cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1178771 - in /cxf/trunk: rt/core/src/main/java/org/apache/cxf/interceptor/security/ rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/ rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/ rt/rs/security/xml/src/mai...
Date Tue, 04 Oct 2011 12:57:34 GMT
Author: sergeyb
Date: Tue Oct  4 12:57:34 2011
New Revision: 1178771

URL: http://svn.apache.org/viewvc?rev=1178771&view=rev
Log:
[CXF-3844] Adding jaxrs saml authorization test

Added:
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java   (with props)
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java   (with props)
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java   (with props)
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java   (with props)
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java   (with props)
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java   (with props)
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml   (with props)
Modified:
    cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
    cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
    cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
    cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java

Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java (original)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java Tue Oct  4 12:57:34 2011
@@ -90,7 +90,7 @@ public abstract class AbstractAuthorizin
         return false;
     }
     
-    private boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
+    protected boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
         
         if (roles.size() == 1 && ALL_ROLES.equals(roles.get(0))) {
             return !deny;
@@ -120,4 +120,5 @@ public abstract class AbstractAuthorizin
     protected List<String> getDenyRoles(Method method) {
         return Collections.emptyList();
     }
+    
 }

Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java (original)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java Tue Oct  4 12:57:34 2011
@@ -25,12 +25,36 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.cxf.security.SecurityContext;
+
 
 public class SimpleAuthorizingInterceptor extends AbstractAuthorizingInInterceptor {
 
-    private Map<String, List<String>> methodRolesMap = Collections.emptyMap();
+    private Map<String, List<String>> methodRolesMap = new HashMap<String, List<String>>();
+    private Map<String, List<String>> userRolesMap = Collections.emptyMap();
     private List<String> globalRoles = Collections.emptyList();
     
+    @Override 
+    protected boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
+        if (!super.isUserInRole(sc, roles, deny)) {
+            return false;
+        }
+        // Additional check.
+        if (!userRolesMap.isEmpty()) {
+            List<String> userRoles = userRolesMap.get(sc.getUserPrincipal().getName());    
+            if (userRoles == null) {
+                return false;
+            }
+            for (String role : roles) {
+                if (userRoles.contains(role)) {
+                    return true;
+                }
+            }
+            return false;
+        } else {
+            return true;
+        }
+    }
     
     @Override
     protected List<String> getExpectedRoles(Method method) {
@@ -42,20 +66,23 @@ public class SimpleAuthorizingIntercepto
     }
 
 
-
     public void setMethodRolesMap(Map<String, String> rolesMap) {
-        methodRolesMap = new HashMap<String, List<String>>();
-        for (Map.Entry<String, String> entry : rolesMap.entrySet()) {
-            methodRolesMap.put(entry.getKey(), Arrays.asList(entry.getValue().split(" ")));
-        }
+        methodRolesMap.putAll(parseRolesMap(rolesMap)); 
+    }
+    
+    public void setUserRolesMap(Map<String, String> rolesMap) {
+        userRolesMap = parseRolesMap(rolesMap);
     }
     
     public void setGlobalRoles(String roles) {
         globalRoles = Arrays.asList(roles.split(" "));
     }
-
-
-
     
-
+    private static Map<String, List<String>> parseRolesMap(Map<String, String> rolesMap) {
+        Map<String, List<String>> map = new HashMap<String, List<String>>();
+        for (Map.Entry<String, String> entry : rolesMap.entrySet()) {
+            map.put(entry.getKey(), Arrays.asList(entry.getValue().split(" ")));
+        }
+        return map;
+    }
 }

Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java Tue Oct  4 12:57:34 2011
@@ -18,14 +18,10 @@
  */
 package org.apache.cxf.jaxrs.security;
 
-import java.util.Map;
-
 import javax.ws.rs.core.Response;
 
 import org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor;
 import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
-import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
 import org.apache.cxf.jaxrs.ext.RequestHandler;
 import org.apache.cxf.jaxrs.model.ClassResourceInfo;
 import org.apache.cxf.message.Message;
@@ -43,23 +39,7 @@ public class SimpleAuthorizingFilter imp
         }
     }
 
-    public void setMethodRolesMap(Map<String, String> rolesMap) {
-        checkInterceptor();
-        SimpleAuthorizingInterceptor simple = new SimpleAuthorizingInterceptor();
-        simple.setMethodRolesMap(rolesMap);
-        interceptor = simple; 
-    }
-    
-    public void setSecuredObject(Object securedObject) {
-        checkInterceptor();
-        SecureAnnotationsInterceptor simple = new SecureAnnotationsInterceptor();
-        simple.setSecuredObject(securedObject);
-        interceptor = simple; 
-    }
-    
-    private void checkInterceptor() {
-        if (interceptor != null) {
-            throw new IllegalStateException("Filter has already been initialized");
-        }
+    public void setInterceptor(AbstractAuthorizingInInterceptor in) {
+        interceptor = in;
     }
 }

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java Tue Oct  4 12:57:34 2011
@@ -144,7 +144,7 @@ public abstract class AbstractSamlInHand
     protected void setSecurityContext(Message message, AssertionWrapper wrapper) {
         if (scProvider != null) {
             SecurityContext sc = scProvider.getSecurityContext(message, wrapper);
-            message.setContent(SecurityContext.class, sc);
+            message.put(SecurityContext.class, sc);
         }
     }
     

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java Tue Oct  4 12:57:34 2011
@@ -23,11 +23,20 @@ import java.util.List;
 public class Claims {
 
     private List<Claim> claims;
+    private String realm;
     
     public Claims(List<Claim> claims) {
         this.claims = claims;
     }
+    
+    public Claims(List<Claim> claims, String realm) {
+        this.claims = claims;
+        this.realm = realm;
+    }
 
+    public String getRealm() {
+        return realm;
+    }
     public List<Claim> getClaims() {
         return claims;
     }

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Subject.java Tue Oct  4 12:57:34 2011
@@ -25,8 +25,6 @@ public class Subject {
     private String spQualifier;
     private String spId;
     
-    private String alternateName;
-    
     public Subject() {
         
     }
@@ -74,12 +72,4 @@ public class Subject {
     public String getSpQualifier() {
         return spQualifier;
     }
-
-    public void setAlternateName(String alternateName) {
-        this.alternateName = alternateName;
-    }
-
-    public String getAlternateName() {
-        return alternateName;
-    }
 }

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java Tue Oct  4 12:57:34 2011
@@ -28,5 +28,6 @@ import java.lang.annotation.Target;
 @Target({ElementType.TYPE, ElementType.METHOD })
 @Retention(RetentionPolicy.RUNTIME)
 public @interface Claims {
+    String realm() default "";
     Claim[] value();
 }

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java (added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java Tue Oct  4 12:57:34 2011
@@ -0,0 +1,63 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.ws.rs.core.Response;
+
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.jaxrs.ext.RequestHandler;
+import org.apache.cxf.jaxrs.model.ClassResourceInfo;
+import org.apache.cxf.message.Message;
+
+public class ClaimsAuthorizingFilter implements RequestHandler {
+
+    private ClaimsAuthorizingInterceptor interceptor;
+    
+    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
+        try {
+            interceptor.handleMessage(m);
+            return null;
+        } catch (AccessDeniedException ex) {
+            return Response.status(Response.Status.FORBIDDEN).build();
+        }
+    }
+
+    public void setClaims(Map<String, List<ClaimBean>> claimsMap) {
+        checkInterceptor();
+        ClaimsAuthorizingInterceptor simple = new ClaimsAuthorizingInterceptor();
+        simple.setClaims(claimsMap);
+        interceptor = simple; 
+    }
+    
+    public void setSecuredObject(Object securedObject) {
+        checkInterceptor();
+        ClaimsAuthorizingInterceptor simple = new ClaimsAuthorizingInterceptor();
+        simple.setSecuredObject(securedObject);
+        interceptor = simple; 
+    }
+    
+    private void checkInterceptor() {
+        if (interceptor != null) {
+            throw new IllegalStateException("Filter has already been initialized");
+        }
+    }
+}

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingFilter.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java Tue Oct  4 12:57:34 2011
@@ -33,7 +33,7 @@ public class SAMLSecurityContext impleme
     private Claim rolesClaim;
     
     public SAMLSecurityContext(Subject subject, List<Claim> claims) {
-        this(new SubjectPrincipal(subject), new Claims(claims));
+        this(new SubjectPrincipal(subject.getName(), subject), new Claims(claims));
     }
     
     public SAMLSecurityContext(SubjectPrincipal p, Claims claims) {

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java Tue Oct  4 12:57:34 2011
@@ -28,21 +28,14 @@ import org.apache.ws.security.saml.ext.A
 
 public class SecurityContextProviderImpl implements SecurityContextProvider {
 
-    private static final String DEFAULT_NAME_ROLE_PROPERTY = "org.apache.cxf.saml.claims.role";
-    private static final String DEFAULT_NAMEFORMAT_PROPERTY = "org.apache.cxf.saml.claims.format";
+    private static final String ROLE_QUALIFIER_PROPERTY = "org.apache.cxf.saml.claims.role.qualifier";
+    private static final String ROLE_NAMEFORMAT_PROPERTY = "org.apache.cxf.saml.claims.role.nameformat";
     
     public SecurityContext getSecurityContext(Message message,
             AssertionWrapper wrapper) {
         Claims claims = getClaims(wrapper);
         Subject subject = getSubject(message, wrapper, claims);
-        
-        String defaultName = (String)message.getContextualProperty(DEFAULT_NAME_ROLE_PROPERTY);
-        String defaultNameFormat = (String)message.getContextualProperty(DEFAULT_NAMEFORMAT_PROPERTY);
-        SecurityContext sc = new SAMLSecurityContext(new SubjectPrincipal(subject),
-                claims,
-                defaultName == null ? Claim.DEFAULT_ROLE_NAME : defaultName,
-                defaultNameFormat == null ? Claim.DEFAULT_NAME_FORMAT : defaultNameFormat);
-        return sc;
+        return doGetSecurityContext(message, subject, claims);
     }
 
     protected Claims getClaims(AssertionWrapper wrapper) {
@@ -50,15 +43,33 @@ public class SecurityContextProviderImpl
     }
     
     protected Subject getSubject(Message message, AssertionWrapper wrapper, Claims claims) {
-        Subject subj = SAMLUtils.getSubject(message, wrapper);
-        setSubjectPrincipalName(subj, claims);
-        return subj;
+        return SAMLUtils.getSubject(message, wrapper);
     }
     
-    protected void setSubjectPrincipalName(Subject sub, Claims claims) {
-        // parse/decipher subject name id, or check attributes like 
-        // givenName, email, firstName, etc
+    protected SecurityContext doGetSecurityContext(Message message, Subject subject, Claims claims) {
+        String defaultRoleName = (String)message.getContextualProperty(ROLE_QUALIFIER_PROPERTY);
+        String defaultNameFormat = (String)message.getContextualProperty(ROLE_NAMEFORMAT_PROPERTY);
+        
+        String subjectPrincipalName = getSubjectPrincipalName(subject, claims);
+        SubjectPrincipal subjectPrincipal = 
+            new SubjectPrincipal(subjectPrincipalName, subject);
         
-        // this can be overridden, but consider also introducing dedicated handlers 
+        SecurityContext sc = new SAMLSecurityContext(subjectPrincipal,
+                claims,
+                defaultRoleName == null ? Claim.DEFAULT_ROLE_NAME : defaultRoleName,
+                defaultNameFormat == null ? Claim.DEFAULT_NAME_FORMAT : defaultNameFormat);
+        return sc;
+    }
+    
+    //TODO: This can be overridden, but consider also introducing dedicated handlers
+    protected String getSubjectPrincipalName(Subject subject, Claims claims) {
+        // parse/decipher subject name, or check claims such as 
+        // givenName, email, firstName
+        // and use it to authenticate with the external system if needed
+
+        // Or if STS has been used to validate the SAML token on the server side then
+        // whatever name the subject has provided can probably be used as a principal name
+        // as IDP must've confirmed that this subject indeed got authenticated and such... 
+        return subject.getName();
     }
 }

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java Tue Oct  4 12:57:34 2011
@@ -23,8 +23,8 @@ import org.apache.cxf.rs.security.saml.a
 
 public class SubjectPrincipal extends SimplePrincipal {
     private Subject subject;
-    public SubjectPrincipal(Subject subject) {
-        super(subject.getAlternateName() == null ? subject.getName() : subject.getAlternateName());
+    public SubjectPrincipal(String principalName, Subject subject) {
+        super(principalName);
         this.subject = subject;
     }
     

Modified: cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml (original)
+++ cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml Tue Oct  4 12:57:34 2011
@@ -75,7 +75,7 @@ http://cxf.apache.org/schemas/jaxrs.xsd"
   </bean>
   
   <bean id="authorizationFilter" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
-        <property name="methodRolesMap" ref="rolesMap"/>
+        <property name="interceptor" ref="authorizationInterceptor"/>
   </bean>
   
   <util:map id="rolesMap">

Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java Tue Oct  4 12:57:34 2011
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+import org.apache.cxf.rs.security.saml.assertion.Claims;
+import org.apache.cxf.rs.security.saml.assertion.Subject;
+import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
+
+public class CustomSecurityContextProvider extends SecurityContextProviderImpl {
+    @Override
+    protected String getSubjectPrincipalName(Subject subject, Claims claims) {
+        int index = subject.getName().indexOf("@");
+        return index == -1 
+            ? super.getSubjectPrincipalName(subject, claims)
+            : subject.getName().substring(0, index);    
+    }
+    
+}

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java Tue Oct  4 12:57:34 2011
@@ -0,0 +1,168 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+import java.net.URL;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.ws.rs.core.MediaType;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
+import org.apache.cxf.jaxrs.client.ServerWebApplicationException;
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.rs.security.saml.SamlEnvelopedOutInterceptor;
+import org.apache.cxf.systest.jaxrs.security.Book;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class JAXRSSamlAuthorizationTest extends AbstractBusClientServerTestBase {
+    public static final String PORT = BookServerSaml.PORT;
+
+    @BeforeClass
+    public static void startServers() throws Exception {
+        assertTrue("server did not launch correctly", 
+                   launchServer(SecureBookServerSaml.class, true));
+    }
+    
+    @Test
+    public void testPostBookUserRole() throws Exception {
+        String address = "https://localhost:" + PORT + "/saml-roles/bookstore/books";
+        WebClient wc = createWebClient(address, null);
+        wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+        try {
+            wc.post(new Book("CXF", 125L), Book.class);
+            fail("403 is expected");
+        } catch (ServerWebApplicationException ex) {
+            assertEquals(403, ex.getStatus());
+        }
+    }
+    
+    @Test
+    public void testPostBookAdminRole() throws Exception {
+        String address = "https://localhost:" + PORT + "/saml-roles/bookstore/books";
+        WebClient wc = createWebClient(address, 
+                                       Collections.<String, Object>singletonMap("saml.roles", 
+                                       Collections.singletonList("admin")));
+        wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+        Book book = wc.post(new Book("CXF", 125L), Book.class);                
+        assertEquals(125L, book.getId());
+    }
+    
+    @Test
+    public void testPostBookAdminRoleWithWrongSubjectNameFormat() throws Exception {
+        String address = "https://localhost:" + PORT + "/saml-roles2/bookstore/books";
+        WebClient wc = createWebClient(address, 
+                                       Collections.<String, Object>singletonMap("saml.roles", 
+                                        Collections.singletonList("admin")));
+        wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+        try {
+            wc.post(new Book("CXF", 125L), Book.class);                
+            fail("403 is expected");
+        } catch (ServerWebApplicationException ex) {
+            assertEquals(403, ex.getStatus());
+        }
+    }
+    
+    @Test
+    public void testPostBookAdminRoleWithGoodSubjectName() throws Exception {
+        String address = "https://localhost:" + PORT + "/saml-roles2/bookstore/books";
+
+        Map<String, Object> props = new HashMap<String, Object>();
+        props.put("saml.roles", Collections.singletonList("admin"));
+        props.put("saml.subject.name", "bob@mycompany.com");
+        WebClient wc = createWebClient(address, props);
+        wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+        Book book = wc.post(new Book("CXF", 125L), Book.class);                
+        assertEquals(125L, book.getId());
+    }
+    
+    @Test
+    public void testPostBookAdminWithWeakClaims() throws Exception {
+        String address = "https://localhost:" + PORT + "/saml-claims/bookstore/books";
+
+        Map<String, Object> props = new HashMap<String, Object>();
+        WebClient wc = createWebClient(address, props);
+        wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+        try {
+            wc.post(new Book("CXF", 125L), Book.class);                
+            fail("403 is expected");
+        } catch (ServerWebApplicationException ex) {
+            assertEquals(403, ex.getStatus());
+        }
+    }
+
+    @Test
+    public void testPostBookAdminWithWeakClaims2() throws Exception {
+        String address = "https://localhost:" + PORT + "/saml-claims/bookstore/books";
+
+        Map<String, Object> props = new HashMap<String, Object>();
+        props.put("saml.roles", Collections.singletonList("admin"));
+        props.put("saml.auth", Collections.singletonList("password"));
+        WebClient wc = createWebClient(address, props);
+        wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+        try {
+            wc.post(new Book("CXF", 125L), Book.class);                
+            fail("403 is expected");
+        } catch (ServerWebApplicationException ex) {
+            assertEquals(403, ex.getStatus());
+        }
+    }
+    
+    @Test
+    public void testPostBookAdminWithClaims() throws Exception {
+        String address = "https://localhost:" + PORT + "/saml-claims/bookstore/books";
+
+        Map<String, Object> props = new HashMap<String, Object>();
+        props.put("saml.roles", Collections.singletonList("admin"));
+        props.put("saml.auth", Collections.singletonList("smartcard"));
+        WebClient wc = createWebClient(address, props);
+        wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
+        Book book = wc.post(new Book("CXF", 125L), Book.class);                
+        assertEquals(125L, book.getId());
+    }
+    
+    private WebClient createWebClient(String address, Map<String, Object> extraProperties) {
+        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+        bean.setAddress(address);
+        
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAXRSSamlAuthorizationTest.class.getResource("client.xml");
+        Bus springBus = bf.createBus(busFile.toString());
+        bean.setBus(springBus);
+
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put("ws-security.saml-callback-handler", 
+                       "org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler");
+        if (extraProperties != null) {
+            properties.putAll(extraProperties);
+        }
+        bean.setProperties(properties);
+        
+        bean.getOutInterceptors().add(new SamlEnvelopedOutInterceptor());
+        
+        return bean.createWebClient();
+    }
+}

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlAuthorizationTest.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java?rev=1178771&r1=1178770&r2=1178771&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java (original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java Tue Oct  4 12:57:34 2011
@@ -21,16 +21,20 @@ package org.apache.cxf.systest.jaxrs.sec
 
 import java.io.IOException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Collections;
+import java.util.List;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 
+import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
+import org.apache.cxf.rs.security.saml.assertion.Claim;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.saml.ext.SAMLCallback;
@@ -67,6 +71,8 @@ public class SamlCallbackHandler impleme
     }
     
     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+        Message m = PhaseInterceptorChain.getCurrentMessage();
+        
         for (int i = 0; i < callbacks.length; i++) {
             if (callbacks[i] instanceof SAMLCallback) {
                 SAMLCallback callback = (SAMLCallback) callbacks[i];
@@ -77,7 +83,10 @@ public class SamlCallbackHandler impleme
                 }
                 callback.setIssuer("https://idp.example.org/SAML2");
                 
-                String subjectName = "uid=sts-client,o=mock-sts.com";
+                String subjectName = (String)m.getContextualProperty("saml.subject.name");
+                if (subjectName == null) {
+                    subjectName = "uid=sts-client,o=mock-sts.com";
+                }
                 String subjectQualifier = "www.mock-sts.com";
                 if (!saml2 && SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) {
                     confirmationMethod = SAML1Constants.CONF_SENDER_VOUCHES;
@@ -88,7 +97,6 @@ public class SamlCallbackHandler impleme
                     );
                 if (SAML2Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
                     
-                    Message m = PhaseInterceptorChain.getCurrentMessage();
                     try {
                         CryptoLoader loader = new CryptoLoader();
                         Crypto crypto = loader.getCrypto(m, 
@@ -128,11 +136,30 @@ public class SamlCallbackHandler impleme
                 AttributeStatementBean attrBean = new AttributeStatementBean();
                 attrBean.setSubject(subjectBean);
                 
-                AttributeBean attributeBean = new AttributeBean();
-                attributeBean.setSimpleName("subject-role");
-                attributeBean.setQualifiedName("urn:oid:1.3.6.1.4.1.5923.1.1.1.1");
-                attributeBean.setAttributeValues(Collections.singletonList("system-user"));
-                attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
+                List<String> roles = CastUtils.cast((List)m.getContextualProperty("saml.roles"));
+                if (roles == null) {
+                    roles = Collections.singletonList("user");
+                }
+                List<AttributeBean> claims = new ArrayList<AttributeBean>();
+                AttributeBean roleClaim = new AttributeBean();
+                roleClaim.setSimpleName("subject-role");
+                roleClaim.setQualifiedName(Claim.DEFAULT_ROLE_NAME);
+                roleClaim.setNameFormat(Claim.DEFAULT_NAME_FORMAT);
+                roleClaim.setAttributeValues(roles);
+                claims.add(roleClaim);
+                
+                List<String> authMethods = CastUtils.cast((List)m.getContextualProperty("saml.auth"));
+                if (authMethods == null) {
+                    authMethods = Collections.singletonList("password");
+                }
+                
+                AttributeBean authClaim = new AttributeBean();
+                authClaim.setQualifiedName("http://claims/authentication");
+                authClaim.setNameFormat("http://claims/authentication-format");
+                authClaim.setAttributeValues(authMethods);
+                claims.add(authClaim);
+                
+                attrBean.setSamlAttributes(claims);
                 callback.setAttributeStatementData(Collections.singletonList(attrBean));
             }
         }

Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java Tue Oct  4 12:57:34 2011
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+import org.apache.cxf.testutil.common.TestUtil;
+    
+public class SecureBookServerSaml extends AbstractBusTestServerBase {
+    public static final String PORT = TestUtil.getPortNumber("jaxrs-saml");
+    private static final String SERVER_CONFIG_FILE =
+        "org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml";
+    
+    protected void run() {
+        SpringBusFactory bf = new SpringBusFactory();
+        Bus springBus = bf.createBus(SERVER_CONFIG_FILE);
+        BusFactory.setDefaultBus(springBus);
+        setBus(springBus);
+        
+        try {
+            new SecureBookServerSaml();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }        
+    }
+
+    public static void main(String[] args) {
+        try {
+            SecureBookServerSaml s = new SecureBookServerSaml();
+            s.start();
+        } catch (Exception ex) {
+            ex.printStackTrace();
+            System.exit(-1);
+        } finally {
+            System.out.println("done!");
+        }
+    }
+}

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookServerSaml.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java Tue Oct  4 12:57:34 2011
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+
+import javax.annotation.security.RolesAllowed;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+
+import org.apache.cxf.systest.jaxrs.security.Book;
+
+@Path("/bookstore")
+public class SecureBookStore {
+    
+    public SecureBookStore() {
+    }
+    
+    @POST
+    @Path("/books")
+    @Produces("application/xml")
+    @Consumes("application/xml")
+    @RolesAllowed({"admin" })
+    public Book addBook(Book book) {
+        return book;
+    }
+    
+}
+
+

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureBookStore.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java Tue Oct  4 12:57:34 2011
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.saml;
+
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+
+import org.apache.cxf.rs.security.saml.authorization.Claim;
+import org.apache.cxf.rs.security.saml.authorization.Claims;
+import org.apache.cxf.systest.jaxrs.security.Book;
+
+@Path("/bookstore")
+public class SecureClaimBookStore {
+    
+    public SecureClaimBookStore() {
+    }
+    
+    @POST
+    @Path("/books")
+    @Produces("application/xml")
+    @Consumes("application/xml")
+    @Claims({ 
+        @Claim({"admin" }),
+        @Claim(name = "http://claims/authentication", 
+               format = "http://claims/authentication-format", 
+               value = {"fingertip", "smartcard" })
+    })
+    public Book addBook(Book book) {
+        return book;
+    }
+    
+}
+
+

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SecureClaimBookStore.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml?rev=1178771&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml Tue Oct  4 12:57:34 2011
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:http="http://cxf.apache.org/transports/http/configuration"
+       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+       xmlns:sec="http://cxf.apache.org/configuration/security"
+       xmlns:cxf="http://cxf.apache.org/core"
+       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xsi:schemaLocation="
+        http://www.springframework.org/schema/util 
+        http://www.springframework.org/schema/util/spring-util.xsd
+        http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
+        http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+        http://www.springframework.org/schema/beans                 http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://cxf.apache.org/transports/http/configuration         http://cxf.apache.org/schemas/configuration/http-conf.xsd
+        http://cxf.apache.org/transports/http-jetty/configuration   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+        http://cxf.apache.org/configuration/security                http://cxf.apache.org/schemas/configuration/security.xsd
+        ">
+
+	<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+	
+	<cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+
+    <httpj:engine-factory id="port-9095-tls-config">
+        <httpj:engine port="${testutil.ports.jaxrs-saml}">
+            <httpj:tlsServerParameters>
+               <sec:keyManagers keyPassword="password">
+	           <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	<sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:cipherSuitesFilter>
+                    <sec:include>.*_EXPORT_.*</sec:include>
+                    <sec:include>.*_EXPORT1024_.*</sec:include>
+                    <sec:include>.*_WITH_DES_.*</sec:include>
+                    <sec:include>.*_WITH_NULL_.*</sec:include>
+                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
+                </sec:cipherSuitesFilter>
+                <sec:clientAuthentication want="true" required="true"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+
+    <bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore"/>
+    <bean id="serviceBeanClaims" class="org.apache.cxf.systest.jaxrs.security.saml.SecureClaimBookStore"/>
+    <bean id="samlEnvHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"/>
+    
+    <bean id="claimsHandler" 
+          class="org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter">
+        <property name="securedObject" ref="serviceBeanClaims"/>   
+    </bean>      
+    
+    
+    <bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
+        <property name="securedObject" ref="serviceBean"/>
+    </bean>
+    
+    <bean id="rolesHandler" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
+        <property name="interceptor" ref="authorizationInterceptor"/>
+    </bean>
+    
+    <jaxrs:server 
+       address="https://localhost:${testutil.ports.jaxrs-saml}/saml-roles"> 
+       <jaxrs:serviceBeans>
+          <ref bean="serviceBean"/>
+       </jaxrs:serviceBeans>
+       <jaxrs:providers>
+          <ref bean="samlEnvHandler"/>
+          <ref bean="rolesHandler"/>
+       </jaxrs:providers>
+       <!-- If default role qualifier and format are not supported: 
+       
+       <jaxrs:properties>
+           <entry key="org.apache.cxf.saml.claims.role.nameformat" 
+                  value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+           <entry key="org.apache.cxf.saml.claims.role.qualifier" 
+                  value="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"/>
+       </jaxrs:properties>
+       -->
+    </jaxrs:server>
+    
+    <util:map id="userRolesMap">
+      <entry key="bob" value="admin"/>
+      <entry key="fred" value="user"/>
+    </util:map>
+    
+    <bean id="authorizationInterceptorWithUserMap" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
+        <property name="securedObject" ref="serviceBean"/>
+        <property name="userRolesMap" ref="userRolesMap"/>
+    </bean>
+    
+    <bean id="rolesHandlerWithUserMap" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
+        <property name="interceptor" ref="authorizationInterceptorWithUserMap"/>
+    </bean>
+    
+    <bean id="samlEnvHandlerWithCustomProvider" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler">
+        <property name="securityContextProvider">
+            <bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"/>
+        </property>
+    </bean>
+    
+    <jaxrs:server 
+       address="https://localhost:${testutil.ports.jaxrs-saml}/saml-roles2"> 
+       <jaxrs:serviceBeans>
+          <ref bean="serviceBean"/>
+       </jaxrs:serviceBeans>
+       <jaxrs:providers>
+          <ref bean="samlEnvHandlerWithCustomProvider"/>
+          <ref bean="rolesHandlerWithUserMap"/>
+       </jaxrs:providers>
+    </jaxrs:server>
+    
+    <jaxrs:server 
+       address="https://localhost:${testutil.ports.jaxrs-saml}/saml-claims"> 
+       <jaxrs:serviceBeans>
+          <ref bean="serviceBeanClaims"/>
+       </jaxrs:serviceBeans>
+       <jaxrs:providers>
+          <ref bean="samlEnvHandler"/>
+          <ref bean="claimsHandler"/>
+       </jaxrs:providers>
+    </jaxrs:server>
+</beans>

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/secureServer.xml
------------------------------------------------------------------------------
    svn:mime-type = text/xml



Mime
View raw message