From cohei...@apache.org
Subject svn commit: r1196134 - in /cxf/branches/2.4.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/ systests/ws-security/src/test/java/org/apache/cxf/syst...
Date Tue, 01 Nov 2011 17:06:42 GMT
Author: coheigea
Date: Tue Nov  1 17:06:42 2011
New Revision: 1196134

URL: http://svn.apache.org/viewvc?rev=1196134&view=rev
Log:
[CXF-3225] - Add support for saml tokens in sp:InitiatorToken

Modified:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/server/CustomSaml2Validator.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1196134&r1=1196133&r2=1196134&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Tue Nov  1 17:06:42 2011
@@ -859,6 +859,43 @@ public abstract class AbstractBindingBui
         return assertion;
     }
     
+    /**
+     * Store a SAML Assertion as a SecurityToken
+     */
+    protected void storeAssertionAsSecurityToken(AssertionWrapper assertion) {
+        String id = findIDFromSamlToken(assertion.getElement());
+        if (id == null) {
+            return;
+        }
+        SecurityToken secToken = new SecurityToken(id);
+        if (assertion.getSaml2() != null) {
+            secToken.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+        } else {
+            secToken.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
+        }
+        secToken.setToken(assertion.getElement());
+        getTokenStore().add(secToken);
+        message.setContextualProperty(SecurityConstants.TOKEN, secToken);
+    }
+    
+    protected String findIDFromSamlToken(Element samlToken) {
+        String id = null;
+        if (samlToken != null) {
+            QName elName = DOMUtils.getElementQName(samlToken);
+            if (elName.equals(new QName(WSConstants.SAML_NS, "Assertion"))
+                && samlToken.hasAttributeNS(null, "AssertionID")) {
+                id = samlToken.getAttributeNS(null, "AssertionID");
+            } else if (elName.equals(new QName(WSConstants.SAML2_NS, "Assertion"))
+                && samlToken.hasAttributeNS(null, "ID")) {
+                id = samlToken.getAttributeNS(null, "ID");
+            }
+            if (id == null) {
+                id = samlToken.getAttributeNS(WSConstants.WSU_NS, "Id");
+            }
+        }
+        return id;
+    }
+    
     public String getPassword(String userName, Assertion info, int type) {
         //Then try to get the password from the given callback handler
         Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
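Review bot: `findIDFromSamlToken` can hand back an empty string instead of null: when neither the SAML `AssertionID`/`ID` attribute nor `wsu:Id` is present, the fallback `samlToken.getAttributeNS(WSConstants.WSU_NS, "Id")` returns "" per the DOM contract for a missing attribute, so the `id == null` guard at the top of `storeAssertionAsSecurityToken` is bypassed and a SecurityToken with an empty id is added to the token store. Guard the fallback the way the two branches above it do: `if (id == null && samlToken.hasAttributeNS(WSConstants.WSU_NS, "Id")) { id = samlToken.getAttributeNS(WSConstants.WSU_NS, "Id"); }`. `findIDFromSamlToken` also has no Javadoc; a one-liner such as `/** Returns the SAML 1.1 AssertionID, SAML 2.0 ID or wsu:Id of the given assertion element, or null if none is present. */` would match the style of the method above it.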
@@ -1508,7 +1545,7 @@ public abstract class AbstractBindingBui
     ) throws WSSecurityException {
         WSSecSignature sig = new WSSecSignature(wssConfig);
         checkForX509PkiPath(sig, token);
-        if (token instanceof IssuedToken) {
+        if (token instanceof IssuedToken || token instanceof SamlToken) {
             policyAsserted(token);
             policyAsserted(wrapper);
             SecurityToken securityToken = getSecurityToken();
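Review bot: With `SamlToken` now taking the `IssuedToken` path, the `getSecurityToken()` call on the last line of the hunk depends on `storeAssertionAsSecurityToken` having stored the assertion; that method returns silently when the assertion has no ID, and the binding handler skips the store when the inclusion check fails, so `securityToken` can presumably be null at this point. The remainder of the method, outside the hunk, should reject that case explicitly — for example a `WSSecurityException` whose message names the missing SAML token — rather than letting a NullPointerException surface from the signature code. The enclosing method starts and ends outside this hunk.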

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1196134&r1=1196133&r2=1196134&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Tue Nov  1 17:06:42 2011
@@ -42,6 +42,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.cxf.ws.security.policy.model.RecipientToken;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
 import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.policy.model.TokenWrapper;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -61,6 +62,7 @@ import org.apache.ws.security.message.WS
 import org.apache.ws.security.message.WSSecHeader;
 import org.apache.ws.security.message.WSSecSignature;
 import org.apache.ws.security.message.WSSecTimestamp;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
 
 /**
  * 
@@ -117,6 +119,15 @@ public class AsymmetricBindingHandler ex
                             attached = true;
                         } 
                     }
+                } else if (initiatorToken instanceof SamlToken) {
+                    AssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken);
+                    if (assertionWrapper != null) {
+                        if (includeToken(initiatorToken.getInclusion())) {
+                            addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
+                            storeAssertionAsSecurityToken(assertionWrapper);
+                        }
+                        policyAsserted(initiatorToken);
+                    }
                 }
             }
             
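Review bot: The nine lines added here for the `SamlToken` initiator are repeated verbatim in the later hunk of this file (the one that logs "Encrypt before sign failed"), differing only in the surrounding try/catch; both call sites should delegate to one private helper so a future change to the inclusion or store logic cannot drift between the two paths. Worth stating in that helper's Javadoc: when `includeToken(initiatorToken.getInclusion())` is false the assertion is neither attached nor stored as a SecurityToken, yet `policyAsserted(initiatorToken)` is still called, and the signature code presumably looks the stored token up later. The enclosing method starts and ends outside this hunk, so the helper below would go after it.
```java
                } else if (initiatorToken instanceof SamlToken) {
                    addSamlInitiatorToken((SamlToken)initiatorToken);
                }
// … unchanged: rest of the enclosing method …

    /**
     * Builds the SAML assertion for an sp:InitiatorToken, attaches it to the security
     * header and stores it as a SecurityToken when the policy requires the token to be
     * included. The token policy is asserted whenever an assertion was produced, even
     * when the inclusion check meant nothing was attached or stored.
     */
    // throws clause: declare whatever checked exception addSamlToken declares
    private void addSamlInitiatorToken(SamlToken samlToken) {
        AssertionWrapper assertionWrapper = addSamlToken(samlToken);
        if (assertionWrapper == null) {
            return;
        }
        if (includeToken(samlToken.getInclusion())) {
            addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
            storeAssertionAsSecurityToken(assertionWrapper);
        }
        policyAsserted(samlToken);
    }
```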
@@ -206,6 +217,21 @@ public class AsymmetricBindingHandler ex
                         attached = true;
                     } 
                 }
+            } else if (initiatorToken instanceof SamlToken) {
+                try {
+                    AssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken);
+                    if (assertionWrapper != null) {
+                        if (includeToken(initiatorToken.getInclusion())) {
+                            addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
+                            storeAssertionAsSecurityToken(assertionWrapper);
+                        }
+                        policyAsserted(initiatorToken);
+                    }
+                } catch (Exception e) {
+                    String reason = e.getMessage();
+                    LOG.log(Level.WARNING, "Encrypt before sign failed due to : " + reason);
+                    throw new Fault(e);
+                }
             }
         }
         
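Review bot: The catch block logs only `e.getMessage()` concatenated into the text, which discards the stack trace of the original failure and yields "due to : null" for exceptions that carry no message; pass the throwable to the logger instead: `LOG.log(Level.WARNING, "Encrypt before sign failed due to : " + reason, e);`. The `throw new Fault(e)` already preserves the cause, so this is a logging point only. The enclosing method starts and ends outside this hunk.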

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1196134&r1=1196133&r2=1196134&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Tue Nov  1 17:06:42 2011
@@ -253,8 +253,7 @@ public class SamlTokenTest extends Abstr
     }
     
     @org.junit.Test
-    @org.junit.Ignore
-    public void testSaml2OverSymmetricProtection() throws Exception {
+    public void testAsymmetricSamlInitiator() throws Exception {
 
         if (!unrestrictedPoliciesInstalled) {
             return;
@@ -268,11 +267,13 @@ public class SamlTokenTest extends Abstr
 
         DoubleItService service = new DoubleItService();
         
-        DoubleItPortType saml2Port = service.getDoubleItSaml2SymmetricProtectionPort();
+        DoubleItPortType saml2Port = service.getDoubleItAsymmetricSamlInitiatorPort();
         updateAddressPort(saml2Port, PORT);
         
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
         ((BindingProvider)saml2Port).getRequestContext().put(
-            "ws-security.saml-callback-handler", new SamlCallbackHandler()
+            "ws-security.saml-callback-handler", callbackHandler
         );
         BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
         assertTrue(result.equals(BigInteger.valueOf(50)));
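Review bot: `assertTrue(result.equals(BigInteger.valueOf(50)))` fails without showing the actual value; `assertEquals(BigInteger.valueOf(50), result);` reports it. The test also exercises only the holder-of-key path that the new `setConfirmationMethod` call selects; a second test that leaves the callback handler at its default confirmation method would pin down what happens when the assertion carries no subject key, which the validator change in CustomSaml2Validator (now also accepting sender-vouches) leaves to the binding. The test method continues outside the hunk.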

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java?rev=1196134&r1=1196133&r2=1196134&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
Tue Nov  1 17:06:42 2011
@@ -20,15 +20,21 @@
 package org.apache.cxf.systest.ws.saml.client;
 
 import java.io.IOException;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
 import org.apache.ws.security.saml.ext.SAMLCallback;
 import org.apache.ws.security.saml.ext.bean.AttributeBean;
 import org.apache.ws.security.saml.ext.bean.AttributeStatementBean;
+import org.apache.ws.security.saml.ext.bean.KeyInfoBean;
+import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.ws.security.saml.ext.bean.SubjectBean;
 import org.apache.ws.security.saml.ext.builder.SAML1Constants;
 import org.apache.ws.security.saml.ext.builder.SAML2Constants;
@@ -72,6 +78,15 @@ public class SamlCallbackHandler impleme
                     new SubjectBean(
                         subjectName, subjectQualifier, confirmationMethod
                     );
+                if (SAML2Constants.CONF_HOLDER_KEY.equals(confirmationMethod)
+                    || SAML1Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
+                    try {
+                        KeyInfoBean keyInfo = createKeyInfo();
+                        subjectBean.setKeyInfo(keyInfo);
+                    } catch (Exception ex) {
+                        throw new IOException("Problem creating KeyInfo: " +  ex.getMessage());
+                    }
+                }
                 callback.setSubject(subjectBean);
                 
                 AttributeStatementBean attrBean = new AttributeStatementBean();
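Review bot: `throw new IOException("Problem creating KeyInfo: " + ex.getMessage())` drops the original exception, so a keystore or alias problem inside `createKeyInfo` surfaces with no stack trace; use the cause-taking constructor, `throw new IOException("Problem creating KeyInfo", ex);`. The enclosing method starts and ends outside this hunk.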
@@ -86,4 +101,18 @@ public class SamlCallbackHandler impleme
         }
     }
     
+    protected KeyInfoBean createKeyInfo() throws Exception {
+        Crypto crypto = 
+            CryptoFactory.getInstance("org/apache/cxf/systest/ws/wssec10/client/alice.properties");
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("alice");
+        X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
+        
+        KeyInfoBean keyInfo = new KeyInfoBean();
+        keyInfo.setCertificate(certs[0]);
+        keyInfo.setCertIdentifer(CERT_IDENTIFIER.X509_CERT);
+        
+        return keyInfo;
+    }
+    
 }
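Review bot: `createKeyInfo` indexes `certs[0]` without checking the array returned by `crypto.getX509Certificates(cryptoType)`, so a missing "alice" entry in the test keystore fails with an ArrayIndexOutOfBoundsException or NullPointerException that says nothing about the alias; add `if (certs == null || certs.length == 0) { throw new IllegalStateException("No certificate found for alias alice"); }` before the KeyInfoBean is built. The method also deserves a Javadoc stating that it builds the holder-of-key KeyInfo from the alice test certificate, the same alias that client.xml configures for the client signature.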

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/server/CustomSaml2Validator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/server/CustomSaml2Validator.java?rev=1196134&r1=1196133&r2=1196134&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/server/CustomSaml2Validator.java
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/server/CustomSaml2Validator.java
Tue Nov  1 17:06:42 2011
@@ -46,7 +46,8 @@ public class CustomSaml2Validator extend
         }
         
         String confirmationMethod = assertion.getConfirmationMethods().get(0);
-        if (!OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+        if (!(OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)
+            || OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod))) {
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
         }
         
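Review bot: The widened condition now lets a holder-of-key assertion through this validator, but the visible check only compares the confirmation method name; whether the message was actually signed with the key named in the assertion's SubjectConfirmation is left to the binding. Since server.xml wires this validator by class name and another endpoint could reuse it, add a comment above the condition such as `// Accept holder-of-key as well: proof of possession of the subject key is enforced by the binding's signature check, not here`, so the division of responsibility is explicit. The enclosing method starts and ends outside this hunk.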

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1196134&r1=1196133&r2=1196134&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
Tue Nov  1 17:06:42 2011
@@ -107,7 +107,7 @@
        </jaxws:properties>
     </jaxws:client>  
    
-    <jaxws:client name="{http://WSSec/saml}DoubleItSaml2SymmetricProtectionPort" 
+    <jaxws:client name="{http://WSSec/saml}DoubleItAsymmetricSamlInitiatorPort" 
                   createdFromAPI="true">
        <jaxws:properties>
            <entry key="ws-security.callback-handler" 
@@ -115,8 +115,12 @@
            <entry key="ws-security.encryption.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
            <entry key="ws-security.encryption.username" value="bob"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+           <entry key="ws-security.signature.username" value="alice"/> 
+           <entry key="ws-security.self-sign-saml-assertion" value="true"/>
        </jaxws:properties>
-    </jaxws:client>  
+    </jaxws:client> 
     
     <jaxws:client name="{http://WSSec/saml}DoubleItSaml2SymmetricSignedElementsPort" 
                   createdFromAPI="true">
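Review bot: The `ws-security.self-sign-saml-assertion` entry presumably makes the client sign the assertion it issues itself, using the alice signature properties added just above; that is what the systest needs but is not a block to copy into a deployment where assertions come from an STS. An XML comment on the entry, `<!-- test only: the client issues and signs its own SAML assertion -->`, would make that explicit.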

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1196134&r1=1196133&r2=1196134&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Tue Nov  1 17:06:42 2011
@@ -167,20 +167,24 @@
      
     </jaxws:endpoint> 
     
-    <jaxws:endpoint 
-       id="Saml2TokenOverSymmetricProtection"
-       address="http://localhost:${testutil.ports.Server}/DoubleItSaml2SymmetricProtection"

+     <jaxws:endpoint 
+       id="AsymmetricSamlInitiatorPort"
+       address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetricSamlInitiator"

        serviceName="s:DoubleItService"
-       endpointName="s:DoubleItSaml2SymmetricProtectionPort"
+       endpointName="s:DoubleItAsymmetricSamlInitiatorPort"
        xmlns:s="http://WSSec/saml"
        implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
        wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
         
        <jaxws:properties>
+           <entry key="ws-security.username" value="bob"/>
            <entry key="ws-security.callback-handler" 
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
-                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+           <entry key="ws-security.encryption.username" value="alice"/>
            <entry key="ws-security.saml2.validator" 
                   value="org.apache.cxf.systest.ws.saml.server.CustomSaml2Validator"/>
        </jaxws:properties> 

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl?rev=1196134&r1=1196133&r2=1196134&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
Tue Nov  1 17:06:42 2011
@@ -206,8 +206,8 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
-    <wsdl:binding name="DoubleItSaml2SymmetricProtectionBinding" type="tns:DoubleItPortType">
-        <wsp:PolicyReference URI="#DoubleItSaml2SymmetricProtectionPolicy" />
+    <wsdl:binding name="DoubleItAsymmetricSamlInitiatorBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItAsymmetricSamlInitiatorPolicy" />
         <soap:binding style="document"
             transport="http://schemas.xmlsoap.org/soap/http" />
         <wsdl:operation name="DoubleIt">
@@ -248,9 +248,9 @@
                    binding="tns:DoubleItSaml2EndorsingTransportBinding">
             <soap:address location="https://localhost:9009/DoubleItSaml2EndorsingTransport"
/>
         </wsdl:port>
-        <wsdl:port name="DoubleItSaml2SymmetricProtectionPort" 
-                   binding="tns:DoubleItSaml2SymmetricProtectionBinding">
-            <soap:address location="http://localhost:9001/DoubleItSaml2SymmetricProtection"
/>
+        <wsdl:port name="DoubleItAsymmetricSamlInitiatorPort" 
+                   binding="tns:DoubleItAsymmetricSamlInitiatorBinding">
+            <soap:address location="http://localhost:9001/DoubleItAsymmetricSamlInitiator"
/>
         </wsdl:port>
         <wsdl:port name="DoubleItSaml2SymmetricSignedElementsPort" 
                    binding="tns:DoubleItSaml2SymmetricSignedElementsBinding">
@@ -580,12 +580,12 @@
          </wsp:All>
       </wsp:ExactlyOne>
     </wsp:Policy>
-    <wsp:Policy wsu:Id="DoubleItSaml2SymmetricProtectionPolicy">
+    <wsp:Policy wsu:Id="DoubleItAsymmetricSamlInitiatorPolicy">
       <wsp:ExactlyOne>
          <wsp:All>
-            <sp:SymmetricBinding>
+             <sp:AsymmetricBinding>
                <wsp:Policy>
-                  <sp:ProtectionToken>
+                  <sp:InitiatorToken>
                      <wsp:Policy>
                         <sp:SamlToken
                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
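Review bot: The opening `<sp:AsymmetricBinding>` is indented one column deeper than the `<sp:SymmetricBinding>` it replaces, while its closing tag in the last hunk of this file stays at the original column, so the new element is visibly misaligned with every sibling policy in the document; drop the extra leading space on that line.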
@@ -594,7 +594,18 @@
                            </wsp:Policy>
                        </sp:SamlToken>
                      </wsp:Policy>
-                  </sp:ProtectionToken>
+                  </sp:InitiatorToken>
+                  <sp:RecipientToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                              <sp:RequireIssuerSerialReference />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:RecipientToken>
                   <sp:Layout>
                      <wsp:Policy>
                         <sp:Lax/>
@@ -608,7 +619,7 @@
                      </wsp:Policy>
                   </sp:AlgorithmSuite>
                </wsp:Policy>
-            </sp:SymmetricBinding>
+            </sp:AsymmetricBinding>
             <sp:Wss11>
                <wsp:Policy>
                   <sp:MustSupportRefIssuerSerial/>


