cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1450200 - in /cxf/branches/2.6.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy...
Date Tue, 26 Feb 2013 15:03:12 GMT
Author: coheigea
Date: Tue Feb 26 15:03:12 2013
New Revision: 1450200

URL: http://svn.apache.org/r1450200
Log:
Merged revisions 1450187 via  git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1450187 | coheigea | 2013-02-26 06:32:07 -0800 (Tue, 26 Feb 2013) | 2 lines

  [CXF-4842] - Support Claims defined in Security Policy at IssuedToken/Claims

........


Conflicts:
	services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java

Modified:
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
    cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
    cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleIt.wsdl
    cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client.xml
    cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-service.xml

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
Tue Feb 26 15:03:12 2013
@@ -396,6 +396,8 @@ public abstract class SPConstants {
     
     public static final String ISSUER_NAME = "IssuerName";
     
+    public static final String CLAIMS = "Claims";
+    
     public static final String REQUIRE_DERIVED_KEYS = "RequireDerivedKeys";
     
     public static final String REQUIRE_IMPLIED_DERIVED_KEYS = "RequireImpliedDerivedKeys";

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java
Tue Feb 26 15:03:12 2013
@@ -82,6 +82,8 @@ public class IssuedTokenBuilder implemen
             } else if (SPConstants.REQUEST_SECURITY_TOKEN_TEMPLATE.equals(ln)) {
                 foundRST = true;
                 issuedToken.setRstTemplate(child);
+            } else if (SPConstants.CLAIMS.equals(ln)) {
+                issuedToken.setClaims(child);
             } else if (org.apache.neethi.Constants.ELEM_POLICY.equals(ln)) {
                 foundPolicy = true;
                 Policy policy = builder.getPolicy(child);

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Tue Feb 26 15:03:12 2013
@@ -350,6 +350,9 @@ public class IssuedTokenInterceptorProvi
             if (maps != null && maps.getNamespaceURI() != null) {
                 client.setAddressingNamespace(maps.getNamespaceURI());
             }
+            if (itok.getClaims() != null) {
+                client.setClaims(itok.getClaims());
+            }
             return client.requestSecurityToken(appliesTo);
         }
         

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java
Tue Feb 26 15:03:12 2013
@@ -47,6 +47,11 @@ public abstract class Token extends Abst
     private Element policy;
     
     /**
+     * A reference to the DOM wst:Claims child Element
+     */
+    private Element claims;
+    
+    /**
      * A Reference to a parent SupportingToken assertion
      */
     private SupportingToken supportingToken;
@@ -131,4 +136,12 @@ public abstract class Token extends Abst
     public void setPolicy(Element policy) {
         this.policy = policy;
     }
+
+    public Element getClaims() {
+        return claims;
+    }
+
+    public void setClaims(Element claims) {
+        this.claims = claims;
+    }
 }

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Tue Feb 26 15:03:12 2013
@@ -84,6 +84,16 @@ public class IssuedTokenPolicyValidator 
                 ai.setNotAsserted("Error in validating the IssuedToken policy");
                 continue;
             }
+            
+            Element claims = issuedToken.getClaims();
+            if (claims != null) {
+                String dialect = claims.getAttributeNS(null, "Dialect");
+                if (claimsValidator.getDialect().equals(dialect)
+                    && !claimsValidator.validatePolicy(claims, assertionWrapper))
{
+                    ai.setNotAsserted("Error in validating the Claims policy");
+                    continue;
+                }
+            }
 
             TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
             Certificate[] tlsCerts = null;

Modified: cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
(original)
+++ cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
Tue Feb 26 15:03:12 2013
@@ -199,6 +199,29 @@ public class ClaimsTest extends Abstract
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testSaml2ChildClaims() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClaimsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = ClaimsTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2ChildClaimsPort");
+        DoubleItPortType transportClaimsPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportClaimsPort, PORT);
+        
+        doubleIt(transportClaimsPort, 25);
+        
+        ((java.io.Closeable)transportClaimsPort).close();
+        bus.shutdown(true);
+    }
+    
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);
         assertEquals(numToDouble * 2 , resp);

Modified: cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleIt.wsdl?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleIt.wsdl
(original)
+++ cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleIt.wsdl
Tue Feb 26 15:03:12 2013
@@ -78,6 +78,23 @@
 			</wsdl:output>
 		</wsdl:operation>
 	</wsdl:binding>
+	
+	<wsdl:binding name="DoubleItTransportSAML2ChildClaimsBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItBindingTransportSAML2ChildClaimsPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy" />
+            </wsdl:output>
+        </wsdl:operation>
+    </wsdl:binding>
 
 	<wsdl:service name="DoubleItService">
 		<wsdl:port name="DoubleItTransportSAML1ClaimsPort" 
@@ -95,6 +112,11 @@
 			<soap:address
 				location="https://localhost:8081/doubleit/services/doubleittransportsaml1failingclaims"
/>
 		</wsdl:port>
+		<wsdl:port name="DoubleItTransportSAML2ChildClaimsPort" 
+                   binding="tns:DoubleItTransportSAML2ChildClaimsBinding">
+            <soap:address
+                location="https://localhost:8081/doubleit/services/doubleittransportsaml2childclaims"
/>
+        </wsdl:port>
 	</wsdl:service>
 	
 	<wsp:Policy wsu:Id="DoubleItBindingTransportSAML1ClaimsPolicy">
@@ -329,6 +351,85 @@
 		</wsp:ExactlyOne>
 	</wsp:Policy>
 	
+	<wsp:Policy wsu:Id="DoubleItBindingTransportSAML2ChildClaimsPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsam:Addressing wsp:Optional="false">
+                    <wsp:Policy />
+                </wsam:Addressing>
+                <sp:TransportBinding
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy/>
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:TripleDes />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:SupportingTokens
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:IssuedToken
+                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                            <sp:RequestSecurityTokenTemplate>
+                                <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
+                                <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
+                            </sp:RequestSecurityTokenTemplate>
+                            <t:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
+                                xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
+                                <ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/>
+                            </t:Claims>
+                            <wsp:Policy>
+                                <sp:RequireInternalReference />
+                            </wsp:Policy>
+                            <sp:Issuer>
+                                <wsaw:Address>http://localhost:8080/SecurityTokenService/UT
+                                </wsaw:Address>
+                                <wsaw:Metadata>
+                                    <wsx:Metadata>
+                                        <wsx:MetadataSection>
+                                            <wsx:MetadataReference>
+                                                <wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+                                                </wsaw:Address>
+                                            </wsx:MetadataReference>
+                                        </wsx:MetadataSection>
+                                    </wsx:Metadata>
+                                </wsaw:Metadata>
+                            </sp:Issuer>
+                        </sp:IssuedToken>
+                    </wsp:Policy>
+                </sp:SupportingTokens>
+                <sp:Wss11>
+                    <wsp:Policy>
+                        <sp:MustSupportRefIssuerSerial />
+                        <sp:MustSupportRefThumbprint />
+                        <sp:MustSupportRefEncryptedKey />
+                    </wsp:Policy>
+                </sp:Wss11>
+                <sp:Trust13>
+                    <wsp:Policy>
+                        <sp:MustSupportIssuedTokens />
+                        <sp:RequireClientEntropy />
+                        <sp:RequireServerEntropy />
+                    </wsp:Policy>
+                </sp:Trust13>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 	
 	
 	<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">

Modified: cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client.xml?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client.xml
(original)
+++ cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-client.xml
Tue Feb 26 15:03:12 2013
@@ -91,6 +91,34 @@ http://cxf.apache.org/configuration/secu
        </jaxws:properties>
    </jaxws:client>
    
+   <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSAML2ChildClaimsPort"
createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+           <entry key="ws-security.sts.client">
+               <bean class="org.apache.cxf.ws.security.trust.STSClient">
+                   <constructor-arg ref="cxf"/>
+                   <property name="wsdlLocation" 
+                             value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport?wsdl"/>
+                   <property name="serviceName" 
+                             value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+                   <property name="endpointName" 
+                             value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
+                   <property name="properties">
+                       <map>
+                           <entry key="ws-security.username" value="alice"/>
+                           <entry key="ws-security.callback-handler" 
+                                  value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+                           <entry key="ws-security.sts.token.username" value="myclientkey"/>
+                           <entry key="ws-security.sts.token.properties" value="clientKeystore.properties"/>

+                           <entry key="ws-security.sts.token.usecert" value="true"/>

+                       </map>
+                   </property>
+               </bean>            
+           </entry> 
+       </jaxws:properties>
+   </jaxws:client>
+   
    <http:conduit name="https://localhost:.*">
       <http:tlsClientParameters disableCNCheck="true">
         <sec:trustManagers>

Modified: cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-service.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-service.xml?rev=1450200&r1=1450199&r2=1450200&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-service.xml
(original)
+++ cxf/branches/2.6.x-fixes/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/cxf-service.xml
Tue Feb 26 15:03:12 2013
@@ -96,6 +96,25 @@
       </jaxws:properties> 
    </jaxws:endpoint>
    
+   <jaxws:endpoint id="doubleittransportsaml2childclaims"
+      implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl"
+      endpointName="s:DoubleItTransportSAML2ChildClaimsPort"
+      serviceName="s:DoubleItService"
+      depends-on="ClientAuthHttpsSettings"
+      address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportsaml2childclaims"
+      wsdlLocation="org/apache/cxf/systest/sts/claims/DoubleIt.wsdl"
+      xmlns:s="http://www.example.org/contract/DoubleIt">
+        
+      <jaxws:properties>
+         <entry key="ws-security.callback-handler" 
+                value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+         <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
+         <entry key="ws-security.saml2.validator">
+            <bean class="org.apache.cxf.systest.sts.claims.ClaimsValidator"/>
+         </entry>
+      </jaxws:properties> 
+   </jaxws:endpoint>
+   
    <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
    <httpj:engine port="${testutil.ports.Server}">
     <httpj:tlsServerParameters>



Mime
View raw message