cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1414652 [1/2] - in /cxf/trunk: osgi/bundle/all/ osgi/bundle/minimal/ osgi/karaf/features/src/main/resources/ rt/ rt/security/ rt/security/src/ rt/security/src/main/ rt/security/src/main/java/ rt/security/src/main/java/org/ rt/security/src/...
Date Wed, 28 Nov 2012 12:47:34 GMT
Author: coheigea
Date: Wed Nov 28 12:47:26 2012
New Revision: 1414652

URL: http://svn.apache.org/viewvc?rev=1414652&view=rev
Log:
[CXF-4657] - Add XACML functionality to CXF runtime

Added:
    cxf/trunk/rt/security/
    cxf/trunk/rt/security/pom.xml
    cxf/trunk/rt/security/src/
    cxf/trunk/rt/security/src/main/
    cxf/trunk/rt/security/src/main/java/
    cxf/trunk/rt/security/src/main/java/org/
    cxf/trunk/rt/security/src/main/java/org/apache/
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
    cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
    cxf/trunk/rt/security/src/test/
    cxf/trunk/rt/security/src/test/java/
    cxf/trunk/rt/security/src/test/java/org/
    cxf/trunk/rt/security/src/test/java/org/apache/
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
    cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/server/XACMLAuthorizingInterceptor.java
Modified:
    cxf/trunk/osgi/bundle/all/pom.xml
    cxf/trunk/osgi/bundle/minimal/pom.xml
    cxf/trunk/osgi/karaf/features/src/main/resources/features.xml
    cxf/trunk/rt/pom.xml
    cxf/trunk/systests/ws-security/pom.xml
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml

Modified: cxf/trunk/osgi/bundle/all/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/osgi/bundle/all/pom.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/osgi/bundle/all/pom.xml (original)
+++ cxf/trunk/osgi/bundle/all/pom.xml Wed Nov 28 12:47:26 2012
@@ -301,6 +301,11 @@
         </dependency>
         <dependency>
             <groupId>${project.groupId}</groupId>
+            <artifactId>cxf-rt-security</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>${project.groupId}</groupId>
             <artifactId>cxf-rt-ws-policy</artifactId>
             <version>${project.version}</version>
         </dependency>

Modified: cxf/trunk/osgi/bundle/minimal/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/osgi/bundle/minimal/pom.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/osgi/bundle/minimal/pom.xml (original)
+++ cxf/trunk/osgi/bundle/minimal/pom.xml Wed Nov 28 12:47:26 2012
@@ -112,6 +112,11 @@
         </dependency>
         <dependency>
             <groupId>${project.groupId}</groupId>
+            <artifactId>cxf-rt-security</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>${project.groupId}</groupId>
             <artifactId>cxf-rt-ws-policy</artifactId>
             <version>${project.version}</version>
         </dependency>

Modified: cxf/trunk/osgi/karaf/features/src/main/resources/features.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/osgi/karaf/features/src/main/resources/features.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/osgi/karaf/features/src/main/resources/features.xml (original)
+++ cxf/trunk/osgi/karaf/features/src/main/resources/features.xml Wed Nov 28 12:47:26 2012
@@ -111,6 +111,10 @@
         <bundle start-level='40' dependency="true">mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.ehcache/${cxf.ehcache.bundle.version}</bundle>
         <bundle start-level='40'>mvn:org.apache.cxf/cxf-rt-ws-security/${project.version}</bundle>
     </feature>
+    <feature name="cxf-rt-security" version="${project.version}" resolver='(obr)'>
+        <feature version="${cxf.wss4j.version}">wss4j</feature>
+        <bundle start-level='40'>mvn:org.apache.cxf/cxf-rt-security/${project.version}</bundle>
+    </feature>
     <feature name="cxf-http" version="${project.version}" resolver='(obr)'>
         <feature version="${project.version}">cxf-core</feature>
         <feature version="[2,4)">http-whiteboard</feature>

Modified: cxf/trunk/rt/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/pom.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/rt/pom.xml (original)
+++ cxf/trunk/rt/pom.xml Wed Nov 28 12:47:26 2012
@@ -65,6 +65,7 @@
         <module>management</module>
         <module>management-web</module>
         <module>javascript</module>
+        <module>security</module>
     </modules>
 
 </project>

Added: cxf/trunk/rt/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/pom.xml?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/pom.xml (added)
+++ cxf/trunk/rt/security/pom.xml Wed Nov 28 12:47:26 2012
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cxf-rt-security</artifactId>
+    <packaging>jar</packaging>
+    <name>Apache CXF Runtime Security functionality</name>
+    <description>Apache CXF Runtime Security functionality</description>
+    <url>http://cxf.apache.org</url>
+
+    <parent>
+        <groupId>org.apache.cxf</groupId>
+        <artifactId>cxf-parent</artifactId>
+        <version>2.7.1-SNAPSHOT</version>
+        <relativePath>../../parent/pom.xml</relativePath>
+    </parent>
+    <properties>
+        <cxf.osgi.import>
+            org.opensaml*,
+        </cxf.osgi.import>
+    </properties>
+
+    <dependencies>
+       <dependency>
+           <groupId>org.apache.cxf</groupId>
+           <artifactId>cxf-rt-core</artifactId>
+           <version>${project.version}</version>
+       </dependency>
+       <dependency>
+            <groupId>org.apache.ws.security</groupId>
+            <artifactId>wss4j</artifactId>
+            <version>${cxf.wss4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>xerces</groupId>
+                    <artifactId>xercesImpl</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>xml-apis</groupId>
+                    <artifactId>xml-apis</artifactId>
+                </exclusion>
+            </exclusions>
+       </dependency>
+       <dependency>
+           <groupId>commons-logging</groupId>
+           <artifactId>commons-logging</artifactId>
+       </dependency>
+       <dependency>
+           <groupId>junit</groupId>
+           <artifactId>junit</artifactId>
+           <scope>test</scope>
+       </dependency>
+
+    </dependencies>
+
+</project>

Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,150 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.opensaml.xacml.ctx.DecisionType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+
+
+/**
+ * An abstract interceptor to perform an XACML authorization request to a remote PDP,
+ * and make an authorization decision based on the response. It takes the principal and roles
+ * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
+ * statement. 
+ * 
+ * This class must be subclassed to actually perform the request to the PDP.
+ */
+public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
+    
+    private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
+    
+    private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
+    
+    public AbstractXACMLAuthorizingInterceptor() {
+        super(Phase.PRE_INVOKE);
+        OpenSAMLUtil.initSamlEngine();
+    }
+    
+    public void handleMessage(Message message) throws Fault {
+        SecurityContext sc = message.get(SecurityContext.class);
+        
+        if (sc instanceof LoginSecurityContext) {
+            Principal principal = sc.getUserPrincipal();
+            
+            LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
+            Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
+            List<String> roles = new ArrayList<String>();
+            if (principalRoles != null) {
+                for (Principal p : principalRoles) {
+                    if (p != principal) {
+                        roles.add(p.getName());
+                    }
+                }
+            }
+            
+            try {
+                if (authorize(principal, roles, message)) {
+                    return;
+                }
+            } catch (Exception e) {
+                LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
+                throw new AccessDeniedException("Unauthorized");
+            }
+        }
+        
+        throw new AccessDeniedException("Unauthorized");
+    }
+    
+    public XACMLRequestBuilder getRequestBuilder() {
+        return requestBuilder;
+    }
+
+    public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
+        this.requestBuilder = requestBuilder;
+    }
+
+    /**
+     * Perform a (remote) authorization decision and return a boolean depending on the result
+     */
+    protected boolean authorize(
+        Principal principal, List<String> roles, Message message
+    ) throws Exception {
+        RequestType request = requestBuilder.createRequest(principal, roles, message);
+        
+        ResponseType response = performRequest(request, message);
+        
+        ResultType result = response.getResult();
+        
+        // Handle any Obligations returned by the PDP
+        handleObligations(request, principal, message, result);
+        
+        String resource = requestBuilder.getResource(message);
+        if (result != null 
+            && (result.getResourceId() == null || resource.equals(result.getResourceId()))
+            && (result.getDecision().getDecision() == DecisionType.DECISION.Permit)) {
+            LOG.fine("XACML authorization permitted");
+            return true;
+        }
+        LOG.fine("XACML authorization not permitted:");
+        if (result != null && result.getStatus() != null) {
+            if (result.getStatus().getStatusCode() != null) {
+                LOG.fine("XACML Status Code: " + result.getStatus().getStatusCode().getValue());
+            }
+            if (result.getStatus().getStatusMessage() != null) {
+                LOG.fine("XACML Status Message: " + result.getStatus().getStatusMessage().getValue());
+            }
+        }
+        
+        return false;
+    }
+    
+    public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
+    
+    /**
+     * Handle any Obligations returned by the PDP
+     */
+    protected void handleObligations(
+        RequestType request,
+        Principal principal,
+        Message message,
+        ResultType result
+    ) throws Exception {
+        // Do nothing by default
+    }
+    
+}

Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,236 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.interceptor.security.SAMLSecurityContext;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.joda.time.DateTime;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+
+/**
+ * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
+ * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
+ * and the list of roles associated with that principal are inserted as Subject roles.
+ * 
+ * The action to send defaults to "execute". The resource is the WSDL Operation for a SOAP service,
+ * and the request URI for a REST service. You can also configure the ability to send the full
+ * request URL instead for a SOAP or REST service. The current DateTime is also sent in an
+ * Environment, however this can be disabled via configuration. 
+ */
+public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
+    
+    private String action = "execute";
+    private boolean sendDateTime = true;
+    private boolean sendFullRequestURL;
+    
+    /**
+     * Set a new Action String to use
+     */
+    public void setAction(String newAction) {
+        action = newAction;
+    }
+    
+    /**
+     * Get the Action String currently in use
+     */
+    public String getAction() {
+        return action;
+    }
+    
+    /**
+     * Create an XACML Request given a Principal, list of roles and Message.
+     */
+    public RequestType createRequest(
+        Principal principal, List<String> roles, Message message
+    ) throws Exception {
+        String issuer = getIssuer(message);
+        String resource = getResource(message);
+        String actionToUse = getAction(message);
+        
+        // Subject
+        List<AttributeType> attributes = new ArrayList<AttributeType>();
+        AttributeValueType subjectIdAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(principal.getName());
+        AttributeType subjectIdAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.SUBJECT_ID,
+                    XACMLConstants.XS_STRING,
+                    issuer,
+                    Collections.singletonList(subjectIdAttributeValue)
+            );
+        attributes.add(subjectIdAttribute);
+        
+        for (String role : roles) {
+            AttributeValueType subjectRoleAttributeValue = 
+                RequestComponentBuilder.createAttributeValueType(role);
+            AttributeType subjectRoleAttribute = 
+                RequestComponentBuilder.createAttributeType(
+                        XACMLConstants.SUBJECT_ROLE,
+                        XACMLConstants.XS_ANY_URI,
+                        issuer,
+                        Collections.singletonList(subjectRoleAttributeValue)
+                );
+            attributes.add(subjectRoleAttribute);
+        }
+        SubjectType subjectType = RequestComponentBuilder.createSubjectType(attributes, null);
+        
+        // Resource
+        AttributeValueType resourceAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(resource);
+        AttributeType resourceAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.RESOURCE_ID,
+                    XACMLConstants.XS_STRING,
+                    null,
+                    Collections.singletonList(resourceAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(resourceAttribute);
+        ResourceType resourceType = RequestComponentBuilder.createResourceType(attributes, null);
+        
+        // Action
+        AttributeValueType actionAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(actionToUse);
+        AttributeType actionAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.ACTION_ID,
+                    XACMLConstants.XS_STRING,
+                    null,
+                    Collections.singletonList(actionAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(actionAttribute);
+        ActionType actionType = RequestComponentBuilder.createActionType(attributes);
+        
+        // Environment
+        EnvironmentType environmentType = null;
+        if (sendDateTime) {
+            DateTime dateTime = new DateTime();
+            AttributeValueType environmentAttributeValue = 
+                RequestComponentBuilder.createAttributeValueType(dateTime.toString());
+            AttributeType environmentAttribute = 
+                RequestComponentBuilder.createAttributeType(
+                        XACMLConstants.CURRENT_DATETIME,
+                        XACMLConstants.XS_DATETIME,
+                        null,
+                        Collections.singletonList(environmentAttributeValue)
+                );
+            attributes.clear();
+            attributes.add(environmentAttribute);
+            environmentType = RequestComponentBuilder.createEnvironmentType(attributes);
+        }
+        
+        // Request
+        RequestType request = 
+            RequestComponentBuilder.createRequestType(
+                Collections.singletonList(subjectType), 
+                Collections.singletonList(resourceType), 
+                actionType, 
+                environmentType
+            );
+        
+        return request;
+    }
+    
+    /**
+     * Get the Issuer of the SAML Assertion
+     */
+    private String getIssuer(Message message) throws WSSecurityException {
+        SecurityContext sc = message.get(SecurityContext.class);
+        
+        if (sc instanceof SAMLSecurityContext) {
+            Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
+            if (assertionElement != null) {
+                AssertionWrapper wrapper = new AssertionWrapper(assertionElement);
+                return wrapper.getIssuerString();
+            }
+        }
+        
+        return null;
+    }
+
+    public boolean isSendDateTime() {
+        return sendDateTime;
+    }
+
+    public void setSendDateTime(boolean sendDateTime) {
+        this.sendDateTime = sendDateTime;
+    }
+
+    public boolean isSendFullRequestURL() {
+        return sendFullRequestURL;
+    }
+
+    /**
+     * Whether to send the full Request URL as the resource or not. If set to true,
+     * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
+     * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
+     * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
+     */
+    public void setSendFullRequestURL(boolean sendFullRequestURL) {
+        this.sendFullRequestURL = sendFullRequestURL;
+    }
+    
+    
+    /**
+     * Return the Resource that has been inserted into the Request
+     */
+    public String getResource(Message message) {
+        if (message == null) {
+            return null;
+        }
+        String resource = null;
+        if (sendFullRequestURL) {
+            resource = (String)message.get(Message.REQUEST_URL);
+        } else if (message.get(Message.WSDL_OPERATION) != null) {
+            resource = message.get(Message.WSDL_OPERATION).toString();
+        } else {
+            resource = (String)message.get(Message.REQUEST_URI);
+        }
+        return resource;
+    }
+    
+    private String getAction(Message message) {
+        String actionToUse = action;
+        // For REST use the HTTP Verb
+        if (message.get(Message.WSDL_OPERATION) == null
+            && message.get(Message.HTTP_REQUEST_METHOD) != null) {
+            actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD);
+        }
+        return actionToUse;
+    }
+}

Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,182 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.List;
+
+import org.opensaml.Configuration;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceContentType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+
+/**
+ * A set of utility methods to construct XACML 2.0 Request statements
+ */
+public final class RequestComponentBuilder {
+    private static volatile XACMLObjectBuilder<AttributeValueType> attributeValueTypeBuilder;
+    
+    private static volatile XACMLObjectBuilder<AttributeType> attributeTypeBuilder;
+    
+    private static volatile XACMLObjectBuilder<SubjectType> subjectTypeBuilder;
+    
+    private static volatile XACMLObjectBuilder<ResourceType> resourceTypeBuilder;
+    
+    private static volatile XACMLObjectBuilder<ActionType> actionTypeBuilder;
+    
+    private static volatile XACMLObjectBuilder<EnvironmentType> environmentTypeBuilder;
+    
+    private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder;
+    
+    private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+    
+    private RequestComponentBuilder() {
+        // complete
+    }
+
+    @SuppressWarnings("unchecked")
+    public static AttributeValueType createAttributeValueType(
+        String value
+    ) {
+        if (attributeValueTypeBuilder == null) {
+            attributeValueTypeBuilder = (XACMLObjectBuilder<AttributeValueType>)
+                builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
+        }
+        AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
+        attributeValue.setValue(value);
+        
+        return attributeValue;
+    }
+    
+    @SuppressWarnings("unchecked")
+    public static AttributeType createAttributeType(
+        String attributeId,
+        String dataType,
+        String issuer,
+        List<AttributeValueType> attributeValues
+    ) {
+        if (attributeTypeBuilder == null) {
+            attributeTypeBuilder = (XACMLObjectBuilder<AttributeType>)
+                builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
+        }
+        AttributeType attributeType = attributeTypeBuilder.buildObject();
+        attributeType.setAttributeID(attributeId);
+        attributeType.setDataType(dataType);
+        attributeType.setIssuer(issuer);
+        attributeType.getAttributeValues().addAll(attributeValues);
+        
+        return attributeType;
+    }
+    
+    @SuppressWarnings("unchecked")
+    public static SubjectType createSubjectType(
+        List<AttributeType> attributes,
+        String subjectCategory
+    ) {
+        if (subjectTypeBuilder == null) {
+            subjectTypeBuilder = (XACMLObjectBuilder<SubjectType>)
+                builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
+        }
+        SubjectType subject = subjectTypeBuilder.buildObject();
+        if (attributes != null) {
+            subject.getAttributes().addAll(attributes);
+        }
+        subject.setSubjectCategory(subjectCategory);
+        
+        return subject;
+    }
+    
+    @SuppressWarnings("unchecked")
+    public static ResourceType createResourceType(
+        List<AttributeType> attributes,
+        ResourceContentType resourceContent
+    ) {
+        if (resourceTypeBuilder == null) {
+            resourceTypeBuilder = (XACMLObjectBuilder<ResourceType>)
+                builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
+        }
+        ResourceType resource = resourceTypeBuilder.buildObject();
+        if (attributes != null) {
+            resource.getAttributes().addAll(attributes);
+        }
+        resource.setResourceContent(resourceContent);
+        
+        return resource;
+    }
+    
+    @SuppressWarnings("unchecked")
+    public static ActionType createActionType(
+        List<AttributeType> attributes
+    ) {
+        if (actionTypeBuilder == null) {
+            actionTypeBuilder = (XACMLObjectBuilder<ActionType>)
+                builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
+        }
+        ActionType action = actionTypeBuilder.buildObject();
+        if (attributes != null) {
+            action.getAttributes().addAll(attributes);
+        }
+        
+        return action;
+    }
+    
+    @SuppressWarnings("unchecked")
+    public static EnvironmentType createEnvironmentType(
+        List<AttributeType> attributes
+    ) {
+        if (environmentTypeBuilder == null) {
+            environmentTypeBuilder = (XACMLObjectBuilder<EnvironmentType>)
+                builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
+        }
+        EnvironmentType enviroment = environmentTypeBuilder.buildObject();
+        if (attributes != null) {
+            enviroment.getAttributes().addAll(attributes);
+        }
+        
+        return enviroment;
+    }
+    
+    @SuppressWarnings("unchecked")
+    public static RequestType createRequestType(
+        List<SubjectType> subjects,
+        List<ResourceType> resources,
+        ActionType action,
+        EnvironmentType environment
+    ) {
+        if (requestTypeBuilder == null) {
+            requestTypeBuilder = (XACMLObjectBuilder<RequestType>)
+                builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
+        }
+        RequestType request = requestTypeBuilder.buildObject();
+        request.getSubjects().addAll(subjects);
+        request.getResources().addAll(resources);
+        request.setAction(action);
+        request.setEnvironment(environment);
+        
+        return request;
+    }
+    
+}

Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,117 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.UUID;
+
+import org.joda.time.DateTime;
+import org.opensaml.Configuration;
+import org.opensaml.common.SAMLObjectBuilder;
+import org.opensaml.common.SAMLVersion;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
+import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+
+/**
+ * A set of utility methods to construct XACML SAML Request statements, based on the
+ * SAML 2.0 profile of XACML v2.0 specification.
+ */
+public final class SamlRequestComponentBuilder {
+    private static volatile XACMLObjectBuilder<XACMLAuthzDecisionQueryType> xacmlAuthzDecisionQueryTypeBuilder;
+    
+    private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
+    
+    private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+    
+    private SamlRequestComponentBuilder() {
+        // complete
+    }
+    
+    /**
+     * Create an AuthzDecisionQuery using the defaults
+     */
+    public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
+        String issuerValue,
+        RequestType request,
+        String namespace
+    ) {
+        return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
+    }
+    
+    @SuppressWarnings("unchecked")
+    public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
+        boolean inputContextOnly,
+        boolean returnContext,
+        String issuerValue,
+        RequestType request,
+        String namespace
+    ) {
+        if (xacmlAuthzDecisionQueryTypeBuilder == null) {
+            xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>)
+                builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
+        }
+        XACMLAuthzDecisionQueryType authzQuery = 
+            xacmlAuthzDecisionQueryTypeBuilder.buildObject(
+                namespace,
+                XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
+                SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
+            );
+        authzQuery.setID("_" + UUID.randomUUID().toString());
+        authzQuery.setVersion(SAMLVersion.VERSION_20);
+        authzQuery.setIssueInstant(new DateTime());
+        authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
+        authzQuery.setReturnContext(Boolean.valueOf(returnContext));
+        
+        if (issuerValue != null) {
+            Issuer issuer = createIssuer(issuerValue);
+            authzQuery.setIssuer(issuer);
+        }
+        
+        authzQuery.setRequest(request);
+        
+        return authzQuery;
+    }
+    
+    
+    /**
+     * Create an Issuer object
+     *
+     * @param issuerValue of type String
+     * @return an Issuer object
+     */
+    @SuppressWarnings("unchecked")
+    public static Issuer createIssuer(String issuerValue) {
+        if (issuerBuilder == null) {
+            issuerBuilder = (SAMLObjectBuilder<Issuer>) 
+                builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
+            
+        }
+        Issuer issuer = issuerBuilder.buildObject();
+        //
+        // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD 
+        // be unambiguous to the intended relying parties.
+        issuer.setValue(issuerValue);
+        return issuer;
+    }
+
+}

Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,197 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+
+
+/**
+ * XACML 1.x and 2.0 Constants.
+ */
+public final class XACMLConstants {
+    
+    //
+    // Attributes
+    //
+    
+    public static final String CURRENT_TIME = 
+        "urn:oasis:names:tc:xacml:1.0:environment:current-time";
+    public static final String CURRENT_DATE = 
+        "urn:oasis:names:tc:xacml:1.0:environment:current-date";
+    public static final String CURRENT_DATETIME = 
+        "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime";
+
+    //
+    // Identifiers
+    //
+    
+    public static final String SUBJECT_DNS_NAME = 
+        "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name";
+    public static final String SUBJECT_IP_ADDR = 
+        "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address";
+    public static final String SUBJECT_AUTHN_METHOD = 
+        "urn:oasis:names:tc:xacml:1.0:subject:authentication-method";
+    public static final String SUBJECT_AUTHN_TIME = 
+        "urn:oasis:names:tc:xacml:1.0:subject:authentication-time";
+    public static final String SUBJECT_KEY_INFO = 
+        "urn:oasis:names:tc:xacml:1.0:subject:key-info";
+    public static final String SUBJECT_REQ_TIME = 
+        "urn:oasis:names:tc:xacml:1.0:subject:request-time";
+    public static final String SUBJECT_START_TIME = 
+        "urn:oasis:names:tc:xacml:1.0:subject:session-start-time";
+    public static final String SUBJECT_ID = 
+        "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
+    public static final String SUBJECT_ID_QUALIFIER = 
+        "urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier";
+    public static final String SUBJECT_CAT_ACCESS_SUBJECT = 
+        "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
+    public static final String SUBJECT_CAT_CODEBASE = 
+        "urn:oasis:names:tc:xacml:1.0:subject-category:codebase";
+    public static final String SUBJECT_CAT_INTERMED_SUBJECT = 
+        "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject";
+    public static final String SUBJECT_CAT_REC_SUBJECT = 
+        "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject";
+    public static final String SUBJECT_CAT_REQ_MACHINE = 
+        "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine";
+    public static final String RESOURCE_LOC = 
+        "urn:oasis:names:tc:xacml:1.0:resource:resource-location";
+    public static final String RESOURCE_ID = 
+        "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
+    public static final String RESOURCE_FILE_NAME = 
+        "urn:oasis:names:tc:xacml:1.0:resource:simple-file-name";
+    public static final String ACTION_ID = 
+        "urn:oasis:names:tc:xacml:1.0:action:action-id";
+    public static final String ACTION_IMPLIED = 
+        "urn:oasis:names:tc:xacml:1.0:action:implied-action";
+    public static final String SUBJECT_ROLE = 
+        "urn:oasis:names:tc:xacml:2.0:subject:role";
+
+
+    //
+    // Datatypes
+    //
+    
+    public static final String XS_STRING = 
+        "http://www.w3.org/2001/XMLSchema#string";
+    public static final String XS_BOOLEAN = 
+        "http://www.w3.org/2001/XMLSchema#boolean";
+    public static final String XS_INT = 
+        "http://www.w3.org/2001/XMLSchema#integer";
+    public static final String XS_DOUBLE = 
+        "http://www.w3.org/2001/XMLSchema#double";
+    public static final String XS_TIME = 
+        "http://www.w3.org/2001/XMLSchema#time";
+    public static final String XS_DATE = 
+        "http://www.w3.org/2001/XMLSchema#date";
+    public static final String XS_DATETIME = 
+        "http://www.w3.org/2001/XMLSchema#dateTime";
+    public static final String XS_ANY_URI = 
+        "http://www.w3.org/2001/XMLSchema#anyURI";
+    public static final String XS_HEX =
+        "http://www.w3.org/2001/XMLSchema#hexBinary";
+    public static final String XS_BASE64 =
+        "http://www.w3.org/2001/XMLSchema#base64Binary";
+    public static final String RFC_822_NAME = 
+        "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name";
+    public static final String X500_NAME = 
+        "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
+
+    //
+    // Functions
+    //
+    public static final String FUNC_STRING_EQUAL =  
+        "urn:oasis:names:tc:xacml:1.0:function:string-equal";
+    public static final String FUNC_BOOL_EQUAL = 
+        "urn:oasis:names:tc:xacml:1.0:function:boolean-equal";
+    public static final String FUNC_INT_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:integer-equal";
+    public static final String FUNC_DOUBLE_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:double-equal";
+    public static final String FUNC_DATE_EQUAL = 
+        "urn:oasis:names:tc:xacml:1.0:function:date-equal";
+    public static final String FUNC_TIME_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:time-equal";
+    public static final String FUNC_DATETIME_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:dateTime-equal";
+    public static final String FUNC_ANY_URI_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal";
+    public static final String FUNC_X500_NAME_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:x500Name-equal";
+    public static final String FUNC_RFC_822_NAME_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal";
+    public static final String FUNC_HEX_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal";
+    public static final String FUNC_BASE64_EQUAL =
+        "urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal";
+ 
+    public static final String FUNC_INT_GT =
+        "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than";
+    public static final String FUNC_INT_GTE =
+        "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal";
+    public static final String FUNC_INT_LT =
+        "urn:oasis:names:tc:xacml:1.0:function:integer-less-than";
+    public static final String FUNC_INT_LTE =
+        "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal";
+    public static final String FUNC_DOUBLE_GT =
+        "urn:oasis:names:tc:xacml:1.0:function:double-greater-than";
+    public static final String FUNC_DOUBLE_GTE =
+        "urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal";
+    public static final String FUNC_DOUBLE_LT =
+        "urn:oasis:names:tc:xacml:1.0:function:double-less-than";
+    public static final String FUNC_DOUBLE_LTE =
+        "urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal";
+
+    public static final String FUNC_STRING_GT =
+        "urn:oasis:names:tc:xacml:1.0:function:string-greater-than";
+    public static final String FUNC_STRING_GTE =
+        "urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal";
+    public static final String FUNC_STRING_LT =
+        "urn:oasis:names:tc:xacml:1.0:function:string-less-than";
+    public static final String FUNC_STRING_LTE =
+        "urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal";
+    public static final String FUNC_TIME_GT =
+        "urn:oasis:names:tc:xacml:1.0:function:time-greater-than";
+    public static final String FUNC_TIME_GTE =
+        "urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal";
+    public static final String FUNC_TIME_LT =
+        "urn:oasis:names:tc:xacml:1.0:function:time-less-than";
+    public static final String FUNC_TIME_LTE =
+        "urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal";
+    public static final String FUNC_DATETIME_GT =
+        "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than";
+    public static final String FUNC_DATETIME_GTE = 
+        "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal";
+    public static final String FUNC_DATETIME_LT =
+        "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than";
+    public static final String FUNC_DATETIME_LTE =
+        "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal";
+    public static final String FUNC_DATE_GT =
+        "urn:oasis:names:tc:xacml:1.0:function:date-greater-than";
+    public static final String FUNC_DATE_GTE =
+        "urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal";
+    public static final String FUNC_DATE_LT =
+        "urn:oasis:names:tc:xacml:1.0:function:date-less-than";
+    public static final String FUNC_DATE_LTE =
+        "urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal";
+
+    
+    private XACMLConstants() {
+        // complete
+    }
+}

Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.opensaml.xacml.ctx.RequestType;
+
+
+/**
+ * This interface defines a way to create an XACML Request.
+ */
+public interface XACMLRequestBuilder {
+    
+    /**
+     * Create an XACML Request given a Principal, list of roles and Message.
+     * 
+     * @param principal The principal to insert into the Subject of the Request
+     * @param roles The list of roles associated with the principal
+     * @param message The Message from which to retrieve the resource
+     * @return An OpenSAML RequestType object
+     * @throws Exception
+     */
+    RequestType createRequest(
+        Principal principal, List<String> roles, Message message
+    ) throws Exception;
+    
+    /**
+     * Return the Resource that has been inserted into the Request.
+     * 
+     * @param message The Message from which to retrieve the resource
+     * @return the Resource that has been inserted into the Request
+     */
+    String getResource(Message message);
+}

Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,222 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.joda.time.DateTime;
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.EnvironmentType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+
+
+/**
+ * Some unit tests to create a XACML Request using the RequestComponentBuilder.
+ */
+public class RequestComponentBuilderTest extends org.junit.Assert {
+    
+    private DocumentBuilder docBuilder;
+    static {
+        OpenSAMLUtil.initSamlEngine();
+    }
+    
+    public RequestComponentBuilderTest() throws ParserConfigurationException {
+        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+        docBuilderFactory.setNamespaceAware(true);
+        docBuilder = docBuilderFactory.newDocumentBuilder();
+    }
+
+    @org.junit.Test
+    public void testCreateXACMLRequest() throws Exception {
+        Document doc = docBuilder.newDocument();
+        
+        // Subject
+        AttributeValueType subjectIdAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "alice-user@apache.org"
+            );
+        AttributeType subjectIdAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.SUBJECT_ID,
+                    XACMLConstants.RFC_822_NAME,
+                    null,
+                    Collections.singletonList(subjectIdAttributeValue)
+            );
+        
+        AttributeValueType subjectGroupAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "manager"
+            );
+        AttributeType subjectGroupAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.SUBJECT_ROLE,
+                    XACMLConstants.XS_ANY_URI,
+                    "admin-user@apache.org",
+                    Collections.singletonList(subjectGroupAttributeValue)
+            );
+        List<AttributeType> attributes = new ArrayList<AttributeType>();
+        attributes.add(subjectIdAttribute);
+        attributes.add(subjectGroupAttribute);
+        SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+        
+        // Resource
+        AttributeValueType resourceAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "{http://www.example.org/contract/DoubleIt}DoubleIt"
+            );
+        AttributeType resourceAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.RESOURCE_ID,
+                    XACMLConstants.XS_STRING,
+                    null,
+                    Collections.singletonList(resourceAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(resourceAttribute);
+        ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+        
+        // Action
+        AttributeValueType actionAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "execute"
+            );
+        AttributeType actionAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.ACTION_ID,
+                    XACMLConstants.XS_STRING,
+                    null,
+                    Collections.singletonList(actionAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(actionAttribute);
+        ActionType action = RequestComponentBuilder.createActionType(attributes);
+        
+        // Request
+        RequestType request = 
+            RequestComponentBuilder.createRequestType(
+                    Collections.singletonList(subject), 
+                    Collections.singletonList(resource), 
+                    action, 
+                    null
+            );
+        
+        Element policyElement = OpenSAMLUtil.toDom(request, doc);
+        // String outputString = DOM2Writer.nodeToString(policyElement);
+        assertNotNull(policyElement);
+    }
+    
+    @org.junit.Test
+    public void testEnvironment() throws Exception {
+        Document doc = docBuilder.newDocument();
+        
+        // Subject
+        AttributeValueType subjectIdAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "alice-user@apache.org"
+            );
+        AttributeType subjectIdAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.SUBJECT_ID,
+                    XACMLConstants.RFC_822_NAME,
+                    null,
+                    Collections.singletonList(subjectIdAttributeValue)
+            );
+        
+        List<AttributeType> attributes = new ArrayList<AttributeType>();
+        attributes.add(subjectIdAttribute);
+        SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+        
+        // Resource
+        AttributeValueType resourceAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "{http://www.example.org/contract/DoubleIt}DoubleIt"
+            );
+        AttributeType resourceAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.RESOURCE_ID,
+                    XACMLConstants.XS_STRING,
+                    null,
+                    Collections.singletonList(resourceAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(resourceAttribute);
+        ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+        
+        // Action
+        AttributeValueType actionAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "execute"
+            );
+        AttributeType actionAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.ACTION_ID,
+                    XACMLConstants.XS_STRING,
+                    null,
+                    Collections.singletonList(actionAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(actionAttribute);
+        ActionType action = RequestComponentBuilder.createActionType(attributes);
+        
+        // Environment
+        DateTime dateTime = new DateTime();
+        AttributeValueType environmentAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(dateTime.toString());
+        AttributeType environmentAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.CURRENT_DATETIME,
+                    XACMLConstants.XS_DATETIME,
+                    null,
+                    Collections.singletonList(environmentAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(environmentAttribute);
+        EnvironmentType environmentType = 
+             RequestComponentBuilder.createEnvironmentType(attributes);
+        
+        // Request
+        RequestType request = 
+            RequestComponentBuilder.createRequestType(
+                    Collections.singletonList(subject), 
+                    Collections.singletonList(resource), 
+                    action, 
+                    environmentType
+            );
+        
+        Element policyElement = OpenSAMLUtil.toDom(request, doc);
+        // String outputString = DOM2Writer.nodeToString(policyElement);
+        assertNotNull(policyElement);
+    }
+    
+}

Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,154 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+
+import org.opensaml.xacml.ctx.ActionType;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.AttributeValueType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResourceType;
+import org.opensaml.xacml.ctx.SubjectType;
+import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
+import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
+
+
+/**
+ * Some unit tests for creating a SAML XACML Request.
+ */
+public class SamlRequestComponentBuilderTest extends org.junit.Assert {
+    
+    private DocumentBuilder docBuilder;
+    static {
+        OpenSAMLUtil.initSamlEngine();
+    }
+    
+    public SamlRequestComponentBuilderTest() throws ParserConfigurationException {
+        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+        docBuilderFactory.setNamespaceAware(true);
+        docBuilder = docBuilderFactory.newDocumentBuilder();
+    }
+
+    @org.junit.Test
+    public void testCreateXACMLSamlAuthzQueryRequest() throws Exception {
+        Document doc = docBuilder.newDocument();
+        
+        //
+        // Create XACML request
+        //
+        
+        // Subject
+        AttributeValueType subjectIdAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "alice-user@apache.org"
+            );
+        AttributeType subjectIdAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.SUBJECT_ID,
+                    XACMLConstants.RFC_822_NAME,
+                    null,
+                    Collections.singletonList(subjectIdAttributeValue)
+            );
+        
+        AttributeValueType subjectGroupAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "manager"
+            );
+        AttributeType subjectGroupAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.SUBJECT_ROLE,
+                    XACMLConstants.XS_ANY_URI,
+                    "admin-user@apache.org",
+                    Collections.singletonList(subjectGroupAttributeValue)
+            );
+        List<AttributeType> attributes = new ArrayList<AttributeType>();
+        attributes.add(subjectIdAttribute);
+        attributes.add(subjectGroupAttribute);
+        SubjectType subject = RequestComponentBuilder.createSubjectType(attributes, null);
+        
+        // Resource
+        AttributeValueType resourceAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "{http://www.example.org/contract/DoubleIt}DoubleIt"
+            );
+        AttributeType resourceAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.RESOURCE_ID,
+                    XACMLConstants.XS_STRING,
+                    null,
+                    Collections.singletonList(resourceAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(resourceAttribute);
+        ResourceType resource = RequestComponentBuilder.createResourceType(attributes, null);
+        
+        // Action
+        AttributeValueType actionAttributeValue = 
+            RequestComponentBuilder.createAttributeValueType(
+                    "execute"
+            );
+        AttributeType actionAttribute = 
+            RequestComponentBuilder.createAttributeType(
+                    XACMLConstants.ACTION_ID,
+                    XACMLConstants.XS_STRING,
+                    null,
+                    Collections.singletonList(actionAttributeValue)
+            );
+        attributes.clear();
+        attributes.add(actionAttribute);
+        ActionType action = RequestComponentBuilder.createActionType(attributes);
+        
+        // Request
+        RequestType request = 
+            RequestComponentBuilder.createRequestType(
+                    Collections.singletonList(subject), 
+                    Collections.singletonList(resource), 
+                    action, 
+                    null
+            );
+        
+        //
+        // Create SAML wrapper
+        //
+        
+        XACMLAuthzDecisionQueryType authzQuery = 
+            SamlRequestComponentBuilder.createAuthzDecisionQuery(
+                    "Issuer", request, SAMLProfileConstants.SAML20XACML20P_NS
+            );
+        
+        Element policyElement = OpenSAMLUtil.toDom(authzQuery, doc);
+        // String outputString = DOM2Writer.nodeToString(policyElement);
+        assertNotNull(policyElement);
+    }
+    
+    
+}

Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.opensaml.Configuration;
+import org.opensaml.xacml.XACMLObjectBuilder;
+import org.opensaml.xacml.ctx.AttributeType;
+import org.opensaml.xacml.ctx.DecisionType;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusCodeType;
+import org.opensaml.xacml.ctx.StatusType;
+import org.opensaml.xacml.ctx.SubjectType;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+
+
+/**
+ * A test implementation of AbstractXACMLAuthorizingInterceptor. It just mocks up a Response
+ * object based on the role of the Subject. If the role is "manager" then it permits the
+ * request, otherwise it denies it.
+ */
+public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
+    
+    public ResponseType performRequest(RequestType request, Message message) throws Exception {
+        
+        XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+        
+        @SuppressWarnings("unchecked")
+        XACMLObjectBuilder<ResponseType> responseTypeBuilder = 
+            (XACMLObjectBuilder<ResponseType>)
+            builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
+        
+        @SuppressWarnings("unchecked")
+        XACMLObjectBuilder<ResultType> resultTypeBuilder = 
+            (XACMLObjectBuilder<ResultType>)
+            builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
+        
+        @SuppressWarnings("unchecked")
+        XACMLObjectBuilder<DecisionType> decisionTypeBuilder =
+            (XACMLObjectBuilder<DecisionType>)
+            builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
+        
+        @SuppressWarnings("unchecked")
+        XACMLObjectBuilder<StatusType> statusTypeBuilder = 
+            (XACMLObjectBuilder<StatusType>)
+            builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
+        
+        @SuppressWarnings("unchecked")
+        XACMLObjectBuilder<StatusCodeType> statusCodeTypeBuilder =
+            (XACMLObjectBuilder<StatusCodeType>)
+            builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
+            
+        DecisionType decisionType = decisionTypeBuilder.buildObject();
+        
+        String role = getSubjectRole(request);
+        if ("manager".equals(role)) {
+            decisionType.setDecision(DecisionType.DECISION.Permit); 
+        } else {
+            decisionType.setDecision(DecisionType.DECISION.Deny);
+        }
+        
+        ResultType result = resultTypeBuilder.buildObject();
+        result.setDecision(decisionType);
+        
+        StatusType status = statusTypeBuilder.buildObject();
+        StatusCodeType statusCode = statusCodeTypeBuilder.buildObject();
+        statusCode.setValue("urn:oasis:names:tc:xacml:1.0:status:ok");
+        status.setStatusCode(statusCode);
+        result.setStatus(status);
+        
+        ResponseType response = responseTypeBuilder.buildObject();
+        response.setResult(result);
+        
+        return response;
+    }
+
+    private String getSubjectRole(RequestType request) {
+        List<SubjectType> subjects = request.getSubjects();
+        if (subjects != null) {
+            for (SubjectType subject : subjects) {
+                List<AttributeType> attributes = subject.getAttributes();
+                if (attributes != null) {
+                    for (AttributeType attribute : attributes) {
+                        if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeID())) {
+                            return attribute.getAttributeValues().get(0).getValue();
+                        }
+                    }
+                }
+            }
+        }
+        return null;
+    }
+
+    
+}

Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+
+
+/**
+ * Some unit tests to test the AbstractXACMLAuthorizingInterceptor.
+ */
+public class XACMLAuthorizingInterceptorTest extends org.junit.Assert {
+    
+    static {
+        OpenSAMLUtil.initSamlEngine();
+    }
+
+    @org.junit.Test
+    public void testPermit() throws Exception {
+        // Mock up a Security Context
+        SecurityContext sc = createSecurityContext("alice", "manager");
+        
+        String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+        MessageImpl msg = new MessageImpl();
+        msg.put(Message.WSDL_OPERATION, operation);
+        msg.put(SecurityContext.class, sc);
+        
+        XACMLAuthorizingInterceptor authorizingInterceptor = 
+            new XACMLAuthorizingInterceptor();
+        authorizingInterceptor.handleMessage(msg);
+    }
+    
+    @org.junit.Test
+    public void testDeny() throws Exception {
+        // Mock up a Security Context
+        SecurityContext sc = createSecurityContext("alice", "boss");
+        
+        String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+        MessageImpl msg = new MessageImpl();
+        msg.put(Message.WSDL_OPERATION, operation);
+        msg.put(SecurityContext.class, sc);
+        
+        XACMLAuthorizingInterceptor authorizingInterceptor = 
+            new XACMLAuthorizingInterceptor();
+        
+        try {
+            authorizingInterceptor.handleMessage(msg);
+            fail("Failure expected on deny");
+        } catch (Exception ex) {
+            // Failure expected
+        }
+    }
+    
+    private SecurityContext createSecurityContext(final String user, final String role) {
+        return new LoginSecurityContext() {
+
+            @Override
+            public Principal getUserPrincipal() {
+                return new Principal() {
+                    public String getName() {
+                        return user;
+                    }
+                };
+            }
+
+            @Override
+            public boolean isUserInRole(String role) {
+                return false;
+            }
+
+            @Override
+            public Subject getSubject() {
+                return null;
+            }
+
+            @Override
+            public Set<Principal> getUserRoles() {
+                Set<Principal> principals = new HashSet<Principal>();
+                principals.add(new Principal() {
+                    public String getName() {
+                        return role;
+                    }
+                });
+                return principals;
+            }
+            
+        };
+    }
+    
+}

Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java?rev=1414652&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java Wed Nov 28 12:47:26 2012
@@ -0,0 +1,155 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.xacml;
+
+import java.security.Principal;
+import java.util.Collections;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.opensaml.xacml.ctx.RequestType;
+
+
+/**
+ * Some unit tests to create a XACML Request via the XACMLRequestBuilder interface.
+ */
+public class XACMLRequestBuilderTest extends org.junit.Assert {
+    
+    static {
+        OpenSAMLUtil.initSamlEngine();
+    }
+
+    @org.junit.Test
+    public void testXACMLRequestBuilder() throws Exception {
+        // Mock up a request
+        Principal principal = new Principal() {
+            public String getName() {
+                return "alice";
+            }
+        };
+        
+        String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+        MessageImpl msg = new MessageImpl();
+        msg.put(Message.WSDL_OPERATION, operation);
+        
+        XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+        RequestType request = 
+            builder.createRequest(principal, Collections.singletonList("manager"), msg);
+        assertNotNull(request);
+    }
+    
+    @org.junit.Test
+    public void testResource() throws Exception {
+        // Mock up a request
+        Principal principal = new Principal() {
+            public String getName() {
+                return "alice";
+            }
+        };
+        
+        String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+        MessageImpl msg = new MessageImpl();
+        msg.put(Message.WSDL_OPERATION, operation);
+        
+        XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+        RequestType request = 
+            builder.createRequest(principal, Collections.singletonList("manager"), msg);
+        assertNotNull(request); 
+        
+        assertEquals(operation, builder.getResource(msg));
+        
+        operation = "user/list.json";
+        msg = new MessageImpl();
+        msg.put(Message.REQUEST_URI, operation);
+        
+        request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+        assertNotNull(request); 
+        
+        assertEquals(operation, builder.getResource(msg));
+        
+        operation = "https://localhost:8080/user/list.json";
+        msg = new MessageImpl();
+        msg.put(Message.REQUEST_URL, operation);
+        
+        ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(true);
+        request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+        assertNotNull(request); 
+        
+        assertEquals(operation, builder.getResource(msg));
+    }
+    
+    @org.junit.Test
+    public void testAction() throws Exception {
+        // Mock up a request
+        Principal principal = new Principal() {
+            public String getName() {
+                return "alice";
+            }
+        };
+        
+        String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+        MessageImpl msg = new MessageImpl();
+        msg.put(Message.WSDL_OPERATION, operation);
+        
+        XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+        RequestType request = 
+            builder.createRequest(principal, Collections.singletonList("manager"), msg);
+        assertNotNull(request); 
+        
+        String action = 
+            request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
+        assertEquals(action, "execute");
+        
+        ((DefaultXACMLRequestBuilder)builder).setAction("write");
+        request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+        assertNotNull(request); 
+        
+        action = 
+            request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
+        assertEquals(action, "write");
+    }
+    
+    @org.junit.Test
+    public void testEnvironment() throws Exception {
+        // Mock up a request
+        Principal principal = new Principal() {
+            public String getName() {
+                return "alice";
+            }
+        };
+        
+        String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+        MessageImpl msg = new MessageImpl();
+        msg.put(Message.WSDL_OPERATION, operation);
+        
+        XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+        RequestType request = 
+            builder.createRequest(principal, Collections.singletonList("manager"), msg);
+        assertNotNull(request);
+        assertNotNull(request.getEnvironment());
+        
+        ((DefaultXACMLRequestBuilder)builder).setSendDateTime(false);
+        request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
+        assertNotNull(request);
+        assertNull(request.getEnvironment());
+    }
+    
+}

Modified: cxf/trunk/systests/ws-security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/pom.xml?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/pom.xml (original)
+++ cxf/trunk/systests/ws-security/pom.xml Wed Nov 28 12:47:26 2012
@@ -110,6 +110,11 @@
         </dependency>
         <dependency>
             <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-security</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-rt-databinding-jaxb</artifactId>
             <version>${project.version}</version>
         </dependency>

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1414652&r1=1414651&r2=1414652&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java Wed Nov 28 12:47:26 2012
@@ -29,6 +29,7 @@ import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
+import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
 import org.apache.cxf.systest.ws.saml.server.Server;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
@@ -561,5 +562,54 @@ public class SamlTokenTest extends Abstr
         bus.shutdown(true);
     }
     
+    // In this test-case, the WSP is configured with a XACML PEP interceptor, which in this
+    // case just mocks the call to the PDP + enforces the decision
+    @org.junit.Test
+    public void testSaml2PEP() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml2PEPPort");
+        DoubleItPortType saml2Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml2Port, PORT);
+       
+        try {
+            saml2Port.doubleIt(25);
+            fail("Failure expected as Assertion doesn't contain Role information");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            // expected
+        }
+        
+        SamlRoleCallbackHandler roleCallbackHandler = 
+            new SamlRoleCallbackHandler();
+        roleCallbackHandler.setRoleName("manager");
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", roleCallbackHandler
+        );
+        
+        int result = saml2Port.doubleIt(25);
+        assertTrue(result == 50);
+        
+        // Expected failure on incorrect role
+        roleCallbackHandler.setRoleName("boss");
+        try {
+            saml2Port.doubleIt(25);
+            fail("Failure expected as Assertion doesn't contain correct role");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)saml2Port).close();
+        bus.shutdown(true);
+    }
+    
     
 }



Mime
View raw message