;
             }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Mon Apr  4 13:48:35 2011
@@ -41,6 +41,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.Header;
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.cxf.ws.security.policy.model.KeyValueToken;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
 import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
 import org.apache.cxf.ws.security.policy.model.SupportingToken;
@@ -63,6 +64,7 @@ import org.apache.ws.security.message.WS
 import org.apache.ws.security.message.WSSecSignature;
 import org.apache.ws.security.message.WSSecTimestamp;
 import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
 
 /**
  * 
@@ -80,11 +82,11 @@ public class TransportBindingHandler ext
         this.tbinding = binding;
     }
     
-    private void addUsernameTokens(SupportingToken sgndSuppTokens) {
+    private void addSignedSupportingTokens(SupportingToken sgndSuppTokens) 
+        throws Exception {
         for (Token token : sgndSuppTokens.getTokens()) {
             if (token instanceof UsernameToken) {
-                WSSecUsernameToken utBuilder = 
-                    addUsernameToken((UsernameToken)token);
+                WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken)token);
                 if (utBuilder != null) {
                     utBuilder.prepare(saaj.getSOAPPart());
                     utBuilder.appendToHeader(secHeader);
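Review bot: `throws Exception` on the renamed private method is broader than anything visible justifies: the sibling handleSupportingTokens in AbstractBindingBuilder declares only `WSSecurityException`, and that is presumably what addSamlToken and addUsernameToken throw. Declaring `throws WSSecurityException` instead keeps callers from having to catch or propagate a bare Exception and documents the failure mode. Since the new name no longer says which token types are handled, a one-line Javadoc would help: `/** Adds each UsernameToken or SamlToken listed in the given (Signed)SupportingTokens assertion to the security header. */`. The method body continues outside this hunk.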
@@ -100,7 +102,12 @@ public class TransportBindingHandler ext
                         && isRequestor())) {
                   
                     //Add the token
-                    addEncyptedKeyElement(cloneElement(secTok.getToken()));
+                    addEncryptedKeyElement(cloneElement(secTok.getToken()));
+                }
+            } else if (token instanceof SamlToken) {
+                AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+                if (assertionWrapper != null) {
+                    addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
                 }
             } else {
                 //REVISIT - not supported for signed.  Exception?
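Review bot: The new SamlToken branch places the assertion in the header via `addSupportingElement` but records nothing about it; unlike the UsernameToken branch it neither prepares a builder nor yields a signature part, so in this binding the assertion is protected only by the transport and by whatever signature the assertion itself carries. That looks intentional for a TransportBinding, but it is worth stating at the branch so nobody later assumes a message-level signature covers it: `// TransportBinding: the assertion is protected by TLS only; no message-level signature part is recorded for it`. The `else` branch still carries the pre-existing `REVISIT` for other token types; the enclosing method starts and ends outside this hunk.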
@@ -141,7 +148,7 @@ public class TransportBindingHandler ext
                                 == inclusion)) {
                             
                             Element el = secToken.getToken();
-                            addEncyptedKeyElement(cloneElement(el));
+                            addEncryptedKeyElement(cloneElement(el));
                         } 
                     }
                 }
@@ -150,14 +157,13 @@ public class TransportBindingHandler ext
 
                 ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
                 if (ais != null) {
-                    SupportingToken sgndSuppTokens = null;
                     for (AssertionInfo ai : ais) {
-                        sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                        SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                        if (sgndSuppTokens != null) {
+                            addSignedSupportingTokens(sgndSuppTokens);
+                        }
                         ai.setAsserted(true);
                     }
-                    if (sgndSuppTokens != null) {
-                        addUsernameTokens(sgndSuppTokens);
-                    }
                 }
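Review bot: Moving the addSignedSupportingTokens call inside the loop fixes the old behaviour of only honouring the last AssertionInfo, but `ai.setAsserted(true)` still runs unconditionally, including when addSignedSupportingTokens reaches its `//REVISIT - not supported for signed` branch for a token type it does not add. A policy that requires a signed supporting token the handler cannot produce is therefore reported as asserted with nothing in the header. Consider asserting only after the tokens were actually handled, e.g. have addSignedSupportingTokens return a boolean and call `ai.setAsserted(handled)`, or call `policyNotAsserted` from the unsupported branch. The same pattern recurs in the SignedEncryptedSupportingTokens hunk below.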
                 ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
                 if (ais != null) {
@@ -187,14 +193,13 @@ public class TransportBindingHandler ext
                 }
                 ais = aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
                 if (ais != null) {
-                    SupportingToken sgndSuppTokens = null;
                     for (AssertionInfo ai : ais) {
-                        sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                        SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                        if (sgndSuppTokens != null) {
+                            addSignedSupportingTokens(sgndSuppTokens);
+                        }
                         ai.setAsserted(true);
                     }
-                    if (sgndSuppTokens != null) {
-                        addUsernameTokens(sgndSuppTokens);
-                    }
                 }
                 
                 ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
@@ -225,15 +230,14 @@ public class TransportBindingHandler ext
                 }
                 ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
                 if (ais != null) {
-                    SupportingToken suppTokens = null;
                     for (AssertionInfo ai : ais) {
-                        suppTokens = (SupportingToken)ai.getAssertion();
+                        SupportingToken suppTokens = (SupportingToken)ai.getAssertion();
+                        if (suppTokens != null && suppTokens.getTokens() != null

+                            && suppTokens.getTokens().size() > 0) {
+                            handleSupportingTokens(suppTokens, false);
+                        }
                         ai.setAsserted(true);
                     }
-                    if (suppTokens != null && suppTokens.getTokens() != null 
-                        && suppTokens.getTokens().size() > 0) {
-                        handleSupportingTokens(suppTokens, false);
-                    }
                 }
 
             } else {
@@ -354,7 +358,7 @@ public class TransportBindingHandler ext
                 //sigParts.add(new WSEncryptionPart(id));                          
             }
             
-            addEncyptedKeyElement(el);
+            addEncryptedKeyElement(el);
             tokenIncluded = true;
         }
         

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Mon Apr  4 13:48:35 2011
@@ -88,6 +88,85 @@ public class SamlTokenTest extends Abstr
         BigInteger result = saml1Port.doubleIt(BigInteger.valueOf(25));
         assert result.equals(BigInteger.valueOf(50));
     }
+    
+    @org.junit.Test
+    public void testSaml2OverSymmetric() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        
+        DoubleItPortType saml2Port = service.getDoubleItSaml2SymmetricPort();
+        
+        try {
+            saml2Port.doubleIt(BigInteger.valueOf(25));
+            fail("Expected failure on an invocation with no SAML Assertion");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            assert ex.getMessage().contains("No SAML CallbackHandler available");
+        }
+        
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler",
+            new org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler(false)
+        );
+        try {
+            saml2Port.doubleIt(BigInteger.valueOf(25));
+            fail("Expected failure on an invocation with a SAML1 Assertion");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            assert ex.getMessage().contains("Wrong SAML Version");
+        }
+        
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler",
+            new org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler()
+        );
+        BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
+        assert result.equals(BigInteger.valueOf(50));
+    }
 
+    @org.junit.Test
+    public void testSaml2OverAsymmetric() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        
+        DoubleItPortType saml2Port = service.getDoubleItSaml2AsymmetricPort();
+        
+        try {
+            saml2Port.doubleIt(BigInteger.valueOf(25));
+            fail("Expected failure on an invocation with no SAML Assertion");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            assert ex.getMessage().contains("No SAML CallbackHandler available");
+        }
+        
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler",
+            new org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler(false)
+        );
+        try {
+            saml2Port.doubleIt(BigInteger.valueOf(25));
+            fail("Expected failure on an invocation with a SAML1 Assertion");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            assert ex.getMessage().contains("Wrong SAML Version");
+        }
+        
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler",
+            new org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler()
+        );
+        BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
+        assert result.equals(BigInteger.valueOf(50));
+    }
     
 }
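Review bot: The new tests check outcomes with the Java `assert` keyword (`assert ex.getMessage().contains(...)`, `assert result.equals(...)`), which is a no-op unless the JVM runs with `-ea`; since JUnit's `fail` is already in scope, `assertTrue(ex.getMessage().contains("Wrong SAML Version"))` and `assertEquals(BigInteger.valueOf(50), result)` would make the checks unconditional. The two methods are identical except for the port getter, so the bus setup and the three invocations could move into one private helper that takes the port. Each test also creates a `Bus` that is never shut down; a `bus.shutdown(true)` in a finally block avoids leaking it across tests. Nothing here exercises a negative case for the signature itself (e.g. an assertion altered after signing), so the "signed SAML Assertion" part of the feature is covered only by the happy path.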

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
Mon Apr  4 13:48:35 2011
@@ -48,6 +48,31 @@
                 <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
             </sec:trustManagers>
         </http:tlsClientParameters>
-    </http:conduit>    
+    </http:conduit>  
+    
+    <jaxws:client name="{http://WSSec/saml}DoubleItSaml2SymmetricPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.username" value="bob"/>
+       </jaxws:properties>
+   </jaxws:client>  
+   
+   <jaxws:client name="{http://WSSec/saml}DoubleItSaml2AsymmetricPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.encryption.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.username" value="bob"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+       </jaxws:properties>
+   </jaxws:client>  
     
 </beans>
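Review bot: The DoubleItSaml2AsymmetricPort client sets `ws-security.encryption.username` twice, first to `alice` and then to `bob`; in a map-style properties block the later entry wins or the duplicate key is rejected, depending on the parser, so the `alice` entry is either dead or breaks configuration loading. If that line was meant to name the client's own signing key, the property is `ws-security.signature.username`; otherwise drop it. Leaving it in obscures which key the request is actually encrypted for.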

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Mon Apr  4 13:48:35 2011
@@ -86,4 +86,44 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="Saml2TokenOverSymmetric"
+       address="http://localhost:9001/DoubleItSaml2Symmetric" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml2SymmetricPort"
+       xmlns:s="http://WSSec/saml"
+       implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
+       id="Saml2TokenOverAsymmetric"
+       address="http://localhost:9001/DoubleItSaml2Asymmetric" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml2AsymmetricPort"
+       xmlns:s="http://WSSec/saml"
+       implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
+        
+       <jaxws:properties>
+           <entry key="ws-security.username" value="bob"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+           <entry key="ws-security.encryption.username" value="alice"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>

Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
Mon Apr  4 13:48:35 2011
@@ -16,10 +16,11 @@
 <wsdl:definitions name="DoubleIt"
 	xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 	xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://WSSec/saml"
-	targetNamespace="http://WSSec/saml" xmlns:wsp="http://www.w3.org/ns/ws-policy"
+	targetNamespace="http://WSSec/saml" 
+	xmlns:wsp="http://www.w3.org/ns/ws-policy"
 	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
-	xmlns:wsaws="http://www.w3.org/2005/08/addressing" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
-	xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy">
+	xmlns:wsaws="http://www.w3.org/2005/08/addressing" 
+	xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 	<wsdl:types>
 		<xsd:schema targetNamespace="http://WSSec/saml">
 			<xsd:element name="DoubleIt">
@@ -75,9 +76,49 @@
 			<soap:operation soapAction="" />
 			<wsdl:input>
 				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
 			</wsdl:input>
 			<wsdl:output>
 				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+			</wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+		</wsdl:operation>
+	</wsdl:binding>
+	<wsdl:binding name="DoubleItSaml2SymmetricBinding" type="tns:DoubleItPortType">
+		<wsp:PolicyReference URI="#DoubleItSaml2SymmetricPolicy" />
+		<soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="DoubleIt">
+			<soap:operation soapAction="" />
+			<wsdl:input>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+			</wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+		</wsdl:operation>
+	</wsdl:binding>
+	<wsdl:binding name="DoubleItSaml2AsymmetricBinding" type="tns:DoubleItPortType">
+		<wsp:PolicyReference URI="#DoubleItSaml2AsymmetricPolicy" />
+		<soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="DoubleIt">
+			<soap:operation soapAction="" />
+			<wsdl:input>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
 			</wsdl:output>
             <wsdl:fault name="DoubleItFault">
                 <soap:body use="literal" name="DoubleItFault" />
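Review bot: The DoubleItFault message gets no wsp:PolicyReference in any of the three bindings (the added faults at the transport binding and the two new Saml2 bindings, plus the context fault at the end of this hunk), while wsdl:input and wsdl:output are given the Body SignedParts/EncryptedParts policies. For the new symmetric and asymmetric bindings this means the protection of a fault body is governed only by the binding-level assertions rather than by an explicit parts policy, which is presumably acceptable for a systest but worth stating. If faults are meant to be protected like ordinary responses, add `<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>` inside each `wsdl:fault`, or attach a dedicated fault policy; otherwise a short XML comment on the first fault saying faults are intentionally left to the binding defaults would save the next reader the question. The transport binding that the first fault belongs to starts outside this hunk.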
@@ -89,6 +130,12 @@
 		<wsdl:port name="DoubleItSaml1TransportPort" binding="tns:DoubleItSaml1TransportBinding">
 			<soap:address location="https://localhost:9009/DoubleItSaml1Transport" />
 		</wsdl:port>
+		<wsdl:port name="DoubleItSaml2SymmetricPort" binding="tns:DoubleItSaml2SymmetricBinding">
+			<soap:address location="http://localhost:9001/DoubleItSaml2Symmetric" />
+		</wsdl:port>
+		<wsdl:port name="DoubleItSaml2AsymmetricPort" binding="tns:DoubleItSaml2AsymmetricBinding">
+			<soap:address location="http://localhost:9001/DoubleItSaml2Asymmetric" />
+		</wsdl:port>
 	</wsdl:service>
 
 	<wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
@@ -117,7 +164,7 @@
 				<sp:SupportingTokens>
 					<wsp:Policy>
 						<sp:SamlToken
-						    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+						    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
 				            <wsp:Policy>
 				                <sp:WssSamlV11Token11/>
 				            </wsp:Policy>
@@ -127,5 +174,141 @@
 			</wsp:All>
 		</wsp:ExactlyOne>
 	</wsp:Policy>
+	<wsp:Policy wsu:Id="DoubleItSaml2SymmetricPolicy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:SymmetricBinding>
+               <wsp:Policy>
+                  <sp:ProtectionToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                              <sp:RequireThumbprintReference />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:ProtectionToken>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax/>
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp/>
+                  <sp:OnlySignEntireHeadersAndBody/>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:Basic256/>
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+               </wsp:Policy>
+            </sp:SymmetricBinding>
+            <sp:Wss11>
+               <wsp:Policy>
+                  <sp:MustSupportRefIssuerSerial/>
+                  <sp:MustSupportRefThumbprint/>
+                  <sp:MustSupportRefEncryptedKey/>
+               </wsp:Policy>
+            </sp:Wss11>
+            <sp:SignedSupportingTokens>
+               <wsp:Policy>
+                  <sp:SamlToken
+                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                      <wsp:Policy>
+                        <sp:WssSamlV20Token11/>
+                     </wsp:Policy>
+				  </sp:SamlToken>
+			   </wsp:Policy>
+			</sp:SignedSupportingTokens>
+         </wsp:All>
+      </wsp:ExactlyOne>
+    </wsp:Policy>
+    <wsp:Policy wsu:Id="DoubleItSaml2AsymmetricPolicy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:AsymmetricBinding>
+               <wsp:Policy>
+                  <sp:InitiatorToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                              <sp:RequireIssuerSerialReference />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:InitiatorToken>
+                  <sp:RecipientToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                              <sp:RequireIssuerSerialReference />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:RecipientToken>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax/>
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp/>
+                  <sp:OnlySignEntireHeadersAndBody/>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:Basic256/>
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+               </wsp:Policy>
+            </sp:AsymmetricBinding>
+            <sp:Wss11>
+               <wsp:Policy>
+                  <sp:MustSupportRefIssuerSerial/>
+                  <sp:MustSupportRefThumbprint/>
+                  <sp:MustSupportRefEncryptedKey/>
+               </wsp:Policy>
+            </sp:Wss11>
+            <sp:SignedSupportingTokens>
+               <wsp:Policy>
+                  <sp:SamlToken
+                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                      <wsp:Policy>
+                        <sp:WssSamlV20Token11/>
+                     </wsp:Policy>
+				  </sp:SamlToken>
+			   </wsp:Policy>
+			</sp:SignedSupportingTokens>
+         </wsp:All>
+      </wsp:ExactlyOne>
+    </wsp:Policy>
+   
+    <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:EncryptedParts>
+               <sp:Body/>
+            </sp:EncryptedParts>
+            <sp:SignedParts>
+               <sp:Body/>
+            </sp:SignedParts>
+         </wsp:All>
+      </wsp:ExactlyOne>
+   </wsp:Policy>
+   <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:EncryptedParts>
+               <sp:Body/>
+            </sp:EncryptedParts>
+            <sp:SignedParts>
+               <sp:Body/>
+            </sp:SignedParts>
+         </wsp:All>
+      </wsp:ExactlyOne>
+   </wsp:Policy>
 	
 </wsdl:definitions>
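Review bot: In both new policies the SAML assertion is declared under sp:SignedSupportingTokens, so it is covered by the message signature but never encrypted: the Input/Output policies encrypt only sp:Body, and the matching ports in this file use plain http addresses, so the assertion's subject and attribute statements travel readable on the wire. That is fine for a test fixture but is the kind of choice that gets copied, so I would add a comment above each sp:SignedSupportingTokens such as `<!-- Assertion is signed by the message signature but not encrypted; use sp:SignedEncryptedSupportingTokens if its contents must stay confidential -->`. Separately, the closing tags of the two sp:SamlToken / sp:SignedSupportingTokens blocks are indented with tabs while the rest of each policy uses spaces, which makes the nesting hard to read; normalising them to spaces would match the surrounding lines.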


