cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1499740 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ services/sts/systests/basic/src/test/java/org/apache/cxf/sy...
Date Thu, 04 Jul 2013 13:10:05 GMT
Author: coheigea
Date: Thu Jul  4 13:10:04 2013
New Revision: 1499740

URL: http://svn.apache.org/r1499740
Log:
Some initial work on streaming WS-Trust integration

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
    cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java
    cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
    cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Thu Jul  4 13:10:04 2013
@@ -49,6 +49,8 @@ import org.apache.cxf.ws.security.trust.
 import org.apache.cxf.ws.security.trust.STSUtils;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
@@ -89,6 +91,11 @@ public class IssuedTokenInterceptorProvi
         this.getOutFaultInterceptors().add(new IssuedTokenOutInterceptor());
         this.getInInterceptors().add(new IssuedTokenInInterceptor());
         this.getInFaultInterceptors().add(new IssuedTokenInInterceptor());
+        
+        this.getOutInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+        this.getOutFaultInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+        this.getInInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
+        this.getInFaultInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
     }
     
     static final TokenStore createTokenStore(Message message) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
Thu Jul  4 13:10:04 2013
@@ -37,6 +37,8 @@ import javax.security.auth.callback.Unsu
 import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPException;
 
+import org.w3c.dom.Element;
+
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.i18n.Message;
@@ -55,6 +57,7 @@ import org.apache.neethi.Assertion;
 import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -66,6 +69,7 @@ import org.apache.wss4j.policy.model.Abs
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 import org.apache.wss4j.policy.model.EncryptedParts;
 import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.IssuedToken;
 import org.apache.wss4j.policy.model.KerberosToken;
 import org.apache.wss4j.policy.model.KeyValueToken;
 import org.apache.wss4j.policy.model.Layout;
@@ -305,6 +309,40 @@ public abstract class AbstractStaxBindin
         return new SecurePart(qname, Modifier.Element);
     }
     
+    protected void addIssuedToken(IssuedToken token, SecurityToken secToken, 
+                                  boolean signed, boolean endorsing) {
+        if (isTokenRequired(token.getIncludeTokenType())) {
+            final Element el = secToken.getToken();
+            
+            String samlAction = ConfigurationConstants.SAML_TOKEN_UNSIGNED;
+            if (signed || endorsing) {
+                samlAction = ConfigurationConstants.SAML_TOKEN_SIGNED;
+            }
+            Map<String, Object> config = getProperties();
+            if (config.containsKey(ConfigurationConstants.ACTION)) {
+                String action = (String)config.get(ConfigurationConstants.ACTION);
+                config.put(ConfigurationConstants.ACTION, action + " " + samlAction);
+            } else {
+                config.put(ConfigurationConstants.ACTION, samlAction);
+            }
+            
+            CallbackHandler callbackHandler = new CallbackHandler() {
+
+                @Override
+                public void handle(Callback[] callbacks) {
+                    for (Callback callback : callbacks) {
+                        if (callback instanceof SAMLCallback) {
+                            SAMLCallback samlCallback = (SAMLCallback)callback;
+                            samlCallback.setAssertionElement(el);
+                        }
+                    }
+                }
+                
+            };
+            config.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
+        } 
+    }
+    
     protected void policyNotAsserted(Assertion assertion, String reason) {
         if (assertion == null) {
             return;
@@ -428,60 +466,11 @@ public abstract class AbstractStaxBindin
             }
         }
         
-        // boolean alsoIncludeToken = false;
-        /* TODO if (token instanceof IssuedToken || token instanceof SamlToken) {
-            SecurityToken securityToken = getSecurityToken();
-            String tokenType = securityToken.getTokenType();
-
-            Element ref;
-            if (attached) {
-                ref = securityToken.getAttachedReference();
-            } else {
-                ref = securityToken.getUnattachedReference();
-            }
-
-            if (ref != null) {
-                SecurityTokenReference secRef = 
-                    new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
-                sig.setSecurityTokenReference(secRef);
-                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-            } else {
-                int type = attached ? WSConstants.CUSTOM_SYMM_SIGNING 
-                    : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
-                if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
-                    || WSConstants.SAML_NS.equals(tokenType)) {
-                    sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
-                    sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
-                    || WSConstants.SAML2_NS.equals(tokenType)) {
-                    sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
-                    sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                } else {
-                    sig.setCustomTokenValueType(tokenType);
-                    sig.setKeyIdentifierType(type);
-                }
-            }
-
-            String sigTokId;
-            if (attached) {
-                sigTokId = securityToken.getWsuId();
-                if (sigTokId == null) {
-                    sigTokId = securityToken.getId();                    
-                }
-                if (sigTokId.startsWith("#")) {
-                    sigTokId = sigTokId.substring(1);
-                }
-            } else {
-                sigTokId = securityToken.getId();
-            }
-
-            sig.setCustomTokenId(sigTokId);
-        } else {
-        */
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         AbstractBinding binding = getBinding(aim);
-        config.put(ConfigurationConstants.SIG_KEY_ID, getKeyIdentifierType(wrapper, token));
         
+        config.put(ConfigurationConstants.SIG_KEY_ID, getKeyIdentifierType(wrapper, token));
+
         // Find out do we also need to include the token as per the Inclusion requirement
         if (token instanceof X509Token 
             && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER
@@ -510,9 +499,6 @@ public abstract class AbstractStaxBindin
         config.put(ConfigurationConstants.SIG_DIGEST_ALGO, algType.getDigest());
         // sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
 
-        //if (alsoIncludeToken) {
-        //    includeToken(user, crypto, sig);
-        //}
     }
     
     protected final TokenStore getTokenStore() {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
Thu Jul  4 13:10:04 2013
@@ -31,6 +31,7 @@ import org.apache.cxf.common.logging.Log
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -78,7 +79,12 @@ public class StaxTransportBindingHandler
             if (tbinding != null) {
                 TransportToken token = tbinding.getTransportToken();
                 if (token.getToken() instanceof IssuedToken) {
-                    // TODO
+                    SecurityToken secToken = getSecurityToken();
+                    if (secToken == null) {
+                        policyNotAsserted(token.getToken(), "No transport token id");
+                        return;
+                    }
+                    addIssuedToken((IssuedToken)token.getToken(), secToken, false, false);
                 }
             }
             
@@ -164,15 +170,8 @@ public class StaxTransportBindingHandler
         for (AbstractToken token : sgndSuppTokens.getTokens()) {
             if (token instanceof UsernameToken) {
                 addUsernameToken((UsernameToken)token);
-            /*TODO 
-              else if (token instanceof IssuedToken) {
-                SecurityToken secTok = getSecurityToken();
-                
-                if (includeToken(token.getIncludeTokenType())) {
-                    //Add the token
-                    addEncryptedKeyElement(cloneElement(secTok.getToken()));
-                }
-            } */
+            } else if (token instanceof IssuedToken) {
+                addIssuedToken((IssuedToken)token, getSecurityToken(), false, false);
             } else if (token instanceof KerberosToken) {
                 addKerberosToken((KerberosToken)token, false, false);
             } else if (token instanceof SamlToken) {
@@ -181,7 +180,6 @@ public class StaxTransportBindingHandler
                 throw new Exception(token.getName() + " is not supported in the streaming
code");
             }
         }
-        
     }
     
     /**
@@ -251,15 +249,17 @@ public class StaxTransportBindingHandler
     private void handleEndorsingToken(
         AbstractToken token, SupportingTokens wrapper
     ) throws Exception {
-        /* TODO if (token instanceof IssuedToken
-            || token instanceof SecureConversationToken
+        if (token instanceof IssuedToken) {
+            addIssuedToken((IssuedToken)token, getSecurityToken(), false, true);
+            doSignature(token, wrapper);
+        /* TODO if (token instanceof SecureConversationToken
             || token instanceof SecurityContextToken
             || token instanceof SpnegoContextToken) {
             addSig(doIssuedTokenSignature(token, wrapper));
-        } else */ 
-        if (token instanceof X509Token
+        */
+        } else if (token instanceof X509Token
             || token instanceof KeyValueToken) {
-            doX509TokenSignature(token, wrapper);
+            doSignature(token, wrapper);
         } else if (token instanceof SamlToken) {
             addSamlToken((SamlToken)token, false, true);
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
@@ -283,7 +283,7 @@ public class StaxTransportBindingHandler
         }
     }
     
-    private void doX509TokenSignature(AbstractToken token, SupportingTokens wrapper) 
+    private void doSignature(AbstractToken token, SupportingTokens wrapper) 
         throws Exception {
         
         signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());

Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java
(original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/BearerTest.java
Thu Jul  4 13:10:04 2013
@@ -109,6 +109,17 @@ public class BearerTest extends Abstract
             TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
         }
         
+        // DOM
+        doubleIt(transportSaml2Port, 45);
+        
+        // Streaming
+        transportSaml2Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml2Port, PORT);
+        if (standalone) {
+            TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
+        }
+        SecurityTestUtil.enableStreaming(transportSaml2Port);
         doubleIt(transportSaml2Port, 45);
         
         ((java.io.Closeable)transportSaml2Port).close();
@@ -185,8 +196,19 @@ public class BearerTest extends Abstract
             TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
         }
         
+        // DOM
         doubleIt(transportSaml2Port, 45);
         
+        // Streaming
+        transportSaml2Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml2Port, PORT);
+        if (standalone) {
+            TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
+        }
+        SecurityTestUtil.enableStreaming(transportSaml2Port);
+        // TODO See WSS-358 doubleIt(transportSaml2Port, 45);
+        
         ((java.io.Closeable)transportSaml2Port).close();
         bus.shutdown(true);
     }

Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
(original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
Thu Jul  4 13:10:04 2013
@@ -20,6 +20,11 @@ package org.apache.cxf.systest.sts.commo
 
 import java.io.File;
 
+import javax.xml.ws.BindingProvider;
+
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.example.contract.doubleit.DoubleItPortType;
+
 /**
  * A utility class for security tests
  */
@@ -46,4 +51,13 @@ public final class SecurityTestUtil {
         }
     }
     
+    public static void enableStreaming(DoubleItPortType port) {
+        ((BindingProvider)port).getRequestContext().put(
+            SecurityConstants.ENABLE_STREAMING_SECURITY, "true"
+        );
+        ((BindingProvider)port).getResponseContext().put(
+            SecurityConstants.ENABLE_STREAMING_SECURITY, "true"
+        );
+    }
+    
 }

Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java?rev=1499740&r1=1499739&r2=1499740&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
(original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
Thu Jul  4 13:10:04 2013
@@ -95,7 +95,17 @@ public class TransportBindingTest extend
         if (standalone) {
             TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
         }
+
+        // DOM
+        doubleIt(transportSaml1Port, 25);
         
+        // Streaming
+        transportSaml1Port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml1Port, PORT);
+        if (standalone) {
+            TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
+        }
+        SecurityTestUtil.enableStreaming(transportSaml1Port);
         doubleIt(transportSaml1Port, 25);
         
         ((java.io.Closeable)transportSaml1Port).close();
@@ -122,8 +132,19 @@ public class TransportBindingTest extend
             TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
         }
         
+        // DOM
         doubleIt(transportSaml2Port, 30);
         
+        // Streaming
+        transportSaml2Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml2Port, PORT);
+        if (standalone) {
+            TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT);
+        }
+        SecurityTestUtil.enableStreaming(transportSaml2Port);
+        doubleIt(transportSaml2Port, 25);
+        
         ((java.io.Closeable)transportSaml2Port).close();
         bus.shutdown(true);
     }
@@ -154,6 +175,22 @@ public class TransportBindingTest extend
             TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
         }
         
+        // DOM
+        try {
+            doubleIt(transportSaml1Port, 35);
+            fail("Expected failure on an unknown client");
+        } catch (javax.xml.ws.soap.SOAPFaultException fault) {
+            // expected
+        }
+        
+        // Streaming
+        transportSaml1Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml1Port, PORT);
+        if (standalone) {
+            TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
+        }
+        SecurityTestUtil.enableStreaming(transportSaml1Port);
         try {
             doubleIt(transportSaml1Port, 35);
             fail("Expected failure on an unknown client");
@@ -164,7 +201,7 @@ public class TransportBindingTest extend
         ((java.io.Closeable)transportSaml1Port).close();
         bus.shutdown(true);
     }
-
+    
     @org.junit.Test
     public void testSAML1Endorsing() throws Exception {
 
@@ -185,8 +222,19 @@ public class TransportBindingTest extend
             TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
         }
         
+        // DOM
         doubleIt(transportSaml1Port, 40);
         
+        // Streaming
+        transportSaml1Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml1Port, PORT);
+        if (standalone) {
+            TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, STSPORT);
+        }
+        SecurityTestUtil.enableStreaming(transportSaml1Port);
+        // TODO doubleIt(transportSaml1Port, 25);
+        
         ((java.io.Closeable)transportSaml1Port).close();
         bus.shutdown(true);
     }
@@ -226,7 +274,6 @@ public class TransportBindingTest extend
         ((java.io.Closeable)transportSaml1Port).close();
         bus.shutdown(true);
     }
-
     
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);



Mime
View raw message