cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1309846 - in /cxf/trunk/services/sts: sts-core/src/main/java/org/apache/cxf/sts/token/provider/ sts-core/src/main/java/org/apache/cxf/sts/token/renewer/ sts-core/src/main/java/org/apache/cxf/sts/token/validator/ sts-core/src/test/java/org/...
Date Thu, 05 Apr 2012 13:31:44 GMT
Author: coheigea
Date: Thu Apr  5 13:31:43 2012
New Revision: 1309846

URL: http://svn.apache.org/viewvc?rev=1309846&view=rev
Log:
[CXF-4158] - Added an initial SAMLTokenRenewer & some tests.

Added:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
Removed:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SCTRenewer.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSCTUnitTest.java
Modified:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java Thu Apr  5 13:31:43 2012
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.sts.token.provider;
 
+import org.apache.cxf.sts.request.Lifetime;
 import org.apache.ws.security.saml.ext.bean.ConditionsBean;
 
 /**
@@ -32,6 +33,11 @@ public interface ConditionsProvider {
     ConditionsBean getConditions(TokenProviderParameters providerParameters);
     
     /**
+     * Get a ConditionsBean object.
+     */
+    ConditionsBean getConditions(String appliesToAddress, Lifetime tokenLifetime);
+    
+    /**
      * Get the lifetime to use (in seconds)
      */
     long getLifetime();

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java Thu Apr  5 13:31:43 2012
@@ -114,9 +114,18 @@ public class DefaultConditionsProvider i
      * Get a ConditionsBean object.
      */
     public ConditionsBean getConditions(TokenProviderParameters providerParameters) {
+        return getConditions(
+            providerParameters.getAppliesToAddress(),
+            providerParameters.getTokenRequirements().getLifetime()
+        );
+    }
+    
+    /**
+     * Get a ConditionsBean object.
+     */
+    public ConditionsBean getConditions(String appliesToAddress, Lifetime tokenLifetime) {
         ConditionsBean conditions = new ConditionsBean();
         if (lifetime > 0) {
-            Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime();
             if (acceptClientLifetime && tokenLifetime != null) {
                 try {
                     XmlSchemaDateFormat fmt = new XmlSchemaDateFormat();
@@ -154,7 +163,7 @@ public class DefaultConditionsProvider i
         } else {
             conditions.setTokenPeriodMinutes(5);
         }
-        conditions.setAudienceURI(providerParameters.getAppliesToAddress());
+        conditions.setAudienceURI(appliesToAddress);
         
         return conditions;
     }

Added: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java?rev=1309846&view=auto
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java (added)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java Thu Apr  5 13:31:43 2012
@@ -0,0 +1,344 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.sts.token.renewer;
+
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.STSPropertiesMBean;
+import org.apache.cxf.sts.SignatureProperties;
+import org.apache.cxf.sts.request.ReceivedToken;
+import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.token.provider.ConditionsProvider;
+import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
+import org.apache.cxf.sts.token.realm.SAMLRealm;
+import org.apache.cxf.ws.security.sts.provider.STSException;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.bean.ConditionsBean;
+import org.apache.ws.security.saml.ext.builder.SAML1ComponentBuilder;
+import org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder;
+import org.joda.time.DateTime;
+import org.opensaml.common.SAMLVersion;
+
+/**
+ * A TokenRenewer implementation that renews a (valid) SAML Token.
+ */
+public class SAMLTokenRenewer implements TokenRenewer {
+    
+    private static final Logger LOG = LogUtils.getL7dLogger(SAMLTokenRenewer.class);
+    private boolean signToken = true;
+    private ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
+    private Map<String, SAMLRealm> realmMap = new HashMap<String, SAMLRealm>();
+    
+    /**
+     * Return true if this TokenRenewer implementation is able to renew a token.
+     */
+    public boolean canHandleToken(ReceivedToken renewTarget) {
+        Object token = renewTarget.getToken();
+        if (token instanceof Element) {
+            Element tokenElement = (Element)token;
+            String namespace = tokenElement.getNamespaceURI();
+            String localname = tokenElement.getLocalName();
+            if ((WSConstants.SAML_NS.equals(namespace) || WSConstants.SAML2_NS.equals(namespace))
+                && "Assertion".equals(localname)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
+        //
+    }
+    
+    
+    /**
+     * Renew a token given a TokenRenewerParameters
+     */
+    public TokenRenewerResponse renewToken(TokenRenewerParameters tokenParameters) {
+        TokenRenewerResponse response = new TokenRenewerResponse();
+        ReceivedToken tokenToRenew = tokenParameters.getToken();
+        if (tokenToRenew == null || tokenToRenew.getToken() == null
+            || (tokenToRenew.getState() != STATE.EXPIRED && tokenToRenew.getState() != STATE.VALID)) {
+            LOG.log(Level.WARNING, "The token to renew is null or invalid");
+            throw new STSException(
+                "The token to renew is null or invalid", STSException.INVALID_REQUEST
+            );
+        }
+        
+        try {
+            AssertionWrapper assertion = new AssertionWrapper((Element)tokenToRenew.getToken());
+            
+            // Create new Conditions & sign the Assertion
+            createNewConditions(assertion, tokenParameters);
+            signAssertion(assertion, tokenParameters);
+            
+            Document doc = DOMUtils.createDocument();
+            Element token = assertion.toDOM(doc);
+            if (assertion.getSaml1() != null) {
+                token.setIdAttributeNS(null, "AssertionID", true);
+            } else {
+                token.setIdAttributeNS(null, "ID", true);
+            }
+            doc.appendChild(token);
+            
+            // Cache the token
+            String realm = tokenParameters.getRealm();
+            storeTokenInCache(
+                tokenParameters.getTokenStore(), assertion, tokenParameters.getPrincipal(), realm
+            );
+            
+            response.setToken(token);
+            response.setTokenId(assertion.getId());
+            
+            DateTime validFrom = null;
+            DateTime validTill = null;
+            long lifetime = 0;
+            if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+                validFrom = assertion.getSaml2().getConditions().getNotBefore();
+                validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+                lifetime = validTill.getMillis() - validFrom.getMillis();
+            } else {
+                validFrom = assertion.getSaml1().getConditions().getNotBefore();
+                validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+                lifetime = validTill.getMillis() - validFrom.getMillis();
+            }
+            response.setLifetime(lifetime / 1000);
+            /*
+            response.setEntropy(entropyBytes);
+            if (keySize > 0) {
+                response.setKeySize(keySize);
+            }
+            response.setComputedKey(computedKey);
+            */
+            return response;
+            
+        } catch (Exception ex) {
+            LOG.log(Level.WARNING, "", ex);
+            throw new STSException("Can't renew SAML assertion", ex, STSException.REQUEST_FAILED);
+        }
+    }
+    
+    /**
+     * Set the ConditionsProvider
+     */
+    public void setConditionsProvider(ConditionsProvider conditionsProvider) {
+        this.conditionsProvider = conditionsProvider;
+    }
+    
+    /**
+     * Get the ConditionsProvider
+     */
+    public ConditionsProvider getConditionsProvider() {
+        return conditionsProvider;
+    }
+
+    /**
+     * Return whether the provided token will be signed or not. Default is true.
+     */
+    public boolean isSignToken() {
+        return signToken;
+    }
+
+    /**
+     * Set whether the provided token will be signed or not. Default is true.
+     */
+    public void setSignToken(boolean signToken) {
+        this.signToken = signToken;
+    }
+    
+    /**
+     * Set the map of realm->SAMLRealm for this token provider
+     * @param realms the map of realm->SAMLRealm for this token provider
+     */
+    public void setRealmMap(Map<String, SAMLRealm> realms) {
+        this.realmMap = realms;
+    }
+    
+    /**
+     * Get the map of realm->SAMLRealm for this token provider
+     * @return the map of realm->SAMLRealm for this token provider
+     */
+    public Map<String, SAMLRealm> getRealmMap() {
+        return realmMap;
+    }
+    
+    private void signAssertion(
+        AssertionWrapper assertion,
+        TokenRenewerParameters tokenParameters
+    ) throws Exception {
+        if (signToken) {
+            STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
+            
+            // Initialise signature objects with defaults of STSPropertiesMBean
+            Crypto signatureCrypto = stsProperties.getSignatureCrypto();
+            CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
+            SignatureProperties signatureProperties = stsProperties.getSignatureProperties();
+            String alias = stsProperties.getSignatureUsername();
+            
+            String realm = tokenParameters.getRealm();
+            SAMLRealm samlRealm = null;
+            if (realm != null && realmMap.containsKey(realm)) {
+                samlRealm = realmMap.get(realm);
+            }
+            if (samlRealm != null) {
+                // If SignatureCrypto configured in realm then
+                // callbackhandler and alias of STSPropertiesMBean is ignored
+                if (samlRealm.getSignatureCrypto() != null) {
+                    LOG.fine("SAMLRealm signature keystore used");
+                    signatureCrypto = samlRealm.getSignatureCrypto();
+                    callbackHandler = samlRealm.getCallbackHandler();
+                    alias = samlRealm.getSignatureAlias();
+                }
+                // SignatureProperties can be defined independently of SignatureCrypto
+                if (samlRealm.getSignatureProperties() != null) {
+                    signatureProperties = samlRealm.getSignatureProperties();
+                }
+            }
+            
+            // Get the signature algorithm to use
+            String signatureAlgorithm = tokenParameters.getKeyRequirements().getSignatureAlgorithm();
+            if (signatureAlgorithm == null) {
+                // If none then default to what is configured
+                signatureAlgorithm = signatureProperties.getSignatureAlgorithm();
+            } else {
+                List<String> supportedAlgorithms = 
+                    signatureProperties.getAcceptedSignatureAlgorithms();
+                if (!supportedAlgorithms.contains(signatureAlgorithm)) {
+                    signatureAlgorithm = signatureProperties.getSignatureAlgorithm();
+                    LOG.fine("SignatureAlgorithm not supported, defaulting to: " + signatureAlgorithm);
+                }
+            }
+            
+            // Get the c14n algorithm to use
+            String c14nAlgorithm = tokenParameters.getKeyRequirements().getC14nAlgorithm();
+            if (c14nAlgorithm == null) {
+                // If none then default to what is configured
+                c14nAlgorithm = signatureProperties.getC14nAlgorithm();
+            } else {
+                List<String> supportedAlgorithms = 
+                    signatureProperties.getAcceptedC14nAlgorithms();
+                if (!supportedAlgorithms.contains(c14nAlgorithm)) {
+                    c14nAlgorithm = signatureProperties.getC14nAlgorithm();
+                    LOG.fine("C14nAlgorithm not supported, defaulting to: " + c14nAlgorithm);
+                }
+            }
+            
+            // If alias not defined, get the default of the SignatureCrypto
+            if ((alias == null || "".equals(alias)) && (signatureCrypto != null)) {
+                alias = signatureCrypto.getDefaultX509Identifier();
+                LOG.fine("Signature alias is null so using default alias: " + alias);
+            }
+            // Get the password
+            WSPasswordCallback[] cb = {new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE)};
+            LOG.fine("Creating SAML Token");
+            callbackHandler.handle(cb);
+            String password = cb[0].getPassword();
+    
+            LOG.fine("Signing SAML Token");
+            boolean useKeyValue = signatureProperties.isUseKeyValue();
+            assertion.signAssertion(
+                alias, password, signatureCrypto, useKeyValue, c14nAlgorithm, signatureAlgorithm
+            );
+        }
+        
+    }
+    
+    private void createNewConditions(AssertionWrapper assertion, TokenRenewerParameters tokenParameters) {
+        ConditionsBean conditions = 
+            conditionsProvider.getConditions(
+                tokenParameters.getAppliesToAddress(),
+                tokenParameters.getTokenRequirements().getLifetime()
+            );
+        
+        if (assertion.getSaml1() != null) {
+            org.opensaml.saml1.core.Assertion saml1Assertion = assertion.getSaml1();
+            saml1Assertion.setIssueInstant(new DateTime());
+            
+            org.opensaml.saml1.core.Conditions saml1Conditions =
+                SAML1ComponentBuilder.createSamlv1Conditions(conditions);
+            
+            saml1Assertion.setConditions(saml1Conditions);
+        } else {
+            org.opensaml.saml2.core.Assertion saml2Assertion = assertion.getSaml2();
+            saml2Assertion.setIssueInstant(new DateTime());
+            
+            org.opensaml.saml2.core.Conditions saml2Conditions =
+                SAML2ComponentBuilder.createConditions(conditions);
+            
+            saml2Assertion.setConditions(saml2Conditions);
+        }
+    }
+    
+    private void storeTokenInCache(
+        TokenStore tokenStore, 
+        AssertionWrapper assertion, 
+        Principal principal,
+        String tokenRealm
+    ) throws WSSecurityException {
+        // Store the successfully renewed token in the cache
+        byte[] signatureValue = assertion.getSignatureValue();
+        if (tokenStore != null && signatureValue != null && signatureValue.length > 0) {
+            DateTime validTill = null;
+            if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+                validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+            } else {
+                validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+            }
+
+            SecurityToken securityToken = new SecurityToken(assertion.getId(), null, validTill.toDate());
+            securityToken.setToken(assertion.getElement());
+            securityToken.setPrincipal(principal);
+            
+            if (tokenRealm != null) {
+                Properties props = new Properties();
+                props.setProperty(STSConstants.TOKEN_REALM, tokenRealm);
+                securityToken.setProperties(props);
+            }
+
+            int hash = Arrays.hashCode(signatureValue);
+            securityToken.setTokenHash(hash);
+            String identifier = Integer.toString(hash);
+            tokenStore.add(identifier, securityToken);
+        }
+    }
+
+
+}

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java Thu Apr  5 13:31:43 2012
@@ -25,7 +25,6 @@ import org.apache.cxf.sts.request.Receiv
 /**
  * An interface that can renew a security token.
  */
-
 public interface TokenRenewer {
 
     /**
@@ -34,10 +33,9 @@ public interface TokenRenewer {
     void setVerifyProofOfPossession(boolean verifyProofOfPossession);
     
     /**
-     * Return true if this TokenRenewer implementation is able to renew a token
-     * that corresponds to the given token.
+     * Return true if this TokenRenewer implementation is able to renew a token.
      */
-    boolean canHandleToken(ReceivedToken cancelTarget);
+    boolean canHandleToken(ReceivedToken renewTarget);
 
     /**
      * Renew a token given a TokenRenewerParameters

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java Thu Apr  5 13:31:43 2012
@@ -20,12 +20,15 @@
 package org.apache.cxf.sts.token.renewer;
 
 import java.security.Principal;
+import java.util.Map;
 
 import javax.xml.ws.WebServiceContext;
 
 import org.apache.cxf.sts.STSPropertiesMBean;
 import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 
 /**
@@ -36,11 +39,25 @@ import org.apache.cxf.ws.security.tokens
 public class TokenRenewerParameters {
 
     private STSPropertiesMBean stsProperties;
+    private EncryptionProperties encryptionProperties;
     private Principal principal;
     private WebServiceContext webServiceContext;
     private KeyRequirements keyRequirements;
     private TokenRequirements tokenRequirements;
+    private String appliesToAddress;
+    private Map<String, Object> additionalProperties;
     private TokenStore tokenStore;
+    private String realm;
+    private ReceivedToken token;
+    
+    public ReceivedToken getToken() {
+        return token;
+    }
+
+    public void setToken(ReceivedToken token) {
+        this.token = token;
+    }
+
     
     public TokenStore getTokenStore() {
         return tokenStore;
@@ -49,7 +66,15 @@ public class TokenRenewerParameters {
     public void setTokenStore(TokenStore tokenStore) {
         this.tokenStore = tokenStore;
     }
-    
+
+    public String getAppliesToAddress() {
+        return appliesToAddress;
+    }
+
+    public void setAppliesToAddress(String appliesToAddress) {
+        this.appliesToAddress = appliesToAddress;
+    }
+
     public TokenRequirements getTokenRequirements() {
         return tokenRequirements;
     }
@@ -57,7 +82,7 @@ public class TokenRenewerParameters {
     public void setTokenRequirements(TokenRequirements tokenRequirements) {
         this.tokenRequirements = tokenRequirements;
     }
-
+    
     public KeyRequirements getKeyRequirements() {
         return keyRequirements;
     }
@@ -65,7 +90,7 @@ public class TokenRenewerParameters {
     public void setKeyRequirements(KeyRequirements keyRequirements) {
         this.keyRequirements = keyRequirements;
     }
-    
+
     public STSPropertiesMBean getStsProperties() {
         return stsProperties;
     }
@@ -74,6 +99,14 @@ public class TokenRenewerParameters {
         this.stsProperties = stsProperties;
     }
     
+    public EncryptionProperties getEncryptionProperties() {
+        return encryptionProperties;
+    }
+
+    public void setEncryptionProperties(EncryptionProperties encryptionProperties) {
+        this.encryptionProperties = encryptionProperties;
+    }
+    
     public WebServiceContext getWebServiceContext() {
         return webServiceContext;
     }
@@ -90,4 +123,20 @@ public class TokenRenewerParameters {
         return principal;
     }
     
+    public void setAdditionalProperties(Map<String, Object> additionalProperties) {
+        this.additionalProperties = additionalProperties;
+    }
+    
+    public Map<String, Object> getAdditionalProperties() {
+        return additionalProperties;
+    }
+    
+    public void setRealm(String realm) {
+        this.realm = realm;
+    }
+    
+    public String getRealm() {
+        return realm;
+    }
+    
 }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java Thu Apr  5 13:31:43 2012
@@ -27,27 +27,73 @@ import org.apache.cxf.sts.token.provider
  */
 public class TokenRenewerResponse {
 
-    private boolean tokenRenewed;
-    private Element renewedToken;
+    private Element token;
     private String tokenId;
     private long lifetime;
+    private byte[] entropy;
+    private long keySize;
+    private boolean computedKey;
     private TokenReference attachedReference;
     private TokenReference unAttachedReference;
     
-    public void setTokenRenewed(boolean tokenRenewed) {
-        this.tokenRenewed = tokenRenewed;
+    /**
+     * Return true if the entropy represents a Computed Key.
+     */
+    public boolean isComputedKey() {
+        return computedKey;
     }
-    
-    public boolean isTokenRenewed() {
-        return tokenRenewed;
+
+    /**
+     * Set whether the entropy represents a Computed Key or not
+     */
+    public void setComputedKey(boolean computedKey) {
+        this.computedKey = computedKey;
+    }
+
+    /**
+     * Get the KeySize that the TokenProvider set
+     */
+    public long getKeySize() {
+        return keySize;
+    }
+
+    /**
+     * Set the KeySize
+     */
+    public void setKeySize(long keySize) {
+        this.keySize = keySize;
+    }
+
+    /**
+     * Set the token
+     * @param token the token to set
+     */
+    public void setToken(Element token) {
+        this.token = token;
     }
     
-    public void setRenewedToken(Element renewedToken) {
-        this.renewedToken = renewedToken;
+    /**
+     * Get the token
+     * @return the token to set
+     */
+    public Element getToken() {
+        return token;
+    }
+
+    /**
+     * Set the token Id
+     * @param tokenId the token Id
+     */
+    public void setTokenId(String tokenId) {
+        this.tokenId = tokenId;
     }
     
-    public Element getRenewedToken() {
-        return renewedToken;
+    /**
+     * Get the token Id
+     * @return the token Id
+     */
+    public String getTokenId() {
+        return tokenId;
     }
     
     /**
@@ -67,6 +113,22 @@ public class TokenRenewerResponse {
     }
     
     /**
+     * Set the entropy associated with the token.
+     * @param entropy the entropy associated with the token.
+     */
+    public void setEntropy(byte[] entropy) {
+        this.entropy = entropy;
+    }
+    
+    /**
+     * Get the entropy associated with the token.
+     * @return the entropy associated with the token.
+     */
+    public byte[] getEntropy() {
+        return entropy;
+    }
+    
+    /**
      * Set the attached TokenReference
      * @param attachtedReference the attached TokenReference
      */
@@ -97,21 +159,6 @@ public class TokenRenewerResponse {
     public TokenReference getUnAttachedReference() {
         return unAttachedReference;
     }
-    
-    /**
-     * Set the token Id
-     * @param tokenId the token Id
-     */
-    public void setTokenId(String tokenId) {
-        this.tokenId = tokenId;
-    }
-    
-    /**
-     * Get the token Id
-     * @return the token Id
-     */
-    public String getTokenId() {
-        return tokenId;
-    }
+
     
 }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java Thu Apr  5 13:31:43 2012
@@ -155,7 +155,6 @@ public class SAMLTokenValidator implemen
                 if (secToken != null && secToken.getTokenHash() != hash) {
                     secToken = null;
                 }
-                response.setSecurityToken(secToken);
             }
             if (secToken != null && secToken.isExpired()) {
                 LOG.fine("Token: " + secToken.getId() + " is in the cache but expired - revalidating");
@@ -218,14 +217,14 @@ public class SAMLTokenValidator implemen
             }
             response.setTokenRealm(tokenRealm);
             
-            if (!validateConditions(assertion, validateTarget, secToken, tokenParameters.getTokenStore())) {
+            if (!validateConditions(assertion, validateTarget)) {
                 return response;
             }
             
             // Store the successfully validated token in the cache
             if (secToken == null) {
                 storeTokenInCache(
-                    tokenParameters.getTokenStore(), assertion, tokenParameters.getPrincipal()
+                    tokenParameters.getTokenStore(), assertion, tokenParameters.getPrincipal(), tokenRealm
                 );
             }
             
@@ -274,10 +273,7 @@ public class SAMLTokenValidator implemen
     }
     
     protected boolean validateConditions(
-        AssertionWrapper assertion,
-        ReceivedToken validateTarget,
-        SecurityToken secToken, 
-        TokenStore tokenStore
+        AssertionWrapper assertion, ReceivedToken validateTarget
     ) {
         DateTime validFrom = null;
         DateTime validTill = null;
@@ -290,25 +286,20 @@ public class SAMLTokenValidator implemen
         }
         if (validFrom.isAfterNow()) {
             LOG.log(Level.WARNING, "SAML Token condition not met");
-            if (secToken != null) {
-                tokenStore.remove(secToken.getId());
-            }
             return false;
         } else if (validTill.isBeforeNow()) {
             LOG.log(Level.WARNING, "SAML Token condition not met");
-            if (secToken != null) {
-                tokenStore.remove(secToken.getId());
-            }
             validateTarget.setState(STATE.EXPIRED);
             return false;
         }
         return true;
     }
     
-    protected void storeTokenInCache(
+    private void storeTokenInCache(
         TokenStore tokenStore, 
         AssertionWrapper assertion, 
-        Principal principal
+        Principal principal,
+        String tokenRealm
     ) throws WSSecurityException {
         // Store the successfully validated token in the cache
         byte[] signatureValue = assertion.getSignatureValue();
@@ -323,6 +314,12 @@ public class SAMLTokenValidator implemen
             SecurityToken securityToken = new SecurityToken(assertion.getId(), null, validTill.toDate());
             securityToken.setToken(assertion.getElement());
             securityToken.setPrincipal(principal);
+            
+            if (tokenRealm != null) {
+                Properties props = new Properties();
+                props.setProperty(STSConstants.TOKEN_REALM, tokenRealm);
+                securityToken.setProperties(props);
+            }
 
             int hash = Arrays.hashCode(signatureValue);
             securityToken.setTokenHash(hash);

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java Thu Apr  5 13:31:43 2012
@@ -104,7 +104,6 @@ public class SCTValidator implements Tok
                     LOG.fine("Identifier: " + identifier + " is not found in the cache");
                     return response;
                 }
-                response.setSecurityToken(token);
                 if (token.isExpired()) {
                     validateTarget.setState(STATE.EXPIRED);
                     LOG.fine("Token: " + identifier + " is in the cache but expired");

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java Thu Apr  5 13:31:43 2012
@@ -22,7 +22,6 @@ import java.security.Principal;
 import java.util.Map;
 
 import org.apache.cxf.sts.request.ReceivedToken;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 
 /**
  * This class encapsulates the response from a TokenValidator instance after validating a token.
@@ -33,19 +32,7 @@ public class TokenValidatorResponse {
     private Map<String, Object> additionalProperties;
     private String realm;
     private ReceivedToken token;
-    /**
-     * The SecurityToken corresponding to the ReceivedToken that was stored in the cache 
-     */
-    private SecurityToken securityToken;
     
-    public SecurityToken getSecurityToken() {
-        return securityToken;
-    }
-
-    public void setSecurityToken(SecurityToken securityToken) {
-        this.securityToken = securityToken;
-    }
-
     public ReceivedToken getToken() {
         return token;
     }

Added: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java?rev=1309846&view=auto
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java (added)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java Thu Apr  5 13:31:43 2012
@@ -0,0 +1,431 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.token.renewer;
+
+import java.util.Date;
+import java.util.Properties;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.jaxws.context.WebServiceContextImpl;
+import org.apache.cxf.jaxws.context.WrappedMessageContext;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.cache.DefaultInMemoryTokenStore;
+import org.apache.cxf.sts.common.PasswordCallbackHandler;
+import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.Lifetime;
+import org.apache.cxf.sts.request.ReceivedToken;
+import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
+import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
+import org.apache.cxf.sts.token.provider.TokenProviderParameters;
+import org.apache.cxf.sts.token.provider.TokenProviderResponse;
+import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
+import org.apache.cxf.sts.token.validator.TokenValidator;
+import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
+import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.ws.security.CustomTokenPrincipal;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.junit.BeforeClass;
+
+/**
+ * Some unit tests for renewing a SAML token via the SAMLTokenRenewer.
+ */
+public class SAMLTokenRenewerTest extends org.junit.Assert {
+    
+    private static TokenStore tokenStore;
+    
+    @BeforeClass
+    public static void init() {
+        tokenStore = new DefaultInMemoryTokenStore();
+    }
+    
+    /**
+     * Renew an expired SAML1 Assertion
+     */
+    @org.junit.Test
+    public void renewExpiredSAML1Assertion() throws Exception {
+        // Create the Assertion
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        CallbackHandler callbackHandler = new PasswordCallbackHandler();
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+        Document doc = samlToken.getOwnerDocument();
+        samlToken = (Element)doc.appendChild(samlToken);
+        // Sleep to expire the token
+        Thread.sleep(1000);
+        
+        // Validate the Assertion
+        TokenValidator samlTokenValidator = new SAMLTokenValidator();
+        TokenValidatorParameters validatorParameters = createValidatorParameters();
+        TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+        ReceivedToken validateTarget = new ReceivedToken(samlToken);
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+        
+        TokenValidatorResponse validatorResponse = 
+                samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+        
+        // Renew the Assertion
+        TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
+        renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy");
+        renewerParameters.setStsProperties(validatorParameters.getStsProperties());
+        renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext());
+        renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
+        renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
+        renewerParameters.setTokenStore(validatorParameters.getTokenStore());
+        renewerParameters.setToken(validatorResponse.getToken());
+        
+        TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+        
+        TokenRenewerResponse renewerResponse = 
+                samlTokenRenewer.renewToken(renewerParameters);
+        assertTrue(renewerResponse != null);
+        assertTrue(renewerResponse.getToken() != null);
+        
+        // Now validate it again
+        validateTarget = new ReceivedToken(renewerResponse.getToken());
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        validatorResponse = samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+    }
+    
+    /**
+     * Renew an expired SAML1 Assertion without using the cache
+     */
+    @org.junit.Test
+    public void renewExpiredSAML1AssertionNoCache() throws Exception {
+        // Create the Assertion
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        CallbackHandler callbackHandler = new PasswordCallbackHandler();
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+        Document doc = samlToken.getOwnerDocument();
+        samlToken = (Element)doc.appendChild(samlToken);
+        // Sleep to expire the token
+        Thread.sleep(1000);
+        
+        // Validate the Assertion
+        TokenValidator samlTokenValidator = new SAMLTokenValidator();
+        TokenValidatorParameters validatorParameters = createValidatorParameters();
+        validatorParameters.setTokenStore(null);
+        TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+        ReceivedToken validateTarget = new ReceivedToken(samlToken);
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+        
+        TokenValidatorResponse validatorResponse = 
+                samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+        
+        // Renew the Assertion
+        TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
+        renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy");
+        renewerParameters.setStsProperties(validatorParameters.getStsProperties());
+        renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext());
+        renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
+        renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
+        renewerParameters.setTokenStore(validatorParameters.getTokenStore());
+        renewerParameters.setToken(validatorResponse.getToken());
+        
+        TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+        
+        TokenRenewerResponse renewerResponse = 
+                samlTokenRenewer.renewToken(renewerParameters);
+        assertTrue(renewerResponse != null);
+        assertTrue(renewerResponse.getToken() != null);
+        
+        // Now validate it again
+        validateTarget = new ReceivedToken(renewerResponse.getToken());
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        validatorResponse = samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+    }
+    
+    /**
+     * Renew an expired SAML2 Assertion
+     */
+    @org.junit.Test
+    public void renewExpiredSAML2Assertion() throws Exception {
+        // Create the Assertion
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        CallbackHandler callbackHandler = new PasswordCallbackHandler();
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+        Document doc = samlToken.getOwnerDocument();
+        samlToken = (Element)doc.appendChild(samlToken);
+        // Sleep to expire the token
+        Thread.sleep(1000);
+        
+        // Validate the Assertion
+        TokenValidator samlTokenValidator = new SAMLTokenValidator();
+        TokenValidatorParameters validatorParameters = createValidatorParameters();
+        TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+        ReceivedToken validateTarget = new ReceivedToken(samlToken);
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+        
+        TokenValidatorResponse validatorResponse = 
+                samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+        
+        // Renew the Assertion
+        TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
+        renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy");
+        renewerParameters.setStsProperties(validatorParameters.getStsProperties());
+        renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext());
+        renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
+        renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
+        renewerParameters.setTokenStore(validatorParameters.getTokenStore());
+        renewerParameters.setToken(validatorResponse.getToken());
+        
+        TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+        
+        TokenRenewerResponse renewerResponse = 
+                samlTokenRenewer.renewToken(renewerParameters);
+        assertTrue(renewerResponse != null);
+        assertTrue(renewerResponse.getToken() != null);
+        
+        // Now validate it again
+        validateTarget = new ReceivedToken(renewerResponse.getToken());
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        validatorResponse = samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+    }
+    
+    /**
+     * Renew an expired SAML2 Assertion without using the cache
+     */
+    @org.junit.Test
+    public void renewExpiredSAML2AssertionNoCache() throws Exception {
+        // Create the Assertion
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        CallbackHandler callbackHandler = new PasswordCallbackHandler();
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+        Document doc = samlToken.getOwnerDocument();
+        samlToken = (Element)doc.appendChild(samlToken);
+        // Sleep to expire the token
+        Thread.sleep(1000);
+        
+        // Validate the Assertion
+        TokenValidator samlTokenValidator = new SAMLTokenValidator();
+        TokenValidatorParameters validatorParameters = createValidatorParameters();
+        validatorParameters.setTokenStore(null);
+        TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+        ReceivedToken validateTarget = new ReceivedToken(samlToken);
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+        
+        TokenValidatorResponse validatorResponse = 
+                samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+        
+        // Renew the Assertion
+        TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
+        renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy");
+        renewerParameters.setStsProperties(validatorParameters.getStsProperties());
+        renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext());
+        renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
+        renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
+        renewerParameters.setTokenStore(validatorParameters.getTokenStore());
+        renewerParameters.setToken(validatorResponse.getToken());
+        
+        TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+        
+        TokenRenewerResponse renewerResponse = 
+                samlTokenRenewer.renewToken(renewerParameters);
+        assertTrue(renewerResponse != null);
+        assertTrue(renewerResponse.getToken() != null);
+        
+        // Now validate it again
+        validateTarget = new ReceivedToken(renewerResponse.getToken());
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        validatorResponse = samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+    }
+    
+
+    private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
+        TokenValidatorParameters parameters = new TokenValidatorParameters();
+        
+        TokenRequirements tokenRequirements = new TokenRequirements();
+        parameters.setTokenRequirements(tokenRequirements);
+        
+        KeyRequirements keyRequirements = new KeyRequirements();
+        parameters.setKeyRequirements(keyRequirements);
+        
+        parameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+        parameters.setWebServiceContext(webServiceContext);
+        
+        // Add STSProperties object
+        StaticSTSProperties stsProperties = new StaticSTSProperties();
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        stsProperties.setEncryptionCrypto(crypto);
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setEncryptionUsername("myservicekey");
+        stsProperties.setSignatureUsername("mystskey");
+        stsProperties.setCallbackHandler(new PasswordCallbackHandler());
+        stsProperties.setIssuer("STS");
+        parameters.setStsProperties(stsProperties);
+        parameters.setTokenStore(tokenStore);
+        
+        return parameters;
+    }
+    
+    private Element createSAMLAssertion(
+            String tokenType, Crypto crypto, String signatureUsername,
+            CallbackHandler callbackHandler, long ttlMs
+    ) throws WSSecurityException {
+        SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
+        DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
+        conditionsProvider.setAcceptClientLifetime(true);
+        samlTokenProvider.setConditionsProvider(conditionsProvider);
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                    tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
+            );
+
+        if (ttlMs != 0) {
+            Lifetime lifetime = new Lifetime();
+            Date creationTime = new Date();
+            Date expirationTime = new Date();
+            expirationTime.setTime(creationTime.getTime() + ttlMs);
+
+            XmlSchemaDateFormat fmt = new XmlSchemaDateFormat();
+            lifetime.setCreated(fmt.format(creationTime));
+            lifetime.setExpires(fmt.format(expirationTime));
+
+            providerParameters.getTokenRequirements().setLifetime(lifetime);
+        }
+
+        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+        return providerResponse.getToken();
+    }    
+    
+    private TokenProviderParameters createProviderParameters(
+        String tokenType, String keyType, Crypto crypto, 
+        String signatureUsername, CallbackHandler callbackHandler
+    ) throws WSSecurityException {
+        TokenProviderParameters parameters = new TokenProviderParameters();
+
+        TokenRequirements tokenRequirements = new TokenRequirements();
+        tokenRequirements.setTokenType(tokenType);
+        parameters.setTokenRequirements(tokenRequirements);
+
+        KeyRequirements keyRequirements = new KeyRequirements();
+        keyRequirements.setKeyType(keyType);
+        parameters.setKeyRequirements(keyRequirements);
+
+        parameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+        parameters.setWebServiceContext(webServiceContext);
+
+        parameters.setAppliesToAddress("http://dummy-service.com/dummy");
+
+        // Add STSProperties object
+        StaticSTSProperties stsProperties = new StaticSTSProperties();
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setSignatureUsername(signatureUsername);
+        stsProperties.setCallbackHandler(callbackHandler);
+        stsProperties.setIssuer("STS");
+        parameters.setStsProperties(stsProperties);
+
+        parameters.setEncryptionProperties(new EncryptionProperties());
+        parameters.setTokenStore(tokenStore);
+        
+        return parameters;
+    }
+    
+    private Properties getEncryptionProperties() {
+        Properties properties = new Properties();
+        properties.put(
+            "org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin"
+        );
+        properties.put("org.apache.ws.security.crypto.merlin.keystore.password", "stsspass");
+        properties.put("org.apache.ws.security.crypto.merlin.keystore.file", "stsstore.jks");
+        
+        return properties;
+    }
+    
+    
+}

Modified: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml?rev=1309846&r1=1309845&r2=1309846&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml Thu Apr  5 13:31:43 2012
@@ -53,7 +53,6 @@
 	    <property name="issueOperation" ref="transportIssueDelegate" />
 	    <property name="validateOperation" ref="transportValidateDelegate" />
 	    <property name="cancelOperation" ref="transportCancelDelegate" />
-	    <property name="renewOperation" ref="transportRenewDelegate" />
     </bean>
 
 	<bean id="transportSTSEncryptedProviderBean"
@@ -90,12 +89,6 @@
 		<property name="tokenStore" ref="defaultTokenStore" />
 	</bean>
 	
-	<bean id="transportRenewDelegate" class="org.apache.cxf.sts.operation.TokenRenewOperation">
-        <property name="tokenRenewers" ref="transportTokenRenewers" />
-        <property name="stsProperties" ref="transportSTSProperties" />
-        <property name="tokenStore" ref="defaultTokenStore" />
-    </bean>
-
 	<bean id="defaultTokenStore" class="org.apache.cxf.sts.cache.DefaultInMemoryTokenStore">
 	</bean>
 
@@ -111,10 +104,6 @@
 	<util:list id="transportTokenCancellers">
 		<ref bean="transportSCTCanceller" />
 	</util:list>
-	
-	<util:list id="transportTokenRenewers">
-        <ref bean="transportSCTRenewer" />
-    </util:list>
 
 	<bean id="transportSCTProvider" class="org.apache.cxf.sts.token.provider.SCTProvider">
 	</bean>
@@ -129,9 +118,6 @@
 	<bean id="transportSCTCanceller" class="org.apache.cxf.sts.token.canceller.SCTCanceller">
 	</bean>
 	
-	<bean id="transportSCTRenewer" class="org.apache.cxf.sts.token.renewer.SCTRenewer">
-    </bean>
-
 	<bean id="transportService" class="org.apache.cxf.sts.service.StaticService">
 		<property name="endpoints" ref="transportEndpoints" />
 	</bean>



Mime
View raw message