cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1325061 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/ services/sts/sts-core/src/main/java/org/apache/cxf/sts/ services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/ services/sts/sts-core/src/mai...
Date Wed, 11 Apr 2012 23:21:02 GMT
Author: coheigea
Date: Wed Apr 11 23:21:01 2012
New Revision: 1325061

URL: http://svn.apache.org/viewvc?rev=1325061&view=rev
Log:
Added support for wst:Renewing semantics in the STS & STSClient

Added:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java Wed Apr 11 23:21:01 2012
@@ -165,6 +165,8 @@ public class STSClient implements Config
     protected boolean isSpnego;
     protected boolean enableLifetime;
     protected int ttl = 300;
+    protected boolean allowRenewing = true;
+    protected boolean allowRenewingAfterExpiry;
     
     protected Object actAs;
     protected String tokenType;
@@ -292,6 +294,22 @@ public class STSClient implements Config
         this.isSpnego = spnego;
     }
     
+    public boolean isAllowRenewing() {
+        return allowRenewing;
+    }
+
+    public void setAllowRenewing(boolean allowRenewing) {
+        this.allowRenewing = allowRenewing;
+    }
+
+    public boolean isAllowRenewingAfterExpiry() {
+        return allowRenewingAfterExpiry;
+    }
+
+    public void setAllowRenewingAfterExpiry(boolean allowRenewingAfterExpiry) {
+        this.allowRenewingAfterExpiry = allowRenewingAfterExpiry;
+    }
+    
     public boolean isEnableAppliesTo() {
         return enableAppliesTo;
     }
@@ -581,16 +599,12 @@ public class STSClient implements Config
         if (isSecureConv) {
             action = namespace + "/RST/SCT";
         }
-        return requestSecurityToken(appliesTo, action, "/Issue", null, binaryExchange);
+        return requestSecurityToken(appliesTo, action, "/Issue", binaryExchange);
     }
     
-    public SecurityToken requestSecurityToken(String appliesTo, String action, String requestType,
-            SecurityToken target) throws Exception {
-        return requestSecurityToken(appliesTo, action, requestType, target, null);
-    }
-
-    public SecurityToken requestSecurityToken(String appliesTo, String action, String requestType,
-                                              SecurityToken target, String binaryExchange) throws Exception {
+    public SecurityToken requestSecurityToken(
+        String appliesTo, String action, String requestType, String binaryExchange
+    ) throws Exception {
         createClient();
         BindingOperationInfo boi = findOperation("/RST/Issue");
 
@@ -682,13 +696,6 @@ public class STSClient implements Config
             addKeySize(keySize, writer);
         }
         
-        if (target != null) {
-            writer.writeStartElement("wst", "RenewTarget", namespace);
-            client.getRequestContext().put(SecurityConstants.TOKEN, target);
-            StaxUtils.copy(target.getToken(), writer);
-            writer.writeEndElement();
-        }
-        
         if (binaryExchange != null) {
             addBinaryExchange(binaryExchange, writer);
         }
@@ -700,6 +707,16 @@ public class STSClient implements Config
             writer.writeEndElement();
         }
         
+        // Write out renewal semantics
+        writer.writeStartElement("wst", "Renewing", namespace);
+        if (!allowRenewing) {
+            writer.writeAttribute(null, "Allow", "false");
+        }
+        if (allowRenewing && allowRenewingAfterExpiry) {
+            writer.writeAttribute(null, "OK", "true");
+        }
+        writer.writeEndElement();
+        
         writer.writeEndElement();
 
         Object obj[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/QNameConstants.java Wed Apr 11 23:21:01 2012
@@ -58,6 +58,8 @@ public final class QNameConstants {
         WS_TRUST_FACTORY.createRequestType("").getName();
     public static final QName CLAIMS = 
         WS_TRUST_FACTORY.createClaims(null).getName();
+    public static final QName RENEWING = 
+        WS_TRUST_FACTORY.createRenewing(null).getName();
     
     //
     // Key Requirement QNames

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSConstants.java Wed Apr 11 23:21:01 2012
@@ -129,6 +129,19 @@ public final class STSConstants {
      */
     public static final String TOKEN_REALM = "org.apache.cxf.sts.token.realm";
     
+    /**
+     * Constant to store whether the token is allowed to be renewed or not in the cached Security
+     * Token properties.
+     */
+    public static final String TOKEN_RENEWING_ALLOW = "org.apache.cxf.sts.token.renewing.allow";
+    
+    /**
+     * Constant to store whether the token is allowed to be renewed after it has expired or not 
+     * in the cached Security Token properties.
+     */
+    public static final String TOKEN_RENEWING_ALLOW_AFTER_EXPIRY = 
+        "org.apache.cxf.sts.token.renewing.allow.after.expiry";
+    
     private STSConstants() {
         // complete
     }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java Wed Apr 11 23:21:01 2012
@@ -62,15 +62,6 @@ public class TokenRenewOperation extends
     private static final Logger LOG = LogUtils.getL7dLogger(TokenRenewOperation.class);
 
     private List<TokenRenewer> tokenRenewers = new ArrayList<TokenRenewer>();
-    private boolean allowRenewalBeforeExpiry;
-    
-    public boolean isAllowRenewalBeforeExpiry() {
-        return allowRenewalBeforeExpiry;
-    }
-
-    public void setAllowRenewalBeforeExpiry(boolean allowRenewalBeforeExpiry) {
-        this.allowRenewalBeforeExpiry = allowRenewalBeforeExpiry;
-    }
 
     public void setTokenRenewers(List<TokenRenewer> tokenRenewerList) {
         this.tokenRenewers = tokenRenewerList;
@@ -129,10 +120,10 @@ public class TokenRenewOperation extends
             );
         }
         
-        // Reject a non-expired token (valid or invalid) by default
+        // Reject an invalid token
         if (tokenResponse.getToken().getState() != STATE.EXPIRED
-            && !(allowRenewalBeforeExpiry && tokenResponse.getToken().getState() == STATE.VALID)) {
-            LOG.fine("The token is not expired, and so it cannot be renewed");
+            && tokenResponse.getToken().getState() != STATE.VALID) {
+            LOG.fine("The token is not valid or expired, and so it cannot be renewed");
             throw new STSException(
                 "No Token Validator has been found that can handle this token" 
                 + tokenRequirements.getTokenType(), 

Added: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java?rev=1325061&view=auto
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java (added)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/Renewing.java Wed Apr 11 23:21:01 2012
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.request;
+
+/**
+ * This class contains values that have been extracted from an Renewing structure.
+ */
+public class Renewing {
+    private boolean allowRenewing = true;
+    private boolean allowRenewingAfterExpiry;
+    
+    public boolean isAllowRenewing() {
+        return allowRenewing;
+    }
+
+    public void setAllowRenewing(boolean allowRenewing) {
+        this.allowRenewing = allowRenewing;
+    }
+
+    public boolean isAllowRenewingAfterExpiry() {
+        return allowRenewingAfterExpiry;
+    }
+
+    public void setAllowRenewingAfterExpiry(boolean allowRenewingAfterExpiry) {
+        this.allowRenewingAfterExpiry = allowRenewingAfterExpiry;
+    }
+}
\ No newline at end of file

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java Wed Apr 11 23:21:01 2012
@@ -64,6 +64,7 @@ import org.apache.cxf.ws.security.sts.pr
 import org.apache.cxf.ws.security.sts.provider.model.LifetimeType;
 import org.apache.cxf.ws.security.sts.provider.model.OnBehalfOfType;
 import org.apache.cxf.ws.security.sts.provider.model.RenewTargetType;
+import org.apache.cxf.ws.security.sts.provider.model.RenewingType;
 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
 import org.apache.cxf.ws.security.sts.provider.model.UseKeyType;
 import org.apache.cxf.ws.security.sts.provider.model.ValidateTargetType;
@@ -108,16 +109,24 @@ public class RequestParser {
             // JAXB types
             if (requestObject instanceof JAXBElement<?>) {
                 JAXBElement<?> jaxbElement = (JAXBElement<?>) requestObject;
-                boolean found = 
-                    parseTokenRequirements(jaxbElement, tokenRequirements, wsContext, claimsParsers);
-                if (!found) {
-                    found = parseKeyRequirements(jaxbElement, keyRequirements, wsContext, stsProperties);
-                }
-                if (!found) {
-                    LOG.log(Level.WARNING, "Found a JAXB object of unknown type: " + jaxbElement.getName());
-                    throw new STSException(
-                        "An unknown element was received", STSException.BAD_REQUEST
-                    );
+                try {
+                    boolean found = 
+                        parseTokenRequirements(jaxbElement, tokenRequirements, wsContext, claimsParsers);
+                    if (!found) {
+                        found = parseKeyRequirements(jaxbElement, keyRequirements, wsContext, stsProperties);
+                    }
+                    if (!found) {
+                        LOG.log(Level.WARNING, "Found a JAXB object of unknown type: " + jaxbElement.getName());
+                        throw new STSException(
+                            "An unknown element was received", STSException.BAD_REQUEST
+                        );
+                    }
+                } catch (STSException ex) {
+                    LOG.log(Level.WARNING, "", ex);
+                    throw ex;
+                } catch (RuntimeException ex) {
+                    LOG.log(Level.WARNING, "", ex);
+                    throw ex;
                 }
             // SecondaryParameters/AppliesTo
             } else if (requestObject instanceof Element) {
@@ -280,6 +289,17 @@ public class RequestParser {
             RequestClaimCollection requestedClaims = parseClaims(claimsType, claimsParsers);
             tokenRequirements.setClaims(requestedClaims);
             LOG.fine("Found Claims token");
+        } else if (QNameConstants.RENEWING.equals(jaxbElement.getName())) {
+            RenewingType renewingType = (RenewingType)jaxbElement.getValue();
+            Renewing renewing = new Renewing();
+            if (renewingType.isAllow() != null) {
+                renewing.setAllowRenewing(renewingType.isAllow());
+            }
+            if (renewingType.isOK() != null) {
+                renewing.setAllowRenewingAfterExpiry(renewingType.isOK());
+            }
+            tokenRequirements.setRenewing(renewing);
+            LOG.fine("Found Renewing token");
         } else {
             return false;
         }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/TokenRequirements.java Wed Apr 11 23:21:01 2012
@@ -37,7 +37,16 @@ public class TokenRequirements {
     private ReceivedToken renewTarget;
     private Lifetime lifetime;
     private RequestClaimCollection claims;
+    private Renewing renewing;
     
+    public Renewing getRenewing() {
+        return renewing;
+    }
+
+    public void setRenewing(Renewing renewing) {
+        this.renewing = renewing;
+    }
+
     public String getTokenType() {
         return tokenType;
     }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java Wed Apr 11 23:21:01 2012
@@ -40,6 +40,7 @@ import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.STSPropertiesMBean;
 import org.apache.cxf.sts.SignatureProperties;
 import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.Renewing;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.token.realm.SAMLRealm;
 import org.apache.cxf.ws.security.sts.provider.STSException;
@@ -135,14 +136,32 @@ public class SAMLTokenProvider implement
                 SecurityToken securityToken = new SecurityToken(assertion.getId(), null, expires);
                 securityToken.setToken(token);
                 securityToken.setPrincipal(tokenParameters.getPrincipal());
+
+                Properties props = securityToken.getProperties();
+                if (props == null) {
+                    props = new Properties();
+                }
+                securityToken.setProperties(props);
                 if (tokenParameters.getRealm() != null) {
-                    Properties props = securityToken.getProperties();
-                    if (props == null) {
-                        props = new Properties();
-                    }
                     props.setProperty(STSConstants.TOKEN_REALM, tokenParameters.getRealm());
-                    securityToken.setProperties(props);
                 }
+
+                // Handle Renewing logic
+                Renewing renewing = tokenParameters.getTokenRequirements().getRenewing();
+                if (renewing != null) {
+                    props.put(
+                        STSConstants.TOKEN_RENEWING_ALLOW, 
+                        String.valueOf(renewing.isAllowRenewing())
+                    );
+                    props.put(
+                        STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, 
+                        String.valueOf(renewing.isAllowRenewingAfterExpiry())
+                    );
+                } else {
+                    props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, "true");
+                    props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, "false");
+                }
+                    
                 int hash = Arrays.hashCode(signatureValue);
                 securityToken.setTokenHash(hash);
                 String identifier = Integer.toString(hash);

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java Wed Apr 11 23:21:01 2012
@@ -29,6 +29,7 @@ import org.w3c.dom.Document;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.request.Renewing;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.ws.security.sts.provider.STSException;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -141,14 +142,32 @@ public class SCTProvider implements Toke
             SecurityToken token = new SecurityToken(sct.getIdentifier(), null, expires);
             token.setSecret(keyHandler.getSecret());
             token.setPrincipal(tokenParameters.getPrincipal());
+            
+            Properties props = token.getProperties();
+            if (props == null) {
+                props = new Properties();
+            }
+            token.setProperties(props);
             if (tokenParameters.getRealm() != null) {
-                Properties props = token.getProperties();
-                if (props == null) {
-                    props = new Properties();
-                }
                 props.setProperty(STSConstants.TOKEN_REALM, tokenParameters.getRealm());
-                token.setProperties(props);
             }
+
+            // Handle Renewing logic
+            Renewing renewing = tokenParameters.getTokenRequirements().getRenewing();
+            if (renewing != null) {
+                props.put(
+                    STSConstants.TOKEN_RENEWING_ALLOW, 
+                    String.valueOf(renewing.isAllowRenewing())
+                );
+                props.put(
+                    STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, 
+                    String.valueOf(renewing.isAllowRenewingAfterExpiry())
+                );
+            } else {
+                props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, "true");
+                props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, "false");
+            }
+            
             tokenParameters.getTokenStore().add(token);
 
             // Create the references

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java Wed Apr 11 23:21:01 2012
@@ -87,6 +87,7 @@ public class SAMLTokenRenewer implements
     private long maxExpiry = DEFAULT_MAX_EXPIRY;
     // boolean to enable/disable the check of proof of possession
     private boolean verifyProofOfPossession = true;
+    private boolean allowRenewalAfterExpiry;
     
     /**
      * Return true if this TokenRenewer implementation is able to renew a token.
@@ -123,6 +124,20 @@ public class SAMLTokenRenewer implements
     }
     
     /**
+     * Get whether we allow renewal after expiry. The default is false.
+     */
+    public boolean isAllowRenewalAfterExpiry() {
+        return allowRenewalAfterExpiry;
+    }
+
+    /**
+     * Set whether we allow renewal after expiry. The default is false.
+     */
+    public void setAllowRenewalAfterExpiry(boolean allowRenewalAfterExpiry) {
+        this.allowRenewalAfterExpiry = allowRenewalAfterExpiry;
+    }
+    
+    /**
      * Set a new value (in seconds) for how long a token is allowed to be expired for before renewal. 
      * The default is 30 minutes.
      */
@@ -152,15 +167,33 @@ public class SAMLTokenRenewer implements
             );
         }
         
+        TokenStore tokenStore = tokenParameters.getTokenStore();
+        if (tokenStore == null) {
+            LOG.log(Level.FINE, "A cache must be configured to use the SAMLTokenRenewer");
+            throw new STSException("Can't renew SAML assertion", STSException.REQUEST_FAILED);
+        }
+        
         try {
             AssertionWrapper assertion = new AssertionWrapper((Element)tokenToRenew.getToken());
             
-            validateAssertion(assertion, tokenToRenew, tokenParameters);
+            byte[] oldSignature = assertion.getSignatureValue();
+            // Remove the previous token (now expired) from the cache
+            int hash = Arrays.hashCode(oldSignature);
+            SecurityToken cachedToken = tokenStore.getToken(Integer.toString(hash));
+            if (cachedToken == null) {
+                LOG.log(Level.FINE, "The token to be renewed must be stored in the cache");
+                throw new STSException("Can't renew SAML assertion", STSException.REQUEST_FAILED);
+            }
+            
+            // Validate the Assertion
+            validateAssertion(assertion, tokenToRenew, cachedToken, tokenParameters);
+            
+            String oldId = createNewId(assertion);
+            tokenStore.remove(oldId);
+            tokenStore.remove(Integer.toString(hash));
             
             // Create new Conditions & sign the Assertion
-            byte[] oldSignature = assertion.getSignatureValue();
             createNewConditions(assertion, tokenParameters);
-            String oldId = createNewId(assertion);
             signAssertion(assertion, tokenParameters);
             
             Document doc = DOMUtils.createDocument();
@@ -172,17 +205,9 @@ public class SAMLTokenRenewer implements
             }
             doc.appendChild(token);
             
-            // Remove the previous token (now expired) from the cache
-            if (tokenParameters.getTokenStore() != null) {
-                tokenParameters.getTokenStore().remove(oldId);
-                int hash = Arrays.hashCode(oldSignature);
-                tokenParameters.getTokenStore().remove(Integer.toString(hash));
-            }
-            
             // Cache the token
-            String realm = tokenParameters.getRealm();
             storeTokenInCache(
-                tokenParameters.getTokenStore(), assertion, tokenParameters.getPrincipal(), realm
+                tokenStore, assertion, tokenParameters.getPrincipal(), tokenParameters.getRealm()
             );
             
             response.setToken(token);
@@ -257,10 +282,37 @@ public class SAMLTokenRenewer implements
     private void validateAssertion(
         AssertionWrapper assertion,
         ReceivedToken tokenToRenew,
+        SecurityToken token,
         TokenRenewerParameters tokenParameters
     ) {
+        // Check the cached renewal properties
+        Properties props = token.getProperties();
+        if (props == null) {
+            LOG.log(Level.WARNING, "Error in getting properties from cached token");
+            throw new STSException("Error in getting properties from cached token", STSException.REQUEST_FAILED);
+        }
+        String isAllowRenewal = (String)props.get(STSConstants.TOKEN_RENEWING_ALLOW);
+        String isAllowRenewalAfterExpiry = 
+            (String)props.get(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY);
+        if (isAllowRenewal == null || isAllowRenewalAfterExpiry == null) {
+            LOG.log(Level.WARNING, "One of isAllowRenewal or isAllowRenewalAfterExpiry not set");
+            throw new STSException("Error with cached token", STSException.REQUEST_FAILED);
+        }
+        
+        if (isAllowRenewal == null || !Boolean.valueOf(isAllowRenewal)) {
+            LOG.log(Level.WARNING, "The token is not allowed to be renewed");
+            throw new STSException("The token is not allowed to be renewed", STSException.REQUEST_FAILED);
+        }
+        
         // Check to see whether the token has expired greater than the configured max expiry time
         if (tokenToRenew.getState() == STATE.EXPIRED) {
+            if (!allowRenewalAfterExpiry || isAllowRenewalAfterExpiry == null
+                || !Boolean.valueOf(isAllowRenewalAfterExpiry)) {
+                LOG.log(Level.WARNING, "Renewal after expiry is not allowed");
+                throw new STSException(
+                    "Renewal after expiry is not allowed", STSException.REQUEST_FAILED
+                );
+            }
             DateTime expiryDate = getExpiryDate(assertion);
             DateTime currentDate = new DateTime();
             if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java Wed Apr 11 23:21:01 2012
@@ -33,6 +33,11 @@ public interface TokenRenewer {
     void setVerifyProofOfPossession(boolean verifyProofOfPossession);
     
     /**
+     * boolean for enabling/disabling renewal after expiry.
+     */
+    void setAllowRenewalAfterExpiry(boolean allowRenewalAfterExpiry);
+    
+    /**
      * Return true if this TokenRenewer implementation is able to renew a token.
      */
     boolean canHandleToken(ReceivedToken renewTarget);

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java Wed Apr 11 23:21:01 2012
@@ -43,6 +43,7 @@ import org.apache.cxf.sts.cache.DefaultI
 import org.apache.cxf.sts.common.PasswordCallbackHandler;
 import org.apache.cxf.sts.request.KeyRequirements;
 import org.apache.cxf.sts.request.Lifetime;
+import org.apache.cxf.sts.request.Renewing;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
@@ -53,7 +54,6 @@ import org.apache.cxf.sts.token.renewer.
 import org.apache.cxf.sts.token.renewer.TokenRenewer;
 import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
 import org.apache.cxf.sts.token.validator.TokenValidator;
-import org.apache.cxf.ws.security.sts.provider.STSException;
 import org.apache.cxf.ws.security.sts.provider.model.RenewTargetType;
 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
@@ -86,10 +86,10 @@ public class RenewSamlUnitTest extends o
     }
     
     /**
-     * Test to successfully renew an expired Saml 1.1 token (using the cache)
+     * Test to successfully renew a valid Saml 1.1 token
      */
     @org.junit.Test
-    public void testRenewExpiredSaml1Token() throws Exception {
+    public void testRenewValidSaml1Token() throws Exception {
         TokenRenewOperation renewOperation = new TokenRenewOperation();
         renewOperation.setTokenStore(tokenStore);
         
@@ -127,9 +127,9 @@ public class RenewSamlUnitTest extends o
         // Get a SAML Token via the SAMLTokenProvider
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
-        // Sleep to expire the token
-        Thread.sleep(1000);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, true, false
+            );
         
         Document doc = samlToken.getOwnerDocument();
         samlToken = (Element)doc.appendChild(samlToken);
@@ -151,10 +151,9 @@ public class RenewSamlUnitTest extends o
         );
         WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
         
-        // Validate a token
+        // Renew a token
         RequestSecurityTokenResponseType response = 
             renewOperation.renew(request, webServiceContext);
-        
         assertTrue(response != null && response.getAny() != null && !response.getAny().isEmpty());
         
         // Test the generated token.
@@ -176,17 +175,20 @@ public class RenewSamlUnitTest extends o
         assertTrue(tokenString.contains(SAML1Constants.CONF_BEARER));
     }
     
+    
     /**
-     * Test to successfully renew an expired Saml 1.1 token without using the cache
+     * Test to successfully renew an expired Saml 1.1 token.
      */
     @org.junit.Test
-    public void testRenewExpiredSaml1TokenNoCache() throws Exception {
+    public void testRenewExpiredSaml1Token() throws Exception {
         TokenRenewOperation renewOperation = new TokenRenewOperation();
+        renewOperation.setTokenStore(tokenStore);
         
         // Add Token Renewer
         List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
         TokenRenewer tokenRenewer = new SAMLTokenRenewer();
         tokenRenewer.setVerifyProofOfPossession(false);
+        tokenRenewer.setAllowRenewalAfterExpiry(true);
         renewerList.add(tokenRenewer);
         renewOperation.setTokenRenewers(renewerList);
         
@@ -217,7 +219,9 @@ public class RenewSamlUnitTest extends o
         // Get a SAML Token via the SAMLTokenProvider
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         // Sleep to expire the token
         Thread.sleep(1000);
         
@@ -267,7 +271,7 @@ public class RenewSamlUnitTest extends o
     }
     
     /**
-     * Test to successfully renew an expired Saml 2 token (using the cache)
+     * Test to successfully renew an expired Saml 2 token.
      */
     @org.junit.Test
     public void testRenewExpiredSaml2Token() throws Exception {
@@ -278,6 +282,7 @@ public class RenewSamlUnitTest extends o
         List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
         TokenRenewer tokenRenewer = new SAMLTokenRenewer();
         tokenRenewer.setVerifyProofOfPossession(false);
+        tokenRenewer.setAllowRenewalAfterExpiry(true);
         renewerList.add(tokenRenewer);
         renewOperation.setTokenRenewers(renewerList);
         
@@ -308,97 +313,9 @@ public class RenewSamlUnitTest extends o
         // Get a SAML Token via the SAMLTokenProvider
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
-        // Sleep to expire the token
-        Thread.sleep(1000);
-        
-        Document doc = samlToken.getOwnerDocument();
-        samlToken = (Element)doc.appendChild(samlToken);
-        RenewTargetType renewTarget = new RenewTargetType();
-        renewTarget.setAny(samlToken);
-        
-        JAXBElement<RenewTargetType> renewTargetType = 
-            new JAXBElement<RenewTargetType>(
-                QNameConstants.RENEW_TARGET, RenewTargetType.class, renewTarget
-            );
-        request.getAny().add(renewTargetType);
-        
-        // Mock up message context
-        MessageImpl msg = new MessageImpl();
-        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
-        msgCtx.put(
-            SecurityContext.class.getName(), 
-            createSecurityContext(new CustomTokenPrincipal("alice"))
-        );
-        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
-        
-        // Validate a token
-        RequestSecurityTokenResponseType response = 
-            renewOperation.renew(request, webServiceContext);
-        
-        assertTrue(response != null && response.getAny() != null && !response.getAny().isEmpty());
-        
-        // Test the generated token.
-        Element assertion = null;
-        for (Object tokenObject : response.getAny()) {
-            if (tokenObject instanceof JAXBElement<?>
-                && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>)tokenObject).getName())) {
-                RequestedSecurityTokenType rstType = 
-                    (RequestedSecurityTokenType)((JAXBElement<?>)tokenObject).getValue();
-                assertion = (Element)rstType.getAny();
-                break;
-            }
-        }
-        
-        assertNotNull(assertion);
-        String tokenString = DOM2Writer.nodeToString(assertion);
-        assertTrue(tokenString.contains("AttributeStatement"));
-        assertTrue(tokenString.contains("alice"));
-        assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
-    }
-    
-    /**
-     * Test to successfully renew an expired Saml 2 token without using the cache
-     */
-    @org.junit.Test
-    public void testRenewExpiredSaml2TokenNoCache() throws Exception {
-        TokenRenewOperation renewOperation = new TokenRenewOperation();
-        
-        // Add Token Renewer
-        List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
-        TokenRenewer tokenRenewer = new SAMLTokenRenewer();
-        tokenRenewer.setVerifyProofOfPossession(false);
-        renewerList.add(tokenRenewer);
-        renewOperation.setTokenRenewers(renewerList);
-        
-        // Add Token Validator
-        List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
-        validatorList.add(new SAMLTokenValidator());
-        renewOperation.setTokenValidators(validatorList);
-        
-        // Add STSProperties object
-        STSPropertiesMBean stsProperties = new StaticSTSProperties();
-        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
-        stsProperties.setEncryptionCrypto(crypto);
-        stsProperties.setSignatureCrypto(crypto);
-        stsProperties.setEncryptionUsername("myservicekey");
-        stsProperties.setSignatureUsername("mystskey");
-        stsProperties.setCallbackHandler(new PasswordCallbackHandler());
-        stsProperties.setIssuer("STS");
-        renewOperation.setStsProperties(stsProperties);
-        
-        // Mock up a request
-        RequestSecurityTokenType request = new RequestSecurityTokenType();
-        JAXBElement<String> tokenType = 
-            new JAXBElement<String>(
-                QNameConstants.TOKEN_TYPE, String.class, STSConstants.BEARER_KEY_KEYTYPE
+            createSAMLAssertion(
+                WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
             );
-        request.getAny().add(tokenType);
-        
-        // Get a SAML Token via the SAMLTokenProvider
-        CallbackHandler callbackHandler = new PasswordCallbackHandler();
-        Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
         // Sleep to expire the token
         Thread.sleep(1000);
         
@@ -448,113 +365,18 @@ public class RenewSamlUnitTest extends o
     }
     
     /**
-     * Test to successfully renew a valid Saml 1.1 token
-     */
-    @org.junit.Test
-    public void testRenewValidSaml1Token() throws Exception {
-        TokenRenewOperation renewOperation = new TokenRenewOperation();
-        
-        // Add Token Renewer
-        List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
-        TokenRenewer tokenRenewer = new SAMLTokenRenewer();
-        tokenRenewer.setVerifyProofOfPossession(false);
-        renewerList.add(tokenRenewer);
-        renewOperation.setTokenRenewers(renewerList);
-        
-        // Add Token Validator
-        List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
-        validatorList.add(new SAMLTokenValidator());
-        renewOperation.setTokenValidators(validatorList);
-        
-        // Add STSProperties object
-        STSPropertiesMBean stsProperties = new StaticSTSProperties();
-        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
-        stsProperties.setEncryptionCrypto(crypto);
-        stsProperties.setSignatureCrypto(crypto);
-        stsProperties.setEncryptionUsername("myservicekey");
-        stsProperties.setSignatureUsername("mystskey");
-        stsProperties.setCallbackHandler(new PasswordCallbackHandler());
-        stsProperties.setIssuer("STS");
-        renewOperation.setStsProperties(stsProperties);
-        
-        // Mock up a request
-        RequestSecurityTokenType request = new RequestSecurityTokenType();
-        JAXBElement<String> tokenType = 
-            new JAXBElement<String>(
-                QNameConstants.TOKEN_TYPE, String.class, STSConstants.BEARER_KEY_KEYTYPE
-            );
-        request.getAny().add(tokenType);
-        
-        // Get a SAML Token via the SAMLTokenProvider
-        CallbackHandler callbackHandler = new PasswordCallbackHandler();
-        Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000);
-        
-        Document doc = samlToken.getOwnerDocument();
-        samlToken = (Element)doc.appendChild(samlToken);
-        RenewTargetType renewTarget = new RenewTargetType();
-        renewTarget.setAny(samlToken);
-        
-        JAXBElement<RenewTargetType> renewTargetType = 
-            new JAXBElement<RenewTargetType>(
-                QNameConstants.RENEW_TARGET, RenewTargetType.class, renewTarget
-            );
-        request.getAny().add(renewTargetType);
-        
-        // Mock up message context
-        MessageImpl msg = new MessageImpl();
-        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
-        msgCtx.put(
-            SecurityContext.class.getName(), 
-            createSecurityContext(new CustomTokenPrincipal("alice"))
-        );
-        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
-        
-        // Validate a token
-        try {
-            renewOperation.renew(request, webServiceContext);
-            fail("Failure expected on trying to renew a valid token");
-        } catch (STSException ex) {
-            // expected
-        }
-            
-        renewOperation.setAllowRenewalBeforeExpiry(true);
-        RequestSecurityTokenResponseType response = 
-            renewOperation.renew(request, webServiceContext);
-        
-        assertTrue(response != null && response.getAny() != null && !response.getAny().isEmpty());
-        
-        // Test the generated token.
-        Element assertion = null;
-        for (Object tokenObject : response.getAny()) {
-            if (tokenObject instanceof JAXBElement<?>
-                && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>)tokenObject).getName())) {
-                RequestedSecurityTokenType rstType = 
-                    (RequestedSecurityTokenType)((JAXBElement<?>)tokenObject).getValue();
-                assertion = (Element)rstType.getAny();
-                break;
-            }
-        }
-        
-        assertNotNull(assertion);
-        String tokenString = DOM2Writer.nodeToString(assertion);
-        assertTrue(tokenString.contains("AttributeStatement"));
-        assertTrue(tokenString.contains("alice"));
-        assertTrue(tokenString.contains(SAML1Constants.CONF_BEARER));
-    }
-    
-    /**
-     * Test to successfully renew an expired Saml 2 token without using the cache, and sending
-     * no TokenType.
+     * Test to successfully renew an expired Saml 2 token and sending no TokenType.
      */
     @org.junit.Test
     public void testRenewExpiredSaml2TokenNoCacheNoTokenType() throws Exception {
         TokenRenewOperation renewOperation = new TokenRenewOperation();
+        renewOperation.setTokenStore(tokenStore);
         
         // Add Token Renewer
         List<TokenRenewer> renewerList = new ArrayList<TokenRenewer>();
         TokenRenewer tokenRenewer = new SAMLTokenRenewer();
         tokenRenewer.setVerifyProofOfPossession(false);
+        tokenRenewer.setAllowRenewalAfterExpiry(true);
         renewerList.add(tokenRenewer);
         renewOperation.setTokenRenewers(renewerList);
         
@@ -580,7 +402,9 @@ public class RenewSamlUnitTest extends o
         // Get a SAML Token via the SAMLTokenProvider
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         // Sleep to expire the token
         Thread.sleep(1000);
         
@@ -628,6 +452,7 @@ public class RenewSamlUnitTest extends o
         assertTrue(tokenString.contains("alice"));
         assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
     }
+
     
     /*
      * Create a security context object
@@ -656,7 +481,8 @@ public class RenewSamlUnitTest extends o
     
     private Element createSAMLAssertion(
         String tokenType, Crypto crypto, String signatureUsername, 
-        CallbackHandler callbackHandler, long ttlMs
+        CallbackHandler callbackHandler, long ttlMs, boolean allowRenewing,
+        boolean allowRenewingAfterExpiry
     ) throws WSSecurityException {
         SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -668,6 +494,11 @@ public class RenewSamlUnitTest extends o
                 tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
             );
         
+        Renewing renewing = new Renewing();
+        renewing.setAllowRenewing(allowRenewing);
+        renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
+        providerParameters.getTokenRequirements().setRenewing(renewing);
+        
         if (ttlMs != 0) {
             Lifetime lifetime = new Lifetime();
             Date creationTime = new Date();
@@ -720,6 +551,7 @@ public class RenewSamlUnitTest extends o
         parameters.setStsProperties(stsProperties);
 
         parameters.setEncryptionProperties(new EncryptionProperties());
+        parameters.setTokenStore(tokenStore);
 
         return parameters;
     }

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java Wed Apr 11 23:21:01 2012
@@ -30,11 +30,13 @@ import org.apache.cxf.jaxws.context.Wrap
 import org.apache.cxf.message.MessageImpl;
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.cache.DefaultInMemoryTokenStore;
 import org.apache.cxf.sts.common.PasswordCallbackHandler;
 import org.apache.cxf.sts.request.KeyRequirements;
 import org.apache.cxf.sts.request.Lifetime;
 import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.Renewing;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
@@ -42,12 +44,14 @@ import org.apache.cxf.sts.token.provider
 import org.apache.cxf.sts.token.provider.TokenProviderParameters;
 import org.apache.cxf.sts.token.provider.TokenProviderResponse;
 import org.apache.cxf.ws.security.sts.provider.STSException;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.ws.security.CustomTokenPrincipal;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
 import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.junit.BeforeClass;
 
 
 /**
@@ -55,6 +59,13 @@ import org.apache.ws.security.util.XmlSc
  */
 public class SAMLTokenRenewerLifetimeTest extends org.junit.Assert {
     
+    private static TokenStore tokenStore;
+    
+    @BeforeClass
+    public static void init() {
+        tokenStore = new DefaultInMemoryTokenStore();
+    }
+    
     /**
      * Renew SAML 2 token with a valid requested lifetime
      */
@@ -63,6 +74,8 @@ public class SAMLTokenRenewerLifetimeTes
         int requestedLifetime = 60;
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
+        
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setAcceptClientLifetime(true);
         samlTokenRenewer.setConditionsProvider(conditionsProvider);
@@ -83,7 +96,9 @@ public class SAMLTokenRenewerLifetimeTes
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         // Create token.
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         // Sleep to expire the token
         Thread.sleep(1000);
         
@@ -108,6 +123,7 @@ public class SAMLTokenRenewerLifetimeTes
     public void testSaml2ProviderLifetime() throws Exception {
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
         
         long providerLifetime = 10 * 600L;
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -120,7 +136,9 @@ public class SAMLTokenRenewerLifetimeTes
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         // Create token.
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         // Sleep to expire the token
         Thread.sleep(1000);
         
@@ -146,6 +164,8 @@ public class SAMLTokenRenewerLifetimeTes
         long maxLifetime = 30 * 60L;  // 30 minutes
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
+        
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setMaxLifetime(maxLifetime);
         conditionsProvider.setAcceptClientLifetime(true);
@@ -168,7 +188,9 @@ public class SAMLTokenRenewerLifetimeTes
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         // Create token.
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         // Sleep to expire the token
         Thread.sleep(1000);
         
@@ -194,6 +216,8 @@ public class SAMLTokenRenewerLifetimeTes
     public void testSaml2ExceededDefaultMaxLifetime() throws Exception {
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
+        
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setAcceptClientLifetime(true);
         samlTokenRenewer.setConditionsProvider(conditionsProvider);
@@ -215,7 +239,9 @@ public class SAMLTokenRenewerLifetimeTes
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         // Create token.
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         // Sleep to expire the token
         Thread.sleep(1000);
         
@@ -244,6 +270,8 @@ public class SAMLTokenRenewerLifetimeTes
         long maxLifetime = 30 * 60L;  // 30 minutes
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
+        
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setMaxLifetime(maxLifetime);
         conditionsProvider.setFailLifetimeExceedance(false);
@@ -267,7 +295,9 @@ public class SAMLTokenRenewerLifetimeTes
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         // Create token.
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         // Sleep to expire the token
         Thread.sleep(1000);
         
@@ -312,13 +342,16 @@ public class SAMLTokenRenewerLifetimeTes
         parameters.setStsProperties(stsProperties);
 
         parameters.setEncryptionProperties(new EncryptionProperties());
+        
+        parameters.setTokenStore(tokenStore);
 
         return parameters;
     }
     
     private Element createSAMLAssertion(
         String tokenType, Crypto crypto, String signatureUsername,
-         CallbackHandler callbackHandler, long ttlMs
+         CallbackHandler callbackHandler, long ttlMs, boolean allowRenewing,
+         boolean allowRenewingAfterExpiry
     ) throws WSSecurityException {
         SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -329,6 +362,11 @@ public class SAMLTokenRenewerLifetimeTes
                 tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
             );
 
+        Renewing renewing = new Renewing();
+        renewing.setAllowRenewing(allowRenewing);
+        renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
+        providerParameters.getTokenRequirements().setRenewing(renewing);
+        
         if (ttlMs != 0) {
             Lifetime lifetime = new Lifetime();
             Date creationTime = new Date();
@@ -381,6 +419,7 @@ public class SAMLTokenRenewerLifetimeTes
         parameters.setStsProperties(stsProperties);
 
         parameters.setEncryptionProperties(new EncryptionProperties());
+        parameters.setTokenStore(tokenStore);
 
         return parameters;
     }

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java Wed Apr 11 23:21:01 2012
@@ -33,11 +33,13 @@ import org.apache.cxf.jaxws.context.Wrap
 import org.apache.cxf.message.MessageImpl;
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.cache.DefaultInMemoryTokenStore;
 import org.apache.cxf.sts.common.PasswordCallbackHandler;
 import org.apache.cxf.sts.request.KeyRequirements;
 import org.apache.cxf.sts.request.Lifetime;
 import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.Renewing;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
@@ -52,18 +54,27 @@ import org.apache.cxf.sts.token.validato
 import org.apache.cxf.sts.token.validator.TokenValidator;
 import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
 import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.ws.security.CustomTokenPrincipal;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
 import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.junit.BeforeClass;
 
 /**
  * Some unit tests for renewing a SAML token in different realms.
  */
 public class SAMLTokenRenewerRealmTest extends org.junit.Assert {
     
+    private static TokenStore tokenStore;
+    
+    @BeforeClass
+    public static void init() {
+        tokenStore = new DefaultInMemoryTokenStore();
+    }
+    
     /**
      * Test a SAML 1.1 Assertion created in realm "A".
      */
@@ -72,10 +83,14 @@ public class SAMLTokenRenewerRealmTest e
         // Create a RenewTarget consisting of a SAML Assertion
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
-        Element samlToken = 
-            createSAMLAssertion(
-                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, "A", 50
+        
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, crypto, "mystskey", 
+                callbackHandler
             );
+        
+        Element samlToken = createSAMLAssertion(providerParameters, "A", 50, true, true);
         // Sleep to expire the token
         Thread.sleep(1000);
         Document doc = samlToken.getOwnerDocument();
@@ -112,6 +127,7 @@ public class SAMLTokenRenewerRealmTest e
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
         Map<String, SAMLRealm> samlRealms = getSamlRealms();
         ((SAMLTokenRenewer)samlTokenRenewer).setRealmMap(samlRealms);
         String realm = validatorResponse.getTokenRealm();
@@ -140,10 +156,14 @@ public class SAMLTokenRenewerRealmTest e
         // Create a RenewTarget consisting of a SAML Assertion
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
-        Element samlToken = 
-            createSAMLAssertion(
-                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, "B", 50
+        
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, crypto, "mystskey", 
+                callbackHandler
             );
+        
+        Element samlToken = createSAMLAssertion(providerParameters, "B", 50, true, true);
         // Sleep to expire the token
         Thread.sleep(1000);
         Document doc = samlToken.getOwnerDocument();
@@ -180,6 +200,7 @@ public class SAMLTokenRenewerRealmTest e
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
         Map<String, SAMLRealm> samlRealms = getSamlRealms();
         ((SAMLTokenRenewer)samlTokenRenewer).setRealmMap(samlRealms);
         String realm = validatorResponse.getTokenRealm();
@@ -228,26 +249,30 @@ public class SAMLTokenRenewerRealmTest e
         stsProperties.setIssuer("STS-2");
         parameters.setStsProperties(stsProperties);
         
+        parameters.setTokenStore(tokenStore);
+        
         return parameters;
     }
     
     private Element createSAMLAssertion(
-        String tokenType, 
-        Crypto crypto, 
-        String signatureUsername, 
-        CallbackHandler callbackHandler,
+        TokenProviderParameters providerParameters,
         String realm,
-        long ttlMs
+        long ttlMs,
+        boolean allowRenewing,
+        boolean allowRenewingAfterExpiry
     ) throws WSSecurityException {
         TokenProvider samlTokenProvider = new SAMLTokenProvider();
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setAcceptClientLifetime(true);
         ((SAMLTokenProvider)samlTokenProvider).setConditionsProvider(conditionsProvider);
-        TokenProviderParameters providerParameters = 
-            createProviderParameters(
-                tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
-            );
+
         providerParameters.setRealm(realm);
+        
+        Renewing renewing = new Renewing();
+        renewing.setAllowRenewing(allowRenewing);
+        renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
+        providerParameters.getTokenRequirements().setRenewing(renewing);
+        
         if (ttlMs != 0) {
             Lifetime lifetime = new Lifetime();
             Date creationTime = new Date();
@@ -316,6 +341,8 @@ public class SAMLTokenRenewerRealmTest e
         parameters.setStsProperties(stsProperties);
 
         parameters.setEncryptionProperties(new EncryptionProperties());
+        
+        parameters.setTokenStore(tokenStore);
 
         return parameters;
     }

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java Wed Apr 11 23:21:01 2012
@@ -37,6 +37,7 @@ import org.apache.cxf.sts.request.KeyReq
 import org.apache.cxf.sts.request.Lifetime;
 import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.Renewing;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
@@ -71,19 +72,19 @@ public class SAMLTokenRenewerTest extend
     }
     
     /**
-     * Renew an expired SAML1 Assertion
+     * Renew a valid SAML1 Assertion
      */
     @org.junit.Test
-    public void renewExpiredSAML1Assertion() throws Exception {
+    public void renewValidSAML1Assertion() throws Exception {
         // Create the Assertion
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, true, false
+            );
         Document doc = samlToken.getOwnerDocument();
         samlToken = (Element)doc.appendChild(samlToken);
-        // Sleep to expire the token
-        Thread.sleep(1000);
         
         // Validate the Assertion
         TokenValidator samlTokenValidator = new SAMLTokenValidator();
@@ -99,7 +100,7 @@ public class SAMLTokenRenewerTest extend
                 samlTokenValidator.validateToken(validatorParameters);
         assertTrue(validatorResponse != null);
         assertTrue(validatorResponse.getToken() != null);
-        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
         
         // Renew the Assertion
         TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
@@ -137,24 +138,23 @@ public class SAMLTokenRenewerTest extend
     }
     
     /**
-     * Renew an expired SAML1 Assertion without using the cache
+     * Renew a valid SAML1 Assertion. However, the issuer does not allow renewal
      */
     @org.junit.Test
-    public void renewExpiredSAML1AssertionNoCache() throws Exception {
+    public void renewNotAllowedOfValidSAML1Assertion() throws Exception {
         // Create the Assertion
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, false, false
+            );
         Document doc = samlToken.getOwnerDocument();
         samlToken = (Element)doc.appendChild(samlToken);
-        // Sleep to expire the token
-        Thread.sleep(1000);
         
         // Validate the Assertion
         TokenValidator samlTokenValidator = new SAMLTokenValidator();
         TokenValidatorParameters validatorParameters = createValidatorParameters();
-        validatorParameters.setTokenStore(null);
         TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
         ReceivedToken validateTarget = new ReceivedToken(samlToken);
         tokenRequirements.setValidateTarget(validateTarget);
@@ -166,7 +166,7 @@ public class SAMLTokenRenewerTest extend
                 samlTokenValidator.validateToken(validatorParameters);
         assertTrue(validatorResponse != null);
         assertTrue(validatorResponse.getToken() != null);
-        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
         
         // Renew the Assertion
         TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
@@ -183,36 +183,26 @@ public class SAMLTokenRenewerTest extend
         samlTokenRenewer.setVerifyProofOfPossession(false);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
-        TokenRenewerResponse renewerResponse = 
-                samlTokenRenewer.renewToken(renewerParameters);
-        assertTrue(renewerResponse != null);
-        assertTrue(renewerResponse.getToken() != null);
-        
-        String oldId = new AssertionWrapper(samlToken).getId();
-        String newId = new AssertionWrapper((Element)renewerResponse.getToken()).getId();
-        assertFalse(oldId.equals(newId));
-        
-        // Now validate it again
-        validateTarget = new ReceivedToken(renewerResponse.getToken());
-        tokenRequirements.setValidateTarget(validateTarget);
-        validatorParameters.setToken(validateTarget);
-        
-        validatorResponse = samlTokenValidator.validateToken(validatorParameters);
-        assertTrue(validatorResponse != null);
-        assertTrue(validatorResponse.getToken() != null);
-        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+        try {
+            samlTokenRenewer.renewToken(renewerParameters);
+            fail("Failure expected on attempting to renew a token that was not allowed to be renewed");
+        } catch (Exception ex) {
+            // expected
+        }
     }
     
     /**
-     * Renew an expired SAML2 Assertion
+     * Renew an expired SAML1 Assertion
      */
     @org.junit.Test
-    public void renewExpiredSAML2Assertion() throws Exception {
+    public void renewExpiredSAML1Assertion() throws Exception {
         // Create the Assertion
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         Document doc = samlToken.getOwnerDocument();
         samlToken = (Element)doc.appendChild(samlToken);
         // Sleep to expire the token
@@ -249,6 +239,14 @@ public class SAMLTokenRenewerTest extend
         samlTokenRenewer.setVerifyProofOfPossession(false);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
+        try {
+            samlTokenRenewer.renewToken(renewerParameters);
+            fail("Failure expected on an expired token, which is not allowed by default");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
         TokenRenewerResponse renewerResponse = 
                 samlTokenRenewer.renewToken(renewerParameters);
         assertTrue(renewerResponse != null);
@@ -270,15 +268,17 @@ public class SAMLTokenRenewerTest extend
     }
     
     /**
-     * Renew an expired SAML2 Assertion without using the cache
+     * Renew an expired SAML2 Assertion
      */
     @org.junit.Test
-    public void renewExpiredSAML2AssertionNoCache() throws Exception {
+    public void renewExpiredSAML2Assertion() throws Exception {
         // Create the Assertion
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         Document doc = samlToken.getOwnerDocument();
         samlToken = (Element)doc.appendChild(samlToken);
         // Sleep to expire the token
@@ -287,7 +287,6 @@ public class SAMLTokenRenewerTest extend
         // Validate the Assertion
         TokenValidator samlTokenValidator = new SAMLTokenValidator();
         TokenValidatorParameters validatorParameters = createValidatorParameters();
-        validatorParameters.setTokenStore(null);
         TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
         ReceivedToken validateTarget = new ReceivedToken(samlToken);
         tokenRequirements.setValidateTarget(validateTarget);
@@ -315,7 +314,15 @@ public class SAMLTokenRenewerTest extend
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+
+        try {
+            samlTokenRenewer.renewToken(renewerParameters);
+            fail("Failure expected on an expired token, which is not allowed by default");
+        } catch (Exception ex) {
+            // expected
+        }
         
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
         TokenRenewerResponse renewerResponse = 
                 samlTokenRenewer.renewToken(renewerParameters);
         assertTrue(renewerResponse != null);
@@ -337,17 +344,22 @@ public class SAMLTokenRenewerTest extend
     }
     
     /**
-     * Renew a valid SAML1 Assertion
+     * Renew an expired SAML2 Assertion. However the issuer does not allow the renewal of expired 
+     * tokens.
      */
     @org.junit.Test
-    public void renewValidSAML1Assertion() throws Exception {
+    public void renewExpiredNotAllowedSAML2Assertion() throws Exception {
         // Create the Assertion
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, false
+            );
         Document doc = samlToken.getOwnerDocument();
         samlToken = (Element)doc.appendChild(samlToken);
+        // Sleep to expire the token
+        Thread.sleep(1000);
         
         // Validate the Assertion
         TokenValidator samlTokenValidator = new SAMLTokenValidator();
@@ -363,7 +375,7 @@ public class SAMLTokenRenewerTest extend
                 samlTokenValidator.validateToken(validatorParameters);
         assertTrue(validatorResponse != null);
         assertTrue(validatorResponse.getToken() != null);
-        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
         
         // Renew the Assertion
         TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
@@ -378,26 +390,15 @@ public class SAMLTokenRenewerTest extend
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
-        TokenRenewerResponse renewerResponse = 
-                samlTokenRenewer.renewToken(renewerParameters);
-        assertTrue(renewerResponse != null);
-        assertTrue(renewerResponse.getToken() != null);
-        
-        String oldId = new AssertionWrapper(samlToken).getId();
-        String newId = new AssertionWrapper((Element)renewerResponse.getToken()).getId();
-        assertFalse(oldId.equals(newId));
-        
-        // Now validate it again
-        validateTarget = new ReceivedToken(renewerResponse.getToken());
-        tokenRequirements.setValidateTarget(validateTarget);
-        validatorParameters.setToken(validateTarget);
-        
-        validatorResponse = samlTokenValidator.validateToken(validatorParameters);
-        assertTrue(validatorResponse != null);
-        assertTrue(validatorResponse.getToken() != null);
-        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+        try {
+            samlTokenRenewer.renewToken(renewerParameters);
+            fail("Failure on attempting to renew an expired token, which is not allowed");
+        } catch (Exception ex) {
+            // expected
+        }
     }
     
     
@@ -411,7 +412,9 @@ public class SAMLTokenRenewerTest extend
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true
+            );
         Document doc = samlToken.getOwnerDocument();
         samlToken = (Element)doc.appendChild(samlToken);
         // Sleep to expire the token
@@ -446,6 +449,7 @@ public class SAMLTokenRenewerTest extend
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
         samlTokenRenewer.setVerifyProofOfPossession(false);
+        samlTokenRenewer.setAllowRenewalAfterExpiry(true);
         ((SAMLTokenRenewer)samlTokenRenewer).setMaxExpiry(1L);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
@@ -466,7 +470,9 @@ public class SAMLTokenRenewerTest extend
         Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
         CallbackHandler callbackHandler = new PasswordCallbackHandler();
         Element samlToken = 
-            createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000);
+            createSAMLAssertion(
+                WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, true, false
+            );
         Document doc = samlToken.getOwnerDocument();
         samlToken = (Element)doc.appendChild(samlToken);
         
@@ -509,6 +515,7 @@ public class SAMLTokenRenewerTest extend
         }
     }
 
+    
     private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
         TokenValidatorParameters parameters = new TokenValidatorParameters();
         
@@ -542,7 +549,8 @@ public class SAMLTokenRenewerTest extend
     
     private Element createSAMLAssertion(
             String tokenType, Crypto crypto, String signatureUsername,
-            CallbackHandler callbackHandler, long ttlMs
+            CallbackHandler callbackHandler, long ttlMs, boolean allowRenewing,
+            boolean allowRenewingAfterExpiry
     ) throws WSSecurityException {
         SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -552,6 +560,11 @@ public class SAMLTokenRenewerTest extend
             createProviderParameters(
                     tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler
             );
+        
+        Renewing renewing = new Renewing();
+        renewing.setAllowRenewing(allowRenewing);
+        renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
+        providerParameters.getTokenRequirements().setRenewing(renewing);
 
         if (ttlMs != 0) {
             Lifetime lifetime = new Lifetime();

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java Wed Apr 11 23:21:01 2012
@@ -68,7 +68,8 @@ public class SAMLRenewUnitTest extends A
             "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
         
         // Request the token
-        SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 5);
+        SecurityToken token = 
+            requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 5, true);
         assertNotNull(token);
         // Sleep to expire the token
         Thread.sleep(5000);
@@ -102,7 +103,8 @@ public class SAMLRenewUnitTest extends A
             "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
         
         // Request the token
-        SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5);
+        SecurityToken token = 
+            requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5, true);
         assertNotNull(token);
         // Sleep to expire the token
         Thread.sleep(5000);
@@ -124,6 +126,34 @@ public class SAMLRenewUnitTest extends A
     }
     
     @org.junit.Test
+    public void testRenewSAML2TokenFail() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SAMLRenewUnitTest.class.getResource("cxf-client-unit.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        String wsdlLocation = 
+            "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
+        
+        // Request the token
+        SecurityToken token = 
+            requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5, false);
+        assertNotNull(token);
+        // Sleep to expire the token
+        Thread.sleep(5000);
+        
+        // Renew the token - this will fail as we didn't send a Renewing @OK attribute
+        try {
+            renewSecurityToken(bus, wsdlLocation, token, false);
+            fail("Failure expected on a different AppliesTo address");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @org.junit.Test
     public void testRenewValidSAML1Token() throws Exception {
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = SAMLRenewUnitTest.class.getResource("cxf-client-unit.xml");
@@ -136,7 +166,8 @@ public class SAMLRenewUnitTest extends A
             "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
         
         // Request the token
-        SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 300);
+        SecurityToken token = 
+            requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 300, false);
         assertNotNull(token);
         
         // Validate the token
@@ -144,14 +175,12 @@ public class SAMLRenewUnitTest extends A
         assertFalse(validatedTokens.isEmpty());
         assertTrue(validatedTokens.get(0).equals(token));
 
-        // Renew the token - this should fail as the STS will reject an attempt to renew a valid token
-        // unless it has been configured otherwise
-        try {
-            renewSecurityToken(bus, wsdlLocation, token, true);
-            fail("Failure expected on trying to renew a valid token");
-        } catch (Exception ex) {
-            // expected
-        }
+        // Renew the token
+        SecurityToken renewedToken = renewSecurityToken(bus, wsdlLocation, token, false);
+        assertFalse(token.equals(renewedToken));
+        
+        // Validate the renewed token
+        validateSecurityToken(bus, wsdlLocation, renewedToken);
     }
     
     @org.junit.Test
@@ -167,7 +196,8 @@ public class SAMLRenewUnitTest extends A
             "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
         
         // Request the token
-        SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5);
+        SecurityToken token = 
+            requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5, true);
         assertNotNull(token);
         // Sleep to expire the token
         Thread.sleep(5000);
@@ -182,8 +212,9 @@ public class SAMLRenewUnitTest extends A
         }
     }
     
+    
     private SecurityToken requestSecurityToken(
-        Bus bus, String wsdlLocation, String tokenType, int ttl
+        Bus bus, String wsdlLocation, String tokenType, int ttl, boolean allowExpired
     ) throws Exception {
         STSClient stsClient = new STSClient(bus);
         stsClient.setWsdlLocation(wsdlLocation);
@@ -201,6 +232,7 @@ public class SAMLRenewUnitTest extends A
         properties.put(SecurityConstants.STS_TOKEN_PROPERTIES, "serviceKeystore.properties");
         
         stsClient.setTtl(ttl);
+        stsClient.setAllowRenewingAfterExpiry(allowExpired);
         stsClient.setEnableLifetime(true);
 
         stsClient.setProperties(properties);

Modified: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml Wed Apr 11 23:21:01 2012
@@ -53,6 +53,7 @@ http://cxf.apache.org/configuration/secu
                              value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
                    <property name="ttl" value="8"/>
                    <property name="enableLifetime" value="true"/>
+                   <property name="allowRenewingAfterExpiry" value="true"/>
                    <property name="properties">
                        <map>
                            <entry key="ws-security.sts.token.username" value="myclientkey"/>

Modified: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml?rev=1325061&r1=1325060&r2=1325061&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml Wed Apr 11 23:21:01 2012
@@ -130,6 +130,7 @@
 	
 	<bean id="transportSamlTokenRenewer" class="org.apache.cxf.sts.token.renewer.SAMLTokenRenewer">
 	    <property name="verifyProofOfPossession" value="false"/>
+	    <property name="allowRenewalAfterExpiry" value="true"/>
 	    <property name="conditionsProvider" ref="SAMLConditionsProvider"/>
     </bean>
     



Mime
View raw message