cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1469483 - in /cxf/branches/wss4j2.0-port/rt/ws/security/src: main/java/org/apache/cxf/ws/security/wss4j/ main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ test/java/org/apache/cxf/ws/security/wss4j/saml/
Date Thu, 18 Apr 2013 17:30:13 GMT
Author: coheigea
Date: Thu Apr 18 17:30:12 2013
New Revision: 1469483

URL: http://svn.apache.org/r1469483
Log:
Added some more SAML interop tests

Modified:
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=1469483&r1=1469482&r2=1469483&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
Thu Apr 18 17:30:12 2013
@@ -190,6 +190,16 @@ public abstract class AbstractWSS4JInter
         if (certConstraints != null) {
             msg.setContextualProperty(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints);
         }
+        
+        // Now set SAML SenderVouches + Holder Of Key requirements
+        boolean validateSAMLSubjectConf = 
+            MessageUtils.getContextualBoolean(
+                msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true
+            );
+        msg.setContextualProperty(
+            WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, 
+            Boolean.toString(validateSAMLSubjectConf)
+        );
     }
 
     @Override

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java?rev=1469483&r1=1469482&r2=1469483&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
Thu Apr 18 17:30:12 2013
@@ -19,31 +19,13 @@
 
 package org.apache.cxf.ws.security.wss4j;
 
-import java.security.Principal;
-import java.security.PublicKey;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
-import java.util.logging.Logger;
 
 import org.w3c.dom.Element;
 
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.security.transport.TLSSessionInfo;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.WSDataRef;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.xml.XMLObject;
 
@@ -52,8 +34,6 @@ import org.opensaml.xml.XMLObject;
  */
 public final class SAMLUtils {
     
-    private static final Logger LOG = LogUtils.getL7dLogger(SAMLUtils.class);
-    
     private SAMLUtils() {
     }
     
@@ -149,217 +129,4 @@ public final class SAMLUtils {
         return Collections.unmodifiableList(roles);
     }
     
-    public static void validateSAMLResults(
-        List<WSSecurityEngineResult> results,
-        Message message,
-        Element body
-    ) throws WSSecurityException {
-        final List<Integer> samlActions = new ArrayList<Integer>(2);
-        samlActions.add(WSConstants.ST_SIGNED);
-        samlActions.add(WSConstants.ST_UNSIGNED);
-        List<WSSecurityEngineResult> samlResults = 
-            WSSecurityUtil.fetchAllActionResults(results, samlActions);
-        
-        if (samlResults.isEmpty()) {
-            return;
-        }
-        
-        final List<Integer> signedActions = new ArrayList<Integer>(2);
-        signedActions.add(WSConstants.SIGN);
-        signedActions.add(WSConstants.UT_SIGN);
-        List<WSSecurityEngineResult> signedResults = 
-            WSSecurityUtil.fetchAllActionResults(results, signedActions);
-        
-        for (WSSecurityEngineResult samlResult : samlResults) {
-            SamlAssertionWrapper assertionWrapper = 
-                (SamlAssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-            
-            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
-            Certificate[] tlsCerts = null;
-            if (tlsInfo != null) {
-                tlsCerts = tlsInfo.getPeerCertificates();
-            }
-            if (!SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
-                LOG.warning("Assertion fails holder-of-key requirements");
-                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
-            }
-            if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signedResults))
{
-                LOG.warning("Assertion fails sender-vouches requirements");
-                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
-            }
-        }
-        
-    }
-    
-    /**
-     * Check the holder-of-key requirements against the received assertion. The subject
-     * credential of the SAML Assertion must have been used to sign some portion of
-     * the message, thus showing proof-of-possession of the private/secret key. Alternatively,
-     * the subject credential of the SAML Assertion must match a client certificate credential
-     * when 2-way TLS is used.
-     * @param assertionWrapper the SAML Assertion wrapper object
-     * @param signedResults a list of all of the signed results
-     */
-    public static boolean checkHolderOfKey(
-        SamlAssertionWrapper assertionWrapper,
-        List<WSSecurityEngineResult> signedResults,
-        Certificate[] tlsCerts
-    ) {
-        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
-        for (String confirmationMethod : confirmationMethods) {
-            if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
-                if (tlsCerts == null && (signedResults == null || signedResults.isEmpty()))
{
-                    return false;
-                }
-                SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
-                if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
-                    return false;
-                }
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Compare the credentials of the assertion to the credentials used in 2-way TLS or those
-     * used to verify signatures.
-     * Return true on a match
-     * @param subjectKeyInfo the SAMLKeyInfo object
-     * @param signedResults a list of all of the signed results
-     * @return true if the credentials of the assertion were used to verify a signature
-     */
-    public static boolean compareCredentials(
-        SAMLKeyInfo subjectKeyInfo,
-        List<WSSecurityEngineResult> signedResults,
-        Certificate[] tlsCerts
-    ) {
-        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
-        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
-        byte[] subjectSecretKey = subjectKeyInfo.getSecret();
-        
-        //
-        // Try to match the TLS certs first
-        //
-        if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts !=
null 
-            && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0]))
{
-            return true;
-        } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey
!= null
-            && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
-            return true;
-        }
-        
-        //
-        // Now try the message-level signatures
-        //
-        for (WSSecurityEngineResult signedResult : signedResults) {
-            X509Certificate[] certs =
-                (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
-            PublicKey publicKey =
-                (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
-            byte[] secretKey =
-                (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
-            if (certs != null && certs.length > 0 && subjectCerts != null
-                && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0]))
{
-                return true;
-            }
-            if (publicKey != null && publicKey.equals(subjectPublicKey)) {
-                return true;
-            }
-            if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
-                return true;
-            }
-        }
-        return false;
-    }
-    
-    private static boolean checkSecretKey(
-        byte[] secretKey,
-        byte[] subjectSecretKey,
-        WSSecurityEngineResult signedResult
-    ) {
-        if (secretKey != null && subjectSecretKey != null) {
-            if (Arrays.equals(secretKey, subjectSecretKey)) {
-                return true;
-            } else {
-                Principal principal =
-                    (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
-                if (principal instanceof WSDerivedKeyTokenPrincipal) {
-                    secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
-                    if (Arrays.equals(secretKey, subjectSecretKey)) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return false;
-    }
-    
-    /**
-     * Check the sender-vouches requirements against the received assertion. The SAML
-     * Assertion and the SOAP Body must be signed by the same signature.
-     */
-    public static boolean checkSenderVouches(
-        SamlAssertionWrapper assertionWrapper,
-        Certificate[] tlsCerts,
-        Element body,
-        List<WSSecurityEngineResult> signed
-    ) {
-        //
-        // If we have a 2-way TLS connection, then we don't have to check that the
-        // assertion + SOAP body are signed
-        //
-        if (tlsCerts != null && tlsCerts.length > 0) {
-            return true;
-        }
-        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
-        for (String confirmationMethod : confirmationMethods) {
-            if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
-                if (signed == null || signed.isEmpty()) {
-                    return false;
-                }
-                if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signed)) {
-                    return false;
-                }
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Return true if there is a signature which references the Assertion and the SOAP Body.
-     * @param assertionWrapper the SamlAssertionWrapper object
-     * @param body The SOAP body
-     * @param signed The List of signed results
-     * @return true if there is a signature which references the Assertion and the SOAP Body.
-     */
-    private static boolean checkAssertionAndBodyAreSigned(
-        SamlAssertionWrapper assertionWrapper,
-        Element body,
-        List<WSSecurityEngineResult> signed
-    ) {
-        for (WSSecurityEngineResult signedResult : signed) {
-            List<WSDataRef> sl =
-                CastUtils.cast((List<?>)signedResult.get(
-                    WSSecurityEngineResult.TAG_DATA_REF_URIS
-                ));
-            boolean assertionIsSigned = false;
-            boolean bodyIsSigned = false;
-            if (sl != null) {
-                for (WSDataRef dataRef : sl) {
-                    Element se = dataRef.getProtectedElement();
-                    if (se == assertionWrapper.getElement()) {
-                        assertionIsSigned = true;
-                    }
-                    if (se == body) {
-                        bodyIsSigned = true;
-                    }
-                    if (assertionIsSigned && bodyIsSigned) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return false;
-    }
-
 }

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1469483&r1=1469482&r2=1469483&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Thu Apr 18 17:30:12 2013
@@ -20,6 +20,7 @@ package org.apache.cxf.ws.security.wss4j
 
 import java.io.IOException;
 import java.security.Principal;
+import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
@@ -65,6 +66,7 @@ import org.apache.cxf.message.MessageUti
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.phase.PhaseInterceptor;
 import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -252,6 +254,12 @@ public class WSS4JInInterceptor extends 
                     msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
                 );
             reqData.setTimestampReplayCache(timestampCache);
+            
+            TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
+            if (tlsInfo != null) {
+                Certificate[] tlsCerts = tlsInfo.getPeerCertificates();
+                reqData.setTlsCerts(tlsCerts);
+            }
 
             /*
              * Get and check the Signature specific parameters first because
@@ -364,15 +372,6 @@ public class WSS4JInInterceptor extends 
             LOG.warning(warning);
         }
         
-        // Now check SAML SenderVouches + Holder Of Key requirements
-        boolean validateSAMLSubjectConf = 
-            MessageUtils.getContextualBoolean(
-                msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true
-            );
-        if (validateSAMLSubjectConf) {
-            SAMLUtils.validateSAMLResults(wsResult, msg, body);
-        }
-        
     }
     
     private void storeSignature(

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1469483&r1=1469482&r2=1469483&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Thu Apr 18 17:30:12 2013
@@ -24,10 +24,10 @@ import java.util.List;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.ws.security.wss4j.SAMLUtils;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.saml.DOMSAMLUtil;
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractToken;
 
@@ -77,7 +77,7 @@ public abstract class AbstractSamlPolicy
         List<WSSecurityEngineResult> signedResults,
         Certificate[] tlsCerts
     ) {
-        return SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts);
+        return DOMSAMLUtil.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts);
     }
 
     /**
@@ -93,7 +93,7 @@ public abstract class AbstractSamlPolicy
         List<WSSecurityEngineResult> signedResults,
         Certificate[] tlsCerts
     ) {
-        return SAMLUtils.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
+        return DOMSAMLUtil.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
     }
     
 }

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1469483&r1=1469482&r2=1469483&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Thu Apr 18 17:30:12 2013
@@ -32,10 +32,10 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.wss4j.SAMLUtils;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.saml.DOMSAMLUtil;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.SamlToken;
@@ -118,7 +118,7 @@ public class SamlTokenPolicyValidator ex
                     ai.setNotAsserted("Assertion fails holder-of-key requirements");
                     continue;
                 }
-                if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signed))
{
+                if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, body, signed))
{
                     ai.setNotAsserted("Assertion fails sender-vouches requirements");
                     continue;
                 }

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java?rev=1469483&r1=1469482&r2=1469483&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java
Thu Apr 18 17:30:12 2013
@@ -45,7 +45,6 @@ import org.junit.Test;
 /**
  * In these test-cases, the client is using DOM and the service is using StaX.
  */
-@org.junit.Ignore
 public class DOMToStaxSamlTest extends AbstractSecurityTest {
     
     @Test
@@ -54,7 +53,35 @@ public class DOMToStaxSamlTest extends A
         Service service = createService();
         
         WSSSecurityProperties inProperties = new WSSSecurityProperties();
-        // inProperties.setCallbackHandler(new TestPwdCallback());
+        inProperties.setValidateSamlSubjectConfirmation(false);
+        WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
+        service.getInInterceptors().add(inhandler);
+        
+        // Create + configure client
+        Echo echo = createClientProxy();
+        
+        Client client = ClientProxy.getClient(echo);
+        client.getInInterceptors().add(new LoggingInInterceptor());
+        client.getOutInterceptors().add(new LoggingOutInterceptor());
+        
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+        properties.put(
+            WSHandlerConstants.SAML_CALLBACK_REF, new SAML1CallbackHandler()
+        );
+        
+        WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
+        client.getOutInterceptors().add(ohandler);
+
+        assertEquals("test", echo.echo("test"));
+    }
+    
+    @Test
+    public void testSaml1SignedSenderVouches() throws Exception {
+        // Create + configure service
+        Service service = createService();
+        
+        WSSSecurityProperties inProperties = new WSSSecurityProperties();
         Properties cryptoProperties = 
             CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader());
         inProperties.setSignatureVerificationCryptoProperties(cryptoProperties);
@@ -69,10 +96,80 @@ public class DOMToStaxSamlTest extends A
         client.getOutInterceptors().add(new LoggingOutInterceptor());
         
         Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED);
+        properties.put(
+            WSHandlerConstants.SAML_CALLBACK_CLASS, 
+            "org.apache.cxf.ws.security.wss4j.saml.SAML1CallbackHandler"
+        );
+        properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        properties.put(WSHandlerConstants.USER, "alice");
+        properties.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler());
+        properties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
+        
+        WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
+        client.getOutInterceptors().add(ohandler);
+
+        assertEquals("test", echo.echo("test"));
+    }
+    
+    @Test
+    public void testSaml2() throws Exception {
+        // Create + configure service
+        Service service = createService();
+        
+        WSSSecurityProperties inProperties = new WSSSecurityProperties();
+        inProperties.setValidateSamlSubjectConfirmation(false);
+        WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
+        service.getInInterceptors().add(inhandler);
+        
+        // Create + configure client
+        Echo echo = createClientProxy();
+        
+        Client client = ClientProxy.getClient(echo);
+        client.getInInterceptors().add(new LoggingInInterceptor());
+        client.getOutInterceptors().add(new LoggingOutInterceptor());
+        
+        Map<String, Object> properties = new HashMap<String, Object>();
         properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
         properties.put(
-            WSHandlerConstants.SAML_CALLBACK_REF, new SAML1CallbackHandler()
+            WSHandlerConstants.SAML_CALLBACK_REF, new SAML2CallbackHandler()
+        );
+        
+        WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
+        client.getOutInterceptors().add(ohandler);
+
+        assertEquals("test", echo.echo("test"));
+    }
+    
+    @Test
+    public void testSaml2SignedSenderVouches() throws Exception {
+        // Create + configure service
+        Service service = createService();
+        
+        WSSSecurityProperties inProperties = new WSSSecurityProperties();
+        Properties cryptoProperties = 
+            CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader());
+        inProperties.setSignatureVerificationCryptoProperties(cryptoProperties);
+        WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
+        service.getInInterceptors().add(inhandler);
+        
+        // Create + configure client
+        Echo echo = createClientProxy();
+        
+        Client client = ClientProxy.getClient(echo);
+        client.getInInterceptors().add(new LoggingInInterceptor());
+        client.getOutInterceptors().add(new LoggingOutInterceptor());
+        
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED);
+        properties.put(
+            WSHandlerConstants.SAML_CALLBACK_CLASS, 
+            "org.apache.cxf.ws.security.wss4j.saml.SAML2CallbackHandler"
         );
+        properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        properties.put(WSHandlerConstants.USER, "alice");
+        properties.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler());
+        properties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
         
         WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
         client.getOutInterceptors().add(ohandler);



Mime
View raw message