From cohei...@apache.org
Subject svn commit: r1088679 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ rt/ws/security/s...
Date Mon, 04 Apr 2011 16:31:40 GMT
Author: coheigea
Date: Mon Apr  4 16:31:40 2011
New Revision: 1088679

URL: http://svn.apache.org/viewvc?rev=1088679&view=rev
Log:
[CXF-3432] - Support WS-SecurityPolicy SamlToken expressions (Part IV)
 - Add support for creating self-signed assertions via configuration.

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
    cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Mon Apr  4 16:31:40 2011
@@ -82,6 +82,13 @@ public final class SecurityConstants {
     public static final String TIMESTAMP_FUTURE_TTL = "ws-security.timestamp.futureTimeToLive";
     
     /**
+     * This configuration tag specifies whether to self-sign a SAML Assertion or not. If
this
+     * is set to true, then an enveloped signature will be generated when the SAML Assertion
is
+     * constructed. The default is false.
+     */
+    public static final String SELF_SIGN_SAML_ASSERTION = "ws-security.self-sign-saml-assertion";
+    
+    /**
      * WCF's trust server sometimes will encrypt the token in the response IN ADDITION TO
      * the full security on the message. These properties control the way the STS client
      * will decrypt the EncryptedData elements in the response
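Review bot: The Javadoc for `SELF_SIGN_SAML_ASSERTION` says an enveloped signature is generated but not which key produces it, which is the first thing a deployer needs to know. From the AbstractBindingBuilder change in this commit the signer is the signature Crypto with `ws-security.signature.username` (falling back to the Crypto's default X.509 identifier when that is unset) and a password obtained through the callback handler with the SIGNATURE usage. A sentence to that effect, e.g. `The assertion is signed with the signature crypto and ws-security.signature.username, using the password supplied by the callback handler.`, makes the option self-describing.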

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Mon Apr  4 16:31:40 2011
@@ -60,7 +60,6 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
 import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements;
 import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.cxf.ws.security.policy.model.RequiredElements;
 import org.apache.cxf.ws.security.policy.model.RequiredParts;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
@@ -280,7 +279,7 @@ public class PolicyBasedWSS4JInIntercept
             for (AssertionInfo ai : ais) {
                 TransportBinding binding = (TransportBinding)ai.getAssertion();
                 TransportToken token = binding.getTransportToken();
-                if (token != null && token.getToken() instanceof IssuedToken) {
+                if (token != null) {
                     action = addToAction(action, "Signature", true);
                     action = addToAction(action, "Encrypt", true);
                     Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
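Review bot: The condition at `if (token != null)` now enables the Signature and Encrypt actions for every transport token, not only an IssuedToken, and nothing in the hunk records why. Presumably this is what lets the inbound side verify the enveloped signature on a self-signed SAML assertion carried over a TransportBinding, but the broadening also applies to every existing TransportBinding endpoint, so a comment such as `// always enable Signature/Encrypt so that signed tokens (IssuedToken, self-signed SAML) carried over the transport binding are verified` would save the next reader a blame. The enclosing method starts and ends outside the hunk.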

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Mon Apr  4 16:31:40 2011
@@ -618,17 +618,23 @@ public abstract class AbstractBindingBui
                 part = new WSEncryptionPart(unt.getId());
                 part.setElement(unt.getUsernameTokenElement());
             } else if (tempTok instanceof AssertionWrapper) {
-                AssertionWrapper assertionWrapper = (AssertionWrapper)tempTok;
-                part = new WSEncryptionPart(assertionWrapper.getId());
-                part.setElement(assertionWrapper.getElement());
-                
-                // TODO We only support using a KeyIdentifier for the moment
-                SecurityTokenReference secRef = 
-                    createSTRForSamlAssertion(assertionWrapper, false);
-                addSupportingElement(secRef.getElement());
-                part = new WSEncryptionPart("STRTransform", null, "Element");
-                part.setId(secRef.getID());
-                part.setElement(secRef.getElement());
+                boolean selfSignAssertion = 
+                    MessageUtils.getContextualBoolean(
+                        message, SecurityConstants.SELF_SIGN_SAML_ASSERTION, false
+                    );
+                if (!selfSignAssertion) {
+                    AssertionWrapper assertionWrapper = (AssertionWrapper)tempTok;
+                    part = new WSEncryptionPart(assertionWrapper.getId());
+                    part.setElement(assertionWrapper.getElement());
+                    
+                    // TODO We only support using a KeyIdentifier for the moment
+                    SecurityTokenReference secRef = 
+                        createSTRForSamlAssertion(assertionWrapper, false);
+                    addSupportingElement(secRef.getElement());
+                    part = new WSEncryptionPart("STRTransform", null, "Element");
+                    part.setId(secRef.getID());
+                    part.setElement(secRef.getElement());
+                }
             } else {
                 policyNotAsserted(entry.getKey(), "UnsupportedTokenInSupportingToken: " +
tempTok);  
             }
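Review bot: When `selfSignAssertion` is true the `else if (tempTok instanceof AssertionWrapper)` branch no longer assigns `part`, so whatever `part` held before this branch is what the code after the if-chain sees; if `part` is declared outside the loop rather than per iteration, the previous token's part could be added a second time. The declaration and the consumer of `part` are outside the hunk, so this needs confirming; if it is per-iteration, a comment such as `// a self-signed assertion carries its own enveloped signature and is not added to the message signature parts` would make the intentional fall-through explicit. The contextual-property lookup is also repeated for every token in the loop and could be read once before it. The enclosing method starts and ends outside the hunk.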
@@ -771,7 +777,39 @@ public abstract class AbstractBindingBui
         SAMLParms samlParms = new SAMLParms();
         samlParms.setCallbackHandler(handler);
         info.setAsserted(true);
-        return new AssertionWrapper(samlParms);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        boolean selfSignAssertion = 
+            MessageUtils.getContextualBoolean(
+                message, SecurityConstants.SELF_SIGN_SAML_ASSERTION, false
+            );
+        if (selfSignAssertion) {
+            Crypto crypto = getSignatureCrypto(null);
+            
+            String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
+            String user = (String)message.getContextualProperty(userNameKey);
+            if (crypto != null && StringUtils.isEmpty(user)) {
+                try {
+                    user = crypto.getDefaultX509Identifier();
+                } catch (WSSecurityException e1) {
+                    throw new Fault(e1);
+                }
+            }
+            if (StringUtils.isEmpty(user)) {
+                policyNotAsserted(token, "No username found.");
+                return null;
+            }
+    
+            String password = getPassword(user, token, WSPasswordCallback.SIGNATURE);
+            if (password == null) {
+                password = "";
+            }
+         
+            // TODO configure using a KeyValue here
+            assertion.signAssertion(user, password, crypto, false);
+        }
+        
+        return assertion;
     }
     
     public String getPassword(String userName, Assertion info, int type) {
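Review bot: `assertion.signAssertion(user, password, crypto, false)` can be reached with a null `crypto`: the result of `getSignatureCrypto(null)` is only consulted to derive a default user, and when `ws-security.signature.username` is configured the `crypto != null` guard is never exercised. Add an explicit check before the password lookup, e.g. `if (crypto == null) { policyNotAsserted(token, "No signature crypto found."); return null; }`, so a missing or unloadable signature properties file fails the policy with a clear message instead of failing somewhere inside signAssertion. The `password = ""` fallback also means a callback handler that supplies no password signs with an empty one; whether that should instead fail the policy deserves a comment either way. The enclosing method starts before the hunk.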
@@ -1224,11 +1262,13 @@ public abstract class AbstractBindingBui
                     properties = new Properties();
                     properties.load(ins);
                     ins.close();
-                } else {
+                } else if (wrapper != null) {
                     policyNotAsserted(wrapper, "Could not find properties file " + o);
                 }
             } catch (IOException e) {
-                policyNotAsserted(wrapper, e);
+                if (wrapper != null) {
+                    policyNotAsserted(wrapper, e);
+                }
             }
         } else if (o instanceof URL) {
             properties = new Properties();
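Review bot: With `wrapper == null` the `IOException` at `policyNotAsserted(wrapper, e)` is now swallowed with no trace, and the missing-file case at `else if (wrapper != null)` is likewise silent, so a caller that passes null (as `getSignatureCrypto(null)` in this commit does) gets back a null Crypto with no diagnostic. The same pattern is repeated in the next hunk. At minimum log the exception together with the path in `o` in the null-wrapper branch if the class has a logger; otherwise add a comment stating that a null wrapper means best-effort loading whose failure the caller must detect. The enclosing method starts and ends outside the hunk.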
@@ -1237,7 +1277,9 @@ public abstract class AbstractBindingBui
                 properties.load(ins);
                 ins.close();
             } catch (IOException e) {
-                policyNotAsserted(wrapper, e);
+                if (wrapper != null) {
+                    policyNotAsserted(wrapper, e);
+                }
             }            
         }
         

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Mon Apr  4 16:31:40 2011
@@ -50,6 +50,7 @@ public class SamlTokenPolicyValidator {
 
                 if (!checkVersion(samlToken, assertionWrapper)) {
                     ai.setNotAsserted("Wrong SAML Version");
+                    return;
                 }
                 /*
                 if (!checkIssuerName(samlToken, assertionWrapper)) {

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Mon Apr  4 16:31:40 2011
@@ -158,6 +158,7 @@ public class SamlTokenTest extends Abstr
             saml2Port.doubleIt(BigInteger.valueOf(25));
             fail("Expected failure on an invocation with a SAML1 Assertion");
         } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            ex.printStackTrace();
             assert ex.getMessage().contains("Wrong SAML Version");
         }
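Review bot: `ex.printStackTrace();` added before the assertion looks like a debugging leftover; the test already checks the fault message, and printing the stack trace of an expected fault only adds noise to the build output. Drop the line, or if the output is wanted route it through the test's logging rather than stderr.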
         
@@ -169,4 +170,26 @@ public class SamlTokenTest extends Abstr
         assert result.equals(BigInteger.valueOf(50));
     }
     
+    @org.junit.Test
+    public void testSaml1SelfSignedOverTransport() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        
+        DoubleItPortType saml1Port = service.getDoubleItSaml1SelfSignedTransportPort();
+        
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            "ws-security.saml-callback-handler",
+            new org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler(false)
+        );
+        BigInteger result = saml1Port.doubleIt(BigInteger.valueOf(25));
+        assert result.equals(BigInteger.valueOf(50));
+    }
+    
 }
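Review bot: `testSaml1SelfSignedOverTransport` only covers the happy path; there is no test that an assertion whose enveloped signature is missing, or was produced with a key the server does not trust, is rejected, and that rejection is the property the new `ws-security.self-sign-saml-assertion` option is meant to provide. A sibling test that points the client's signature username/properties at a key absent from the server's keystore and expects a `SOAPFaultException` would pin it, assuming such a keystore exists in the systest resources. The new test also creates a Bus it never shuts down; that matches the file's existing tests but is worth noting.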

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
Mon Apr  4 16:31:40 2011
@@ -39,7 +39,7 @@
         </cxf:features>
     </cxf:bus>
     
-    <http:conduit name="https://localhost:9009/DoubleItSaml1Transport">
+    <http:conduit name="https://localhost:9009/.*">
         <http:tlsClientParameters disableCNCheck="true">
             <sec:keyManagers keyPassword="password">
                 <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Morpit.jks"/>
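Review bot: Changing the conduit name to the pattern `https://localhost:9009/.*` makes `disableCNCheck="true"` and the key/trust settings below apply to every endpoint on that port rather than the single endpoint named before. That is reasonable for a system test, but a short comment marking it test-only, e.g. `<!-- matches all SAML transport-binding test endpoints on 9009; CN check is disabled only for the test certificate -->`, would stop the block from being copied into a real configuration as-is.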
@@ -73,6 +73,18 @@
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

        </jaxws:properties>
+   </jaxws:client> 
+
+   <jaxws:client name="{http://WSSec/saml}DoubleItSaml1SelfSignedTransportPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+           <entry key="ws-security.self-sign-saml-assertion" value="true"/>
+       </jaxws:properties>
    </jaxws:client>  
     
 </beans>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Mon Apr  4 16:31:40 2011
@@ -126,4 +126,22 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="Saml1SelfSignedTokenOverTransport"
+       address="https://localhost:9009/DoubleItSaml1SelfSignedTransport" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml1SelfSignedTransportPort"
+       xmlns:s="http://WSSec/saml"
+       implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>
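Review bot: The new endpoint configures only `ws-security.encryption.properties`, yet the inbound Signature action this commit enables in PolicyBasedWSS4JInInterceptor reads `ws-security.signature.properties`; unless that lookup falls back to the encryption properties, the enveloped signature on the self-signed assertion has no trust store to be verified against. If the fallback is intended, a comment saying so next to the entry would help; if not, add `<entry key="ws-security.signature.properties" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>`. Either way the server then accepts any assertion signed by a certificate in that keystore, which is worth stating for a test that shares alice's keystore between client and server.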

Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
Mon Apr  4 16:31:40 2011
@@ -87,6 +87,25 @@
             </wsdl:fault>
 		</wsdl:operation>
 	</wsdl:binding>
+	<wsdl:binding name="DoubleItSaml1SelfSignedTransportBinding" type="tns:DoubleItPortType">
+		<wsp:PolicyReference URI="#DoubleItSaml1SelfSignedTransportPolicy" />
+		<soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="DoubleIt">
+			<soap:operation soapAction="" />
+			<wsdl:input>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+			</wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+		</wsdl:operation>
+	</wsdl:binding>
 	<wsdl:binding name="DoubleItSaml2SymmetricBinding" type="tns:DoubleItPortType">
 		<wsp:PolicyReference URI="#DoubleItSaml2SymmetricPolicy" />
 		<soap:binding style="document"
@@ -136,6 +155,10 @@
 		<wsdl:port name="DoubleItSaml2AsymmetricPort" binding="tns:DoubleItSaml2AsymmetricBinding">
 			<soap:address location="http://localhost:9001/DoubleItSaml2Asymmetric" />
 		</wsdl:port>
+		<wsdl:port name="DoubleItSaml1SelfSignedTransportPort" 
+		           binding="tns:DoubleItSaml1SelfSignedTransportBinding">
+			<soap:address location="https://localhost:9009/DoubleItSaml1SelfSignedTransport" />
+		</wsdl:port>
 	</wsdl:service>
 
 	<wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
@@ -174,6 +197,42 @@
 			</wsp:All>
 		</wsp:ExactlyOne>
 	</wsp:Policy>
+	<wsp:Policy wsu:Id="DoubleItSaml1SelfSignedTransportPolicy">
+		<wsp:ExactlyOne>
+			<wsp:All>
+				<sp:TransportBinding>
+					<wsp:Policy>
+						<sp:TransportToken>
+							<wsp:Policy>
+								<sp:HttpsToken RequireClientCertificate="false" />
+							</wsp:Policy>
+						</sp:TransportToken>
+						<sp:Layout>
+							<wsp:Policy>
+								<sp:Lax />
+							</wsp:Policy>
+						</sp:Layout>
+						<sp:IncludeTimestamp />
+						<sp:AlgorithmSuite>
+							<wsp:Policy>
+								<sp:Basic128 />
+							</wsp:Policy>
+						</sp:AlgorithmSuite>
+					</wsp:Policy>
+				</sp:TransportBinding>
+				<sp:SignedSupportingTokens>
+					<wsp:Policy>
+						<sp:SamlToken
+						    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+				            <wsp:Policy>
+				                <sp:WssSamlV11Token11/>
+				            </wsp:Policy>
+				        </sp:SamlToken>
+					</wsp:Policy>
+				</sp:SignedSupportingTokens>
+			</wsp:All>
+		</wsp:ExactlyOne>
+	</wsp:Policy>
 	<wsp:Policy wsu:Id="DoubleItSaml2SymmetricPolicy">
       <wsp:ExactlyOne>
          <wsp:All>
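Review bot: `DoubleItSaml1SelfSignedTransportPolicy` contains nothing that requires the SAML assertion to carry an enveloped signature, so the "self-signed" property is enforced only by client configuration and by whatever the server-side validator does with an unsigned assertion over TLS. If the server is meant to reject unsigned assertions for this endpoint, that check lives in SamlTokenPolicyValidator rather than in the policy, and a comment on the policy stating that expectation would make the contract visible to anyone reading the WSDL. Whether `WssSamlV11Token11` alone should accept an unsigned assertion over the transport binding is a decision the WSDL does not currently record.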


