Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 36EDA95AE for ; Thu, 5 Apr 2012 13:32:09 +0000 (UTC) Received: (qmail 84353 invoked by uid 500); 5 Apr 2012 13:32:09 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 84305 invoked by uid 500); 5 Apr 2012 13:32:09 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 84296 invoked by uid 99); 5 Apr 2012 13:32:09 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Apr 2012 13:32:09 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Apr 2012 13:32:05 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 3B1E22388980; Thu, 5 Apr 2012 13:31:45 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1309846 - in /cxf/trunk/services/sts: sts-core/src/main/java/org/apache/cxf/sts/token/provider/ sts-core/src/main/java/org/apache/cxf/sts/token/renewer/ sts-core/src/main/java/org/apache/cxf/sts/token/validator/ sts-core/src/test/java/org/... Date: Thu, 05 Apr 2012 13:31:44 -0000 To: commits@cxf.apache.org From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120405133145.3B1E22388980@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Thu Apr 5 13:31:43 2012 New Revision: 1309846 URL: http://svn.apache.org/viewvc?rev=1309846&view=rev Log: [CXF-4158] - Added an initial SAMLTokenRenewer & some tests. Added: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java Removed: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SCTRenewer.java cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSCTUnitTest.java Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java (original) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java Thu Apr 5 13:31:43 2012 @@ -18,6 +18,7 @@ */ package org.apache.cxf.sts.token.provider; +import org.apache.cxf.sts.request.Lifetime; import org.apache.ws.security.saml.ext.bean.ConditionsBean; /** @@ -32,6 +33,11 @@ public interface ConditionsProvider { ConditionsBean getConditions(TokenProviderParameters providerParameters); /** + * Get a ConditionsBean object. + */ + ConditionsBean getConditions(String appliesToAddress, Lifetime tokenLifetime); + + /** * Get the lifetime to use (in seconds) */ long getLifetime(); Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java (original) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java Thu Apr 5 13:31:43 2012 @@ -114,9 +114,18 @@ public class DefaultConditionsProvider i * Get a ConditionsBean object. */ public ConditionsBean getConditions(TokenProviderParameters providerParameters) { + return getConditions( + providerParameters.getAppliesToAddress(), + providerParameters.getTokenRequirements().getLifetime() + ); + } + + /** + * Get a ConditionsBean object. + */ + public ConditionsBean getConditions(String appliesToAddress, Lifetime tokenLifetime) { ConditionsBean conditions = new ConditionsBean(); if (lifetime > 0) { - Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime(); if (acceptClientLifetime && tokenLifetime != null) { try { XmlSchemaDateFormat fmt = new XmlSchemaDateFormat(); @@ -154,7 +163,7 @@ public class DefaultConditionsProvider i } else { conditions.setTokenPeriodMinutes(5); } - conditions.setAudienceURI(providerParameters.getAppliesToAddress()); + conditions.setAudienceURI(appliesToAddress); return conditions; } Added: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java?rev=1309846&view=auto ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java (added) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java Thu Apr 5 13:31:43 2012 @@ -0,0 +1,344 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.sts.token.renewer; + +import java.security.Principal; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Properties; +import java.util.logging.Level; +import java.util.logging.Logger; + +import javax.security.auth.callback.CallbackHandler; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.helpers.DOMUtils; +import org.apache.cxf.sts.STSConstants; +import org.apache.cxf.sts.STSPropertiesMBean; +import org.apache.cxf.sts.SignatureProperties; +import org.apache.cxf.sts.request.ReceivedToken; +import org.apache.cxf.sts.request.ReceivedToken.STATE; +import org.apache.cxf.sts.token.provider.ConditionsProvider; +import org.apache.cxf.sts.token.provider.DefaultConditionsProvider; +import org.apache.cxf.sts.token.realm.SAMLRealm; +import org.apache.cxf.ws.security.sts.provider.STSException; +import org.apache.cxf.ws.security.tokenstore.SecurityToken; +import org.apache.cxf.ws.security.tokenstore.TokenStore; +import org.apache.ws.security.WSConstants; +import org.apache.ws.security.WSPasswordCallback; +import org.apache.ws.security.WSSecurityException; +import org.apache.ws.security.components.crypto.Crypto; +import org.apache.ws.security.saml.ext.AssertionWrapper; +import org.apache.ws.security.saml.ext.bean.ConditionsBean; +import org.apache.ws.security.saml.ext.builder.SAML1ComponentBuilder; +import org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder; +import org.joda.time.DateTime; +import org.opensaml.common.SAMLVersion; + +/** + * A TokenRenewer implementation that renews a (valid) SAML Token. + */ +public class SAMLTokenRenewer implements TokenRenewer { + + private static final Logger LOG = LogUtils.getL7dLogger(SAMLTokenRenewer.class); + private boolean signToken = true; + private ConditionsProvider conditionsProvider = new DefaultConditionsProvider(); + private Map realmMap = new HashMap(); + + /** + * Return true if this TokenRenewer implementation is able to renew a token. + */ + public boolean canHandleToken(ReceivedToken renewTarget) { + Object token = renewTarget.getToken(); + if (token instanceof Element) { + Element tokenElement = (Element)token; + String namespace = tokenElement.getNamespaceURI(); + String localname = tokenElement.getLocalName(); + if ((WSConstants.SAML_NS.equals(namespace) || WSConstants.SAML2_NS.equals(namespace)) + && "Assertion".equals(localname)) { + return true; + } + } + return false; + } + + public void setVerifyProofOfPossession(boolean verifyProofOfPossession) { + // + } + + + /** + * Renew a token given a TokenRenewerParameters + */ + public TokenRenewerResponse renewToken(TokenRenewerParameters tokenParameters) { + TokenRenewerResponse response = new TokenRenewerResponse(); + ReceivedToken tokenToRenew = tokenParameters.getToken(); + if (tokenToRenew == null || tokenToRenew.getToken() == null + || (tokenToRenew.getState() != STATE.EXPIRED && tokenToRenew.getState() != STATE.VALID)) { + LOG.log(Level.WARNING, "The token to renew is null or invalid"); + throw new STSException( + "The token to renew is null or invalid", STSException.INVALID_REQUEST + ); + } + + try { + AssertionWrapper assertion = new AssertionWrapper((Element)tokenToRenew.getToken()); + + // Create new Conditions & sign the Assertion + createNewConditions(assertion, tokenParameters); + signAssertion(assertion, tokenParameters); + + Document doc = DOMUtils.createDocument(); + Element token = assertion.toDOM(doc); + if (assertion.getSaml1() != null) { + token.setIdAttributeNS(null, "AssertionID", true); + } else { + token.setIdAttributeNS(null, "ID", true); + } + doc.appendChild(token); + + // Cache the token + String realm = tokenParameters.getRealm(); + storeTokenInCache( + tokenParameters.getTokenStore(), assertion, tokenParameters.getPrincipal(), realm + ); + + response.setToken(token); + response.setTokenId(assertion.getId()); + + DateTime validFrom = null; + DateTime validTill = null; + long lifetime = 0; + if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { + validFrom = assertion.getSaml2().getConditions().getNotBefore(); + validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); + lifetime = validTill.getMillis() - validFrom.getMillis(); + } else { + validFrom = assertion.getSaml1().getConditions().getNotBefore(); + validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); + lifetime = validTill.getMillis() - validFrom.getMillis(); + } + response.setLifetime(lifetime / 1000); + /* + response.setEntropy(entropyBytes); + if (keySize > 0) { + response.setKeySize(keySize); + } + response.setComputedKey(computedKey); + */ + return response; + + } catch (Exception ex) { + LOG.log(Level.WARNING, "", ex); + throw new STSException("Can't renew SAML assertion", ex, STSException.REQUEST_FAILED); + } + } + + /** + * Set the ConditionsProvider + */ + public void setConditionsProvider(ConditionsProvider conditionsProvider) { + this.conditionsProvider = conditionsProvider; + } + + /** + * Get the ConditionsProvider + */ + public ConditionsProvider getConditionsProvider() { + return conditionsProvider; + } + + /** + * Return whether the provided token will be signed or not. Default is true. + */ + public boolean isSignToken() { + return signToken; + } + + /** + * Set whether the provided token will be signed or not. Default is true. + */ + public void setSignToken(boolean signToken) { + this.signToken = signToken; + } + + /** + * Set the map of realm->SAMLRealm for this token provider + * @param realms the map of realm->SAMLRealm for this token provider + */ + public void setRealmMap(Map realms) { + this.realmMap = realms; + } + + /** + * Get the map of realm->SAMLRealm for this token provider + * @return the map of realm->SAMLRealm for this token provider + */ + public Map getRealmMap() { + return realmMap; + } + + private void signAssertion( + AssertionWrapper assertion, + TokenRenewerParameters tokenParameters + ) throws Exception { + if (signToken) { + STSPropertiesMBean stsProperties = tokenParameters.getStsProperties(); + + // Initialise signature objects with defaults of STSPropertiesMBean + Crypto signatureCrypto = stsProperties.getSignatureCrypto(); + CallbackHandler callbackHandler = stsProperties.getCallbackHandler(); + SignatureProperties signatureProperties = stsProperties.getSignatureProperties(); + String alias = stsProperties.getSignatureUsername(); + + String realm = tokenParameters.getRealm(); + SAMLRealm samlRealm = null; + if (realm != null && realmMap.containsKey(realm)) { + samlRealm = realmMap.get(realm); + } + if (samlRealm != null) { + // If SignatureCrypto configured in realm then + // callbackhandler and alias of STSPropertiesMBean is ignored + if (samlRealm.getSignatureCrypto() != null) { + LOG.fine("SAMLRealm signature keystore used"); + signatureCrypto = samlRealm.getSignatureCrypto(); + callbackHandler = samlRealm.getCallbackHandler(); + alias = samlRealm.getSignatureAlias(); + } + // SignatureProperties can be defined independently of SignatureCrypto + if (samlRealm.getSignatureProperties() != null) { + signatureProperties = samlRealm.getSignatureProperties(); + } + } + + // Get the signature algorithm to use + String signatureAlgorithm = tokenParameters.getKeyRequirements().getSignatureAlgorithm(); + if (signatureAlgorithm == null) { + // If none then default to what is configured + signatureAlgorithm = signatureProperties.getSignatureAlgorithm(); + } else { + List supportedAlgorithms = + signatureProperties.getAcceptedSignatureAlgorithms(); + if (!supportedAlgorithms.contains(signatureAlgorithm)) { + signatureAlgorithm = signatureProperties.getSignatureAlgorithm(); + LOG.fine("SignatureAlgorithm not supported, defaulting to: " + signatureAlgorithm); + } + } + + // Get the c14n algorithm to use + String c14nAlgorithm = tokenParameters.getKeyRequirements().getC14nAlgorithm(); + if (c14nAlgorithm == null) { + // If none then default to what is configured + c14nAlgorithm = signatureProperties.getC14nAlgorithm(); + } else { + List supportedAlgorithms = + signatureProperties.getAcceptedC14nAlgorithms(); + if (!supportedAlgorithms.contains(c14nAlgorithm)) { + c14nAlgorithm = signatureProperties.getC14nAlgorithm(); + LOG.fine("C14nAlgorithm not supported, defaulting to: " + c14nAlgorithm); + } + } + + // If alias not defined, get the default of the SignatureCrypto + if ((alias == null || "".equals(alias)) && (signatureCrypto != null)) { + alias = signatureCrypto.getDefaultX509Identifier(); + LOG.fine("Signature alias is null so using default alias: " + alias); + } + // Get the password + WSPasswordCallback[] cb = {new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE)}; + LOG.fine("Creating SAML Token"); + callbackHandler.handle(cb); + String password = cb[0].getPassword(); + + LOG.fine("Signing SAML Token"); + boolean useKeyValue = signatureProperties.isUseKeyValue(); + assertion.signAssertion( + alias, password, signatureCrypto, useKeyValue, c14nAlgorithm, signatureAlgorithm + ); + } + + } + + private void createNewConditions(AssertionWrapper assertion, TokenRenewerParameters tokenParameters) { + ConditionsBean conditions = + conditionsProvider.getConditions( + tokenParameters.getAppliesToAddress(), + tokenParameters.getTokenRequirements().getLifetime() + ); + + if (assertion.getSaml1() != null) { + org.opensaml.saml1.core.Assertion saml1Assertion = assertion.getSaml1(); + saml1Assertion.setIssueInstant(new DateTime()); + + org.opensaml.saml1.core.Conditions saml1Conditions = + SAML1ComponentBuilder.createSamlv1Conditions(conditions); + + saml1Assertion.setConditions(saml1Conditions); + } else { + org.opensaml.saml2.core.Assertion saml2Assertion = assertion.getSaml2(); + saml2Assertion.setIssueInstant(new DateTime()); + + org.opensaml.saml2.core.Conditions saml2Conditions = + SAML2ComponentBuilder.createConditions(conditions); + + saml2Assertion.setConditions(saml2Conditions); + } + } + + private void storeTokenInCache( + TokenStore tokenStore, + AssertionWrapper assertion, + Principal principal, + String tokenRealm + ) throws WSSecurityException { + // Store the successfully renewed token in the cache + byte[] signatureValue = assertion.getSignatureValue(); + if (tokenStore != null && signatureValue != null && signatureValue.length > 0) { + DateTime validTill = null; + if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { + validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); + } else { + validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); + } + + SecurityToken securityToken = new SecurityToken(assertion.getId(), null, validTill.toDate()); + securityToken.setToken(assertion.getElement()); + securityToken.setPrincipal(principal); + + if (tokenRealm != null) { + Properties props = new Properties(); + props.setProperty(STSConstants.TOKEN_REALM, tokenRealm); + securityToken.setProperties(props); + } + + int hash = Arrays.hashCode(signatureValue); + securityToken.setTokenHash(hash); + String identifier = Integer.toString(hash); + tokenStore.add(identifier, securityToken); + } + } + + +} Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java (original) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewer.java Thu Apr 5 13:31:43 2012 @@ -25,7 +25,6 @@ import org.apache.cxf.sts.request.Receiv /** * An interface that can renew a security token. */ - public interface TokenRenewer { /** @@ -34,10 +33,9 @@ public interface TokenRenewer { void setVerifyProofOfPossession(boolean verifyProofOfPossession); /** - * Return true if this TokenRenewer implementation is able to renew a token - * that corresponds to the given token. + * Return true if this TokenRenewer implementation is able to renew a token. */ - boolean canHandleToken(ReceivedToken cancelTarget); + boolean canHandleToken(ReceivedToken renewTarget); /** * Renew a token given a TokenRenewerParameters Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java (original) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerParameters.java Thu Apr 5 13:31:43 2012 @@ -20,12 +20,15 @@ package org.apache.cxf.sts.token.renewer; import java.security.Principal; +import java.util.Map; import javax.xml.ws.WebServiceContext; import org.apache.cxf.sts.STSPropertiesMBean; import org.apache.cxf.sts.request.KeyRequirements; +import org.apache.cxf.sts.request.ReceivedToken; import org.apache.cxf.sts.request.TokenRequirements; +import org.apache.cxf.sts.service.EncryptionProperties; import org.apache.cxf.ws.security.tokenstore.TokenStore; /** @@ -36,11 +39,25 @@ import org.apache.cxf.ws.security.tokens public class TokenRenewerParameters { private STSPropertiesMBean stsProperties; + private EncryptionProperties encryptionProperties; private Principal principal; private WebServiceContext webServiceContext; private KeyRequirements keyRequirements; private TokenRequirements tokenRequirements; + private String appliesToAddress; + private Map additionalProperties; private TokenStore tokenStore; + private String realm; + private ReceivedToken token; + + public ReceivedToken getToken() { + return token; + } + + public void setToken(ReceivedToken token) { + this.token = token; + } + public TokenStore getTokenStore() { return tokenStore; @@ -49,7 +66,15 @@ public class TokenRenewerParameters { public void setTokenStore(TokenStore tokenStore) { this.tokenStore = tokenStore; } - + + public String getAppliesToAddress() { + return appliesToAddress; + } + + public void setAppliesToAddress(String appliesToAddress) { + this.appliesToAddress = appliesToAddress; + } + public TokenRequirements getTokenRequirements() { return tokenRequirements; } @@ -57,7 +82,7 @@ public class TokenRenewerParameters { public void setTokenRequirements(TokenRequirements tokenRequirements) { this.tokenRequirements = tokenRequirements; } - + public KeyRequirements getKeyRequirements() { return keyRequirements; } @@ -65,7 +90,7 @@ public class TokenRenewerParameters { public void setKeyRequirements(KeyRequirements keyRequirements) { this.keyRequirements = keyRequirements; } - + public STSPropertiesMBean getStsProperties() { return stsProperties; } @@ -74,6 +99,14 @@ public class TokenRenewerParameters { this.stsProperties = stsProperties; } + public EncryptionProperties getEncryptionProperties() { + return encryptionProperties; + } + + public void setEncryptionProperties(EncryptionProperties encryptionProperties) { + this.encryptionProperties = encryptionProperties; + } + public WebServiceContext getWebServiceContext() { return webServiceContext; } @@ -90,4 +123,20 @@ public class TokenRenewerParameters { return principal; } + public void setAdditionalProperties(Map additionalProperties) { + this.additionalProperties = additionalProperties; + } + + public Map getAdditionalProperties() { + return additionalProperties; + } + + public void setRealm(String realm) { + this.realm = realm; + } + + public String getRealm() { + return realm; + } + } Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java (original) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/TokenRenewerResponse.java Thu Apr 5 13:31:43 2012 @@ -27,27 +27,73 @@ import org.apache.cxf.sts.token.provider */ public class TokenRenewerResponse { - private boolean tokenRenewed; - private Element renewedToken; + private Element token; private String tokenId; private long lifetime; + private byte[] entropy; + private long keySize; + private boolean computedKey; private TokenReference attachedReference; private TokenReference unAttachedReference; - public void setTokenRenewed(boolean tokenRenewed) { - this.tokenRenewed = tokenRenewed; + /** + * Return true if the entropy represents a Computed Key. + */ + public boolean isComputedKey() { + return computedKey; } - - public boolean isTokenRenewed() { - return tokenRenewed; + + /** + * Set whether the entropy represents a Computed Key or not + */ + public void setComputedKey(boolean computedKey) { + this.computedKey = computedKey; + } + + /** + * Get the KeySize that the TokenProvider set + */ + public long getKeySize() { + return keySize; + } + + /** + * Set the KeySize + */ + public void setKeySize(long keySize) { + this.keySize = keySize; + } + + /** + * Set the token + * @param token the token to set + */ + public void setToken(Element token) { + this.token = token; } - public void setRenewedToken(Element renewedToken) { - this.renewedToken = renewedToken; + /** + * Get the token + * @return the token to set + */ + public Element getToken() { + return token; + } + + /** + * Set the token Id + * @param tokenId the token Id + */ + public void setTokenId(String tokenId) { + this.tokenId = tokenId; } - public Element getRenewedToken() { - return renewedToken; + /** + * Get the token Id + * @return the token Id + */ + public String getTokenId() { + return tokenId; } /** @@ -67,6 +113,22 @@ public class TokenRenewerResponse { } /** + * Set the entropy associated with the token. + * @param entropy the entropy associated with the token. + */ + public void setEntropy(byte[] entropy) { + this.entropy = entropy; + } + + /** + * Get the entropy associated with the token. + * @return the entropy associated with the token. + */ + public byte[] getEntropy() { + return entropy; + } + + /** * Set the attached TokenReference * @param attachtedReference the attached TokenReference */ @@ -97,21 +159,6 @@ public class TokenRenewerResponse { public TokenReference getUnAttachedReference() { return unAttachedReference; } - - /** - * Set the token Id - * @param tokenId the token Id - */ - public void setTokenId(String tokenId) { - this.tokenId = tokenId; - } - - /** - * Get the token Id - * @return the token Id - */ - public String getTokenId() { - return tokenId; - } + } Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java (original) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java Thu Apr 5 13:31:43 2012 @@ -155,7 +155,6 @@ public class SAMLTokenValidator implemen if (secToken != null && secToken.getTokenHash() != hash) { secToken = null; } - response.setSecurityToken(secToken); } if (secToken != null && secToken.isExpired()) { LOG.fine("Token: " + secToken.getId() + " is in the cache but expired - revalidating"); @@ -218,14 +217,14 @@ public class SAMLTokenValidator implemen } response.setTokenRealm(tokenRealm); - if (!validateConditions(assertion, validateTarget, secToken, tokenParameters.getTokenStore())) { + if (!validateConditions(assertion, validateTarget)) { return response; } // Store the successfully validated token in the cache if (secToken == null) { storeTokenInCache( - tokenParameters.getTokenStore(), assertion, tokenParameters.getPrincipal() + tokenParameters.getTokenStore(), assertion, tokenParameters.getPrincipal(), tokenRealm ); } @@ -274,10 +273,7 @@ public class SAMLTokenValidator implemen } protected boolean validateConditions( - AssertionWrapper assertion, - ReceivedToken validateTarget, - SecurityToken secToken, - TokenStore tokenStore + AssertionWrapper assertion, ReceivedToken validateTarget ) { DateTime validFrom = null; DateTime validTill = null; @@ -290,25 +286,20 @@ public class SAMLTokenValidator implemen } if (validFrom.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); - if (secToken != null) { - tokenStore.remove(secToken.getId()); - } return false; } else if (validTill.isBeforeNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); - if (secToken != null) { - tokenStore.remove(secToken.getId()); - } validateTarget.setState(STATE.EXPIRED); return false; } return true; } - protected void storeTokenInCache( + private void storeTokenInCache( TokenStore tokenStore, AssertionWrapper assertion, - Principal principal + Principal principal, + String tokenRealm ) throws WSSecurityException { // Store the successfully validated token in the cache byte[] signatureValue = assertion.getSignatureValue(); @@ -323,6 +314,12 @@ public class SAMLTokenValidator implemen SecurityToken securityToken = new SecurityToken(assertion.getId(), null, validTill.toDate()); securityToken.setToken(assertion.getElement()); securityToken.setPrincipal(principal); + + if (tokenRealm != null) { + Properties props = new Properties(); + props.setProperty(STSConstants.TOKEN_REALM, tokenRealm); + securityToken.setProperties(props); + } int hash = Arrays.hashCode(signatureValue); securityToken.setTokenHash(hash); Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java (original) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java Thu Apr 5 13:31:43 2012 @@ -104,7 +104,6 @@ public class SCTValidator implements Tok LOG.fine("Identifier: " + identifier + " is not found in the cache"); return response; } - response.setSecurityToken(token); if (token.isExpired()) { validateTarget.setState(STATE.EXPIRED); LOG.fine("Token: " + identifier + " is in the cache but expired"); Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java (original) +++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/TokenValidatorResponse.java Thu Apr 5 13:31:43 2012 @@ -22,7 +22,6 @@ import java.security.Principal; import java.util.Map; import org.apache.cxf.sts.request.ReceivedToken; -import org.apache.cxf.ws.security.tokenstore.SecurityToken; /** * This class encapsulates the response from a TokenValidator instance after validating a token. @@ -33,19 +32,7 @@ public class TokenValidatorResponse { private Map additionalProperties; private String realm; private ReceivedToken token; - /** - * The SecurityToken corresponding to the ReceivedToken that was stored in the cache - */ - private SecurityToken securityToken; - public SecurityToken getSecurityToken() { - return securityToken; - } - - public void setSecurityToken(SecurityToken securityToken) { - this.securityToken = securityToken; - } - public ReceivedToken getToken() { return token; } Added: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java?rev=1309846&view=auto ============================================================================== --- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java (added) +++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java Thu Apr 5 13:31:43 2012 @@ -0,0 +1,431 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.sts.token.renewer; + +import java.util.Date; +import java.util.Properties; + +import javax.security.auth.callback.CallbackHandler; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import org.apache.cxf.jaxws.context.WebServiceContextImpl; +import org.apache.cxf.jaxws.context.WrappedMessageContext; +import org.apache.cxf.message.MessageImpl; +import org.apache.cxf.sts.STSConstants; +import org.apache.cxf.sts.StaticSTSProperties; +import org.apache.cxf.sts.cache.DefaultInMemoryTokenStore; +import org.apache.cxf.sts.common.PasswordCallbackHandler; +import org.apache.cxf.sts.request.KeyRequirements; +import org.apache.cxf.sts.request.Lifetime; +import org.apache.cxf.sts.request.ReceivedToken; +import org.apache.cxf.sts.request.ReceivedToken.STATE; +import org.apache.cxf.sts.request.TokenRequirements; +import org.apache.cxf.sts.service.EncryptionProperties; +import org.apache.cxf.sts.token.provider.DefaultConditionsProvider; +import org.apache.cxf.sts.token.provider.SAMLTokenProvider; +import org.apache.cxf.sts.token.provider.TokenProviderParameters; +import org.apache.cxf.sts.token.provider.TokenProviderResponse; +import org.apache.cxf.sts.token.validator.SAMLTokenValidator; +import org.apache.cxf.sts.token.validator.TokenValidator; +import org.apache.cxf.sts.token.validator.TokenValidatorParameters; +import org.apache.cxf.sts.token.validator.TokenValidatorResponse; +import org.apache.cxf.ws.security.tokenstore.TokenStore; +import org.apache.ws.security.CustomTokenPrincipal; +import org.apache.ws.security.WSConstants; +import org.apache.ws.security.WSSecurityException; +import org.apache.ws.security.components.crypto.Crypto; +import org.apache.ws.security.components.crypto.CryptoFactory; +import org.apache.ws.security.util.XmlSchemaDateFormat; +import org.junit.BeforeClass; + +/** + * Some unit tests for renewing a SAML token via the SAMLTokenRenewer. + */ +public class SAMLTokenRenewerTest extends org.junit.Assert { + + private static TokenStore tokenStore; + + @BeforeClass + public static void init() { + tokenStore = new DefaultInMemoryTokenStore(); + } + + /** + * Renew an expired SAML1 Assertion + */ + @org.junit.Test + public void renewExpiredSAML1Assertion() throws Exception { + // Create the Assertion + Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); + CallbackHandler callbackHandler = new PasswordCallbackHandler(); + Element samlToken = + createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50); + Document doc = samlToken.getOwnerDocument(); + samlToken = (Element)doc.appendChild(samlToken); + // Sleep to expire the token + Thread.sleep(1000); + + // Validate the Assertion + TokenValidator samlTokenValidator = new SAMLTokenValidator(); + TokenValidatorParameters validatorParameters = createValidatorParameters(); + TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); + ReceivedToken validateTarget = new ReceivedToken(samlToken); + tokenRequirements.setValidateTarget(validateTarget); + validatorParameters.setToken(validateTarget); + + assertTrue(samlTokenValidator.canHandleToken(validateTarget)); + + TokenValidatorResponse validatorResponse = + samlTokenValidator.validateToken(validatorParameters); + assertTrue(validatorResponse != null); + assertTrue(validatorResponse.getToken() != null); + assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED); + + // Renew the Assertion + TokenRenewerParameters renewerParameters = new TokenRenewerParameters(); + renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy"); + renewerParameters.setStsProperties(validatorParameters.getStsProperties()); + renewerParameters.setPrincipal(new CustomTokenPrincipal("alice")); + renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext()); + renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements()); + renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements()); + renewerParameters.setTokenStore(validatorParameters.getTokenStore()); + renewerParameters.setToken(validatorResponse.getToken()); + + TokenRenewer samlTokenRenewer = new SAMLTokenRenewer(); + assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken())); + + TokenRenewerResponse renewerResponse = + samlTokenRenewer.renewToken(renewerParameters); + assertTrue(renewerResponse != null); + assertTrue(renewerResponse.getToken() != null); + + // Now validate it again + validateTarget = new ReceivedToken(renewerResponse.getToken()); + tokenRequirements.setValidateTarget(validateTarget); + validatorParameters.setToken(validateTarget); + + validatorResponse = samlTokenValidator.validateToken(validatorParameters); + assertTrue(validatorResponse != null); + assertTrue(validatorResponse.getToken() != null); + assertTrue(validatorResponse.getToken().getState() == STATE.VALID); + } + + /** + * Renew an expired SAML1 Assertion without using the cache + */ + @org.junit.Test + public void renewExpiredSAML1AssertionNoCache() throws Exception { + // Create the Assertion + Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); + CallbackHandler callbackHandler = new PasswordCallbackHandler(); + Element samlToken = + createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50); + Document doc = samlToken.getOwnerDocument(); + samlToken = (Element)doc.appendChild(samlToken); + // Sleep to expire the token + Thread.sleep(1000); + + // Validate the Assertion + TokenValidator samlTokenValidator = new SAMLTokenValidator(); + TokenValidatorParameters validatorParameters = createValidatorParameters(); + validatorParameters.setTokenStore(null); + TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); + ReceivedToken validateTarget = new ReceivedToken(samlToken); + tokenRequirements.setValidateTarget(validateTarget); + validatorParameters.setToken(validateTarget); + + assertTrue(samlTokenValidator.canHandleToken(validateTarget)); + + TokenValidatorResponse validatorResponse = + samlTokenValidator.validateToken(validatorParameters); + assertTrue(validatorResponse != null); + assertTrue(validatorResponse.getToken() != null); + assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED); + + // Renew the Assertion + TokenRenewerParameters renewerParameters = new TokenRenewerParameters(); + renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy"); + renewerParameters.setStsProperties(validatorParameters.getStsProperties()); + renewerParameters.setPrincipal(new CustomTokenPrincipal("alice")); + renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext()); + renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements()); + renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements()); + renewerParameters.setTokenStore(validatorParameters.getTokenStore()); + renewerParameters.setToken(validatorResponse.getToken()); + + TokenRenewer samlTokenRenewer = new SAMLTokenRenewer(); + assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken())); + + TokenRenewerResponse renewerResponse = + samlTokenRenewer.renewToken(renewerParameters); + assertTrue(renewerResponse != null); + assertTrue(renewerResponse.getToken() != null); + + // Now validate it again + validateTarget = new ReceivedToken(renewerResponse.getToken()); + tokenRequirements.setValidateTarget(validateTarget); + validatorParameters.setToken(validateTarget); + + validatorResponse = samlTokenValidator.validateToken(validatorParameters); + assertTrue(validatorResponse != null); + assertTrue(validatorResponse.getToken() != null); + assertTrue(validatorResponse.getToken().getState() == STATE.VALID); + } + + /** + * Renew an expired SAML2 Assertion + */ + @org.junit.Test + public void renewExpiredSAML2Assertion() throws Exception { + // Create the Assertion + Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); + CallbackHandler callbackHandler = new PasswordCallbackHandler(); + Element samlToken = + createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50); + Document doc = samlToken.getOwnerDocument(); + samlToken = (Element)doc.appendChild(samlToken); + // Sleep to expire the token + Thread.sleep(1000); + + // Validate the Assertion + TokenValidator samlTokenValidator = new SAMLTokenValidator(); + TokenValidatorParameters validatorParameters = createValidatorParameters(); + TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); + ReceivedToken validateTarget = new ReceivedToken(samlToken); + tokenRequirements.setValidateTarget(validateTarget); + validatorParameters.setToken(validateTarget); + + assertTrue(samlTokenValidator.canHandleToken(validateTarget)); + + TokenValidatorResponse validatorResponse = + samlTokenValidator.validateToken(validatorParameters); + assertTrue(validatorResponse != null); + assertTrue(validatorResponse.getToken() != null); + assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED); + + // Renew the Assertion + TokenRenewerParameters renewerParameters = new TokenRenewerParameters(); + renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy"); + renewerParameters.setStsProperties(validatorParameters.getStsProperties()); + renewerParameters.setPrincipal(new CustomTokenPrincipal("alice")); + renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext()); + renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements()); + renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements()); + renewerParameters.setTokenStore(validatorParameters.getTokenStore()); + renewerParameters.setToken(validatorResponse.getToken()); + + TokenRenewer samlTokenRenewer = new SAMLTokenRenewer(); + assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken())); + + TokenRenewerResponse renewerResponse = + samlTokenRenewer.renewToken(renewerParameters); + assertTrue(renewerResponse != null); + assertTrue(renewerResponse.getToken() != null); + + // Now validate it again + validateTarget = new ReceivedToken(renewerResponse.getToken()); + tokenRequirements.setValidateTarget(validateTarget); + validatorParameters.setToken(validateTarget); + + validatorResponse = samlTokenValidator.validateToken(validatorParameters); + assertTrue(validatorResponse != null); + assertTrue(validatorResponse.getToken() != null); + assertTrue(validatorResponse.getToken().getState() == STATE.VALID); + } + + /** + * Renew an expired SAML2 Assertion without using the cache + */ + @org.junit.Test + public void renewExpiredSAML2AssertionNoCache() throws Exception { + // Create the Assertion + Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); + CallbackHandler callbackHandler = new PasswordCallbackHandler(); + Element samlToken = + createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50); + Document doc = samlToken.getOwnerDocument(); + samlToken = (Element)doc.appendChild(samlToken); + // Sleep to expire the token + Thread.sleep(1000); + + // Validate the Assertion + TokenValidator samlTokenValidator = new SAMLTokenValidator(); + TokenValidatorParameters validatorParameters = createValidatorParameters(); + validatorParameters.setTokenStore(null); + TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); + ReceivedToken validateTarget = new ReceivedToken(samlToken); + tokenRequirements.setValidateTarget(validateTarget); + validatorParameters.setToken(validateTarget); + + assertTrue(samlTokenValidator.canHandleToken(validateTarget)); + + TokenValidatorResponse validatorResponse = + samlTokenValidator.validateToken(validatorParameters); + assertTrue(validatorResponse != null); + assertTrue(validatorResponse.getToken() != null); + assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED); + + // Renew the Assertion + TokenRenewerParameters renewerParameters = new TokenRenewerParameters(); + renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy"); + renewerParameters.setStsProperties(validatorParameters.getStsProperties()); + renewerParameters.setPrincipal(new CustomTokenPrincipal("alice")); + renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext()); + renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements()); + renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements()); + renewerParameters.setTokenStore(validatorParameters.getTokenStore()); + renewerParameters.setToken(validatorResponse.getToken()); + + TokenRenewer samlTokenRenewer = new SAMLTokenRenewer(); + assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken())); + + TokenRenewerResponse renewerResponse = + samlTokenRenewer.renewToken(renewerParameters); + assertTrue(renewerResponse != null); + assertTrue(renewerResponse.getToken() != null); + + // Now validate it again + validateTarget = new ReceivedToken(renewerResponse.getToken()); + tokenRequirements.setValidateTarget(validateTarget); + validatorParameters.setToken(validateTarget); + + validatorResponse = samlTokenValidator.validateToken(validatorParameters); + assertTrue(validatorResponse != null); + assertTrue(validatorResponse.getToken() != null); + assertTrue(validatorResponse.getToken().getState() == STATE.VALID); + } + + + private TokenValidatorParameters createValidatorParameters() throws WSSecurityException { + TokenValidatorParameters parameters = new TokenValidatorParameters(); + + TokenRequirements tokenRequirements = new TokenRequirements(); + parameters.setTokenRequirements(tokenRequirements); + + KeyRequirements keyRequirements = new KeyRequirements(); + parameters.setKeyRequirements(keyRequirements); + + parameters.setPrincipal(new CustomTokenPrincipal("alice")); + // Mock up message context + MessageImpl msg = new MessageImpl(); + WrappedMessageContext msgCtx = new WrappedMessageContext(msg); + WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx); + parameters.setWebServiceContext(webServiceContext); + + // Add STSProperties object + StaticSTSProperties stsProperties = new StaticSTSProperties(); + Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); + stsProperties.setEncryptionCrypto(crypto); + stsProperties.setSignatureCrypto(crypto); + stsProperties.setEncryptionUsername("myservicekey"); + stsProperties.setSignatureUsername("mystskey"); + stsProperties.setCallbackHandler(new PasswordCallbackHandler()); + stsProperties.setIssuer("STS"); + parameters.setStsProperties(stsProperties); + parameters.setTokenStore(tokenStore); + + return parameters; + } + + private Element createSAMLAssertion( + String tokenType, Crypto crypto, String signatureUsername, + CallbackHandler callbackHandler, long ttlMs + ) throws WSSecurityException { + SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider(); + DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider(); + conditionsProvider.setAcceptClientLifetime(true); + samlTokenProvider.setConditionsProvider(conditionsProvider); + TokenProviderParameters providerParameters = + createProviderParameters( + tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler + ); + + if (ttlMs != 0) { + Lifetime lifetime = new Lifetime(); + Date creationTime = new Date(); + Date expirationTime = new Date(); + expirationTime.setTime(creationTime.getTime() + ttlMs); + + XmlSchemaDateFormat fmt = new XmlSchemaDateFormat(); + lifetime.setCreated(fmt.format(creationTime)); + lifetime.setExpires(fmt.format(expirationTime)); + + providerParameters.getTokenRequirements().setLifetime(lifetime); + } + + TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); + assertTrue(providerResponse != null); + assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null); + + return providerResponse.getToken(); + } + + private TokenProviderParameters createProviderParameters( + String tokenType, String keyType, Crypto crypto, + String signatureUsername, CallbackHandler callbackHandler + ) throws WSSecurityException { + TokenProviderParameters parameters = new TokenProviderParameters(); + + TokenRequirements tokenRequirements = new TokenRequirements(); + tokenRequirements.setTokenType(tokenType); + parameters.setTokenRequirements(tokenRequirements); + + KeyRequirements keyRequirements = new KeyRequirements(); + keyRequirements.setKeyType(keyType); + parameters.setKeyRequirements(keyRequirements); + + parameters.setPrincipal(new CustomTokenPrincipal("alice")); + // Mock up message context + MessageImpl msg = new MessageImpl(); + WrappedMessageContext msgCtx = new WrappedMessageContext(msg); + WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx); + parameters.setWebServiceContext(webServiceContext); + + parameters.setAppliesToAddress("http://dummy-service.com/dummy"); + + // Add STSProperties object + StaticSTSProperties stsProperties = new StaticSTSProperties(); + stsProperties.setSignatureCrypto(crypto); + stsProperties.setSignatureUsername(signatureUsername); + stsProperties.setCallbackHandler(callbackHandler); + stsProperties.setIssuer("STS"); + parameters.setStsProperties(stsProperties); + + parameters.setEncryptionProperties(new EncryptionProperties()); + parameters.setTokenStore(tokenStore); + + return parameters; + } + + private Properties getEncryptionProperties() { + Properties properties = new Properties(); + properties.put( + "org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin" + ); + properties.put("org.apache.ws.security.crypto.merlin.keystore.password", "stsspass"); + properties.put("org.apache.ws.security.crypto.merlin.keystore.file", "stsstore.jks"); + + return properties; + } + + +} Modified: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml?rev=1309846&r1=1309845&r2=1309846&view=diff ============================================================================== --- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml (original) +++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts.xml Thu Apr 5 13:31:43 2012 @@ -53,7 +53,6 @@ - - - - - - - @@ -111,10 +104,6 @@ - - - - @@ -129,9 +118,6 @@ - - -