Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5AEBA104E4 for ; Thu, 18 Apr 2013 17:41:47 +0000 (UTC) Received: (qmail 38102 invoked by uid 500); 18 Apr 2013 17:30:58 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 37831 invoked by uid 500); 18 Apr 2013 17:30:47 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 37594 invoked by uid 99); 18 Apr 2013 17:30:36 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 18 Apr 2013 17:30:36 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 18 Apr 2013 17:30:34 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id DDB0023888E7; Thu, 18 Apr 2013 17:30:13 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1469483 - in /cxf/branches/wss4j2.0-port/rt/ws/security/src: main/java/org/apache/cxf/ws/security/wss4j/ main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ test/java/org/apache/cxf/ws/security/wss4j/saml/ Date: Thu, 18 Apr 2013 17:30:13 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130418173013.DDB0023888E7@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Thu Apr 18 17:30:12 2013 New Revision: 1469483 URL: http://svn.apache.org/r1469483 Log: Added some more SAML interop tests Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=1469483&r1=1469482&r2=1469483&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java Thu Apr 18 17:30:12 2013 
@@ -190,6 +190,16 @@ public abstract class AbstractWSS4JInter if (certConstraints != null) { msg.setContextualProperty(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints); } + + // Now set SAML SenderVouches + Holder Of Key requirements + boolean validateSAMLSubjectConf = + MessageUtils.getContextualBoolean( + msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true + ); + msg.setContextualProperty( + WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, + Boolean.toString(validateSAMLSubjectConf) + ); } @Override Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java?rev=1469483&r1=1469482&r2=1469483&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java Thu Apr 18 17:30:12 2013 
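Review bot: The added block forwards the CXF `VALIDATE_SAML_SUBJECT_CONFIRMATION` setting to WSS4J as a string handler property, but the comment above it only says the requirements are being "set"; it should record that the holder-of-key / sender-vouches enforcement itself has moved out of this interceptor and that the default is to validate. Suggest replacing the comment with `// Hand SAML subject-confirmation (holder-of-key / sender-vouches) validation to WSS4J; defaults to true, so it is only switched off by explicit configuration`. The enclosing method starts outside the hunk. The matching removal of the in-interceptor check is in the WSS4JInInterceptor hunk @@ -364 of this commit; from this diff alone it is not verifiable that the WSS4J engine acts on the handler property, so the hand-off deserves a test that a failing subject confirmation is still rejected with the default setting.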
@@ -19,31 +19,13 @@ package org.apache.cxf.ws.security.wss4j; -import java.security.Principal; -import java.security.PublicKey; -import java.security.cert.Certificate; -import java.security.cert.X509Certificate; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collections; import java.util.List; -import java.util.logging.Logger; import org.w3c.dom.Element; -import org.apache.cxf.common.logging.LogUtils; -import org.apache.cxf.helpers.CastUtils; -import org.apache.cxf.message.Message; -import org.apache.cxf.security.transport.TLSSessionInfo; -import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal; -import org.apache.wss4j.common.saml.OpenSAMLUtil; -import org.apache.wss4j.common.saml.SAMLKeyInfo; import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.apache.wss4j.dom.WSConstants; -import org.apache.wss4j.dom.WSDataRef; -import org.apache.wss4j.dom.WSSecurityEngineResult; -import org.apache.wss4j.dom.util.WSSecurityUtil; import org.opensaml.common.SAMLVersion; import org.opensaml.xml.XMLObject; @@ -52,8 +34,6 @@ import org.opensaml.xml.XMLObject; */ public final class SAMLUtils { - private static final Logger LOG = LogUtils.getL7dLogger(SAMLUtils.class); - private SAMLUtils() { } 
@@ -149,217 +129,4 @@ public final class SAMLUtils { return Collections.unmodifiableList(roles); } - public static void validateSAMLResults( - List results, - Message message, - Element body - ) throws WSSecurityException { - final List samlActions = new ArrayList(2); - samlActions.add(WSConstants.ST_SIGNED); - samlActions.add(WSConstants.ST_UNSIGNED); - List samlResults = - WSSecurityUtil.fetchAllActionResults(results, samlActions); - - if (samlResults.isEmpty()) { - return; - } - - final List signedActions = new ArrayList(2); - signedActions.add(WSConstants.SIGN); - signedActions.add(WSConstants.UT_SIGN); - List signedResults = - WSSecurityUtil.fetchAllActionResults(results, signedActions); - - for (WSSecurityEngineResult samlResult : samlResults) { - SamlAssertionWrapper assertionWrapper = - (SamlAssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); - - TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class); - Certificate[] tlsCerts = null; - if (tlsInfo != null) { - tlsCerts = tlsInfo.getPeerCertificates(); - } - if (!SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) { - LOG.warning("Assertion fails holder-of-key requirements"); - throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); - } - if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signedResults)) { - LOG.warning("Assertion fails sender-vouches requirements"); - throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); - } - } - - } - - /** - * Check the holder-of-key requirements against the received assertion. The subject - * credential of the SAML Assertion must have been used to sign some portion of - * the message, thus showing proof-of-possession of the private/secret key. Alternatively, - * the subject credential of the SAML Assertion must match a client certificate credential - * when 2-way TLS is used. 
- * @param assertionWrapper the SAML Assertion wrapper object - * @param signedResults a list of all of the signed results - */ - public static boolean checkHolderOfKey( - SamlAssertionWrapper assertionWrapper, - List signedResults, - Certificate[] tlsCerts - ) { - List confirmationMethods = assertionWrapper.getConfirmationMethods(); - for (String confirmationMethod : confirmationMethods) { - if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) { - if (tlsCerts == null && (signedResults == null || signedResults.isEmpty())) { - return false; - } - SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo(); - if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) { - return false; - } - } - } - return true; - } - - /** - * Compare the credentials of the assertion to the credentials used in 2-way TLS or those - * used to verify signatures. - * Return true on a match - * @param subjectKeyInfo the SAMLKeyInfo object - * @param signedResults a list of all of the signed results - * @return true if the credentials of the assertion were used to verify a signature - */ - public static boolean compareCredentials( - SAMLKeyInfo subjectKeyInfo, - List signedResults, - Certificate[] tlsCerts - ) { - X509Certificate[] subjectCerts = subjectKeyInfo.getCerts(); - PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey(); - byte[] subjectSecretKey = subjectKeyInfo.getSecret(); - - // - // Try to match the TLS certs first - // - if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts != null - && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0])) { - return true; - } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey != null - && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) { - return true; - } - - // - // Now try the message-level signatures - // - for (WSSecurityEngineResult signedResult : signedResults) { - X509Certificate[] certs = - 
(X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES); - PublicKey publicKey = - (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY); - byte[] secretKey = - (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET); - if (certs != null && certs.length > 0 && subjectCerts != null - && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0])) { - return true; - } - if (publicKey != null && publicKey.equals(subjectPublicKey)) { - return true; - } - if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) { - return true; - } - } - return false; - } - - private static boolean checkSecretKey( - byte[] secretKey, - byte[] subjectSecretKey, - WSSecurityEngineResult signedResult - ) { - if (secretKey != null && subjectSecretKey != null) { - if (Arrays.equals(secretKey, subjectSecretKey)) { - return true; - } else { - Principal principal = - (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL); - if (principal instanceof WSDerivedKeyTokenPrincipal) { - secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret(); - if (Arrays.equals(secretKey, subjectSecretKey)) { - return true; - } - } - } - } - return false; - } - - /** - * Check the sender-vouches requirements against the received assertion. The SAML - * Assertion and the SOAP Body must be signed by the same signature. 
- */ - public static boolean checkSenderVouches( - SamlAssertionWrapper assertionWrapper, - Certificate[] tlsCerts, - Element body, - List signed - ) { - // - // If we have a 2-way TLS connection, then we don't have to check that the - // assertion + SOAP body are signed - // - if (tlsCerts != null && tlsCerts.length > 0) { - return true; - } - List confirmationMethods = assertionWrapper.getConfirmationMethods(); - for (String confirmationMethod : confirmationMethods) { - if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) { - if (signed == null || signed.isEmpty()) { - return false; - } - if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signed)) { - return false; - } - } - } - return true; - } - - /** - * Return true if there is a signature which references the Assertion and the SOAP Body. - * @param assertionWrapper the SamlAssertionWrapper object - * @param body The SOAP body - * @param signed The List of signed results - * @return true if there is a signature which references the Assertion and the SOAP Body. 
- */ - private static boolean checkAssertionAndBodyAreSigned( - SamlAssertionWrapper assertionWrapper, - Element body, - List signed - ) { - for (WSSecurityEngineResult signedResult : signed) { - List sl = - CastUtils.cast((List)signedResult.get( - WSSecurityEngineResult.TAG_DATA_REF_URIS - )); - boolean assertionIsSigned = false; - boolean bodyIsSigned = false; - if (sl != null) { - for (WSDataRef dataRef : sl) { - Element se = dataRef.getProtectedElement(); - if (se == assertionWrapper.getElement()) { - assertionIsSigned = true; - } - if (se == body) { - bodyIsSigned = true; - } - if (assertionIsSigned && bodyIsSigned) { - return true; - } - } - } - } - return false; - } - } Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1469483&r1=1469482&r2=1469483&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Thu Apr 18 17:30:12 2013 @@ -20,6 +20,7 @@ package org.apache.cxf.ws.security.wss4j import java.io.IOException; import java.security.Principal; +import java.security.cert.Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; @@ -65,6 +66,7 @@ import org.apache.cxf.message.MessageUti import org.apache.cxf.phase.Phase; import org.apache.cxf.phase.PhaseInterceptor; import org.apache.cxf.security.SecurityContext; +import org.apache.cxf.security.transport.TLSSessionInfo; import org.apache.cxf.staxutils.StaxUtils; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; 
@@ -252,6 +254,12 @@ public class WSS4JInInterceptor extends msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE ); reqData.setTimestampReplayCache(timestampCache); + + TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class); + if (tlsInfo != null) { + Certificate[] tlsCerts = tlsInfo.getPeerCertificates(); + reqData.setTlsCerts(tlsCerts); + } /* * Get and check the Signature specific parameters first because @@ -364,15 +372,6 @@ public class WSS4JInInterceptor extends LOG.warning(warning); } - // Now check SAML SenderVouches + Holder Of Key requirements - boolean validateSAMLSubjectConf = - MessageUtils.getContextualBoolean( - msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true - ); - if (validateSAMLSubjectConf) { - SAMLUtils.validateSAMLResults(wsResult, msg, body); - } - } private void storeSignature( Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1469483&r1=1469482&r2=1469483&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java Thu Apr 18 17:30:12 2013 
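Review bot: After the @@ -364 hunk drops `SAMLUtils.validateSAMLResults(wsResult, msg, body)`, the `body` local and possibly the `MessageUtils` import may have no remaining reader in this method; the method starts outside both hunks, so verify before the build flags dead code. In the @@ -252 hunk the peer certificates are stored on `reqData` with no comment on their purpose; the deleted SAMLUtils code matched them against the SAML subject credential, and presumably the WSS4J replacement does the same, so suggest `// 2-way TLS peer certs: consumed by WSS4J's SAML subject-confirmation (holder-of-key / sender-vouches) check` above `TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);`. The result of `getPeerCertificates()` is passed through unchecked, as the removed code also did.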
@@ -24,10 +24,10 @@ import java.util.List; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; -import org.apache.cxf.ws.security.wss4j.SAMLUtils; import org.apache.wss4j.common.saml.SAMLKeyInfo; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.dom.WSSecurityEngineResult; +import org.apache.wss4j.dom.saml.DOMSAMLUtil; import org.apache.wss4j.policy.SPConstants.IncludeTokenType; import org.apache.wss4j.policy.model.AbstractToken; @@ -77,7 +77,7 @@ public abstract class AbstractSamlPolicy List signedResults, Certificate[] tlsCerts ) { - return SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts); + return DOMSAMLUtil.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts); } /** @@ -93,7 +93,7 @@ public abstract class AbstractSamlPolicy List signedResults, Certificate[] tlsCerts ) { - return SAMLUtils.compareCredentials(subjectKeyInfo, signedResults, tlsCerts); + return DOMSAMLUtil.compareCredentials(subjectKeyInfo, signedResults, tlsCerts); } } Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1469483&r1=1469482&r2=1469483&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Thu Apr 18 17:30:12 2013 
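Review bot: The `checkHolderOfKey` and `compareCredentials` wrappers now delegate to `DOMSAMLUtil` without recording whether the WSS4J implementation accepts the same credentials as the removed CXF one; the deleted SAMLUtils code also matched secret keys via `WSDerivedKeyTokenPrincipal` and accepted a TLS client certificate in place of a message signature, and this diff cannot show that `DOMSAMLUtil` preserves both. Suggest adding to each wrapper's Javadoc `Delegates to WSS4J's DOMSAMLUtil; the former CXF implementation (including the derived-key-token secret match) has been removed, so accepted credentials are now defined by WSS4J` and a test that pins the derived-key case if it is still required. The same applies to the `checkSenderVouches` swap in SamlTokenPolicyValidator (hunk @@ -118).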
@@ -32,10 +32,10 @@ import org.apache.cxf.message.Message; import org.apache.cxf.security.transport.TLSSessionInfo; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; -import org.apache.cxf.ws.security.wss4j.SAMLUtils; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSecurityEngineResult; +import org.apache.wss4j.dom.saml.DOMSAMLUtil; import org.apache.wss4j.dom.util.WSSecurityUtil; import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.SamlToken; @@ -118,7 +118,7 @@ public class SamlTokenPolicyValidator ex ai.setNotAsserted("Assertion fails holder-of-key requirements"); continue; } - if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) { + if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) { ai.setNotAsserted("Assertion fails sender-vouches requirements"); continue; } Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java?rev=1469483&r1=1469482&r2=1469483&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/DOMToStaxSamlTest.java Thu Apr 18 17:30:12 2013 @@ -45,7 +45,6 @@ import org.junit.Test; /** * In these test-cases, the client is using DOM and the service is using StaX. */ -@org.junit.Ignore public class DOMToStaxSamlTest extends AbstractSecurityTest { @Test 
@@ -54,7 +53,35 @@ public class DOMToStaxSamlTest extends A Service service = createService(); WSSSecurityProperties inProperties = new WSSSecurityProperties(); - // inProperties.setCallbackHandler(new TestPwdCallback()); + inProperties.setValidateSamlSubjectConfirmation(false); + WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties); + service.getInInterceptors().add(inhandler); + + // Create + configure client + Echo echo = createClientProxy(); + + Client client = ClientProxy.getClient(echo); + client.getInInterceptors().add(new LoggingInInterceptor()); + client.getOutInterceptors().add(new LoggingOutInterceptor()); + + Map properties = new HashMap(); + properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED); + properties.put( + WSHandlerConstants.SAML_CALLBACK_REF, new SAML1CallbackHandler() + ); + + WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties); + client.getOutInterceptors().add(ohandler); + + assertEquals("test", echo.echo("test")); + } + + @Test + public void testSaml1SignedSenderVouches() throws Exception { + // Create + configure service + Service service = createService(); + + WSSSecurityProperties inProperties = new WSSSecurityProperties(); Properties cryptoProperties = CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader()); inProperties.setSignatureVerificationCryptoProperties(cryptoProperties); 
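Review bot: `inProperties.setValidateSamlSubjectConfirmation(false)` is applied in the unsigned-token test with no explanation, and since this flag disables the server-side holder-of-key / sender-vouches check a reader may copy it into real configuration; suggest `// An unsigned SAML token with no signature or TLS binding cannot satisfy subject confirmation, so the check is disabled here only to exercise token processing` above that line. The first method's signature is outside the hunk, and `testSaml1SignedSenderVouches` continues past the hunk's end. The same unexplained setting appears in `testSaml2` in the next hunk (@@ -69).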
@@ -69,10 +96,80 @@ public class DOMToStaxSamlTest extends A client.getOutInterceptors().add(new LoggingOutInterceptor()); Map properties = new HashMap(); + properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED); + properties.put( + WSHandlerConstants.SAML_CALLBACK_CLASS, + "org.apache.cxf.ws.security.wss4j.saml.SAML1CallbackHandler" + ); + properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); + properties.put(WSHandlerConstants.USER, "alice"); + properties.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler()); + properties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties"); + + WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties); + client.getOutInterceptors().add(ohandler); + + assertEquals("test", echo.echo("test")); + } + + @Test + public void testSaml2() throws Exception { + // Create + configure service + Service service = createService(); + + WSSSecurityProperties inProperties = new WSSSecurityProperties(); + inProperties.setValidateSamlSubjectConfirmation(false); + WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties); + service.getInInterceptors().add(inhandler); + + // Create + configure client + Echo echo = createClientProxy(); + + Client client = ClientProxy.getClient(echo); + client.getInInterceptors().add(new LoggingInInterceptor()); + client.getOutInterceptors().add(new LoggingOutInterceptor()); + + Map properties = new HashMap(); properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED); properties.put( - WSHandlerConstants.SAML_CALLBACK_REF, new SAML1CallbackHandler() + WSHandlerConstants.SAML_CALLBACK_REF, new SAML2CallbackHandler() + ); + + WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties); + client.getOutInterceptors().add(ohandler); + + assertEquals("test", echo.echo("test")); + } + + @Test + public void testSaml2SignedSenderVouches() throws Exception { + // Create + configure service + Service service = 
createService(); + + WSSSecurityProperties inProperties = new WSSSecurityProperties(); + Properties cryptoProperties = + CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader()); + inProperties.setSignatureVerificationCryptoProperties(cryptoProperties); + WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties); + service.getInInterceptors().add(inhandler); + + // Create + configure client + Echo echo = createClientProxy(); + + Client client = ClientProxy.getClient(echo); + client.getInInterceptors().add(new LoggingInInterceptor()); + client.getOutInterceptors().add(new LoggingOutInterceptor()); + + Map properties = new HashMap(); + properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED); + properties.put( + WSHandlerConstants.SAML_CALLBACK_CLASS, + "org.apache.cxf.ws.security.wss4j.saml.SAML2CallbackHandler" ); + properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); + properties.put(WSHandlerConstants.USER, "alice"); + properties.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler()); + properties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties"); WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties); client.getOutInterceptors().add(ohandler);