cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1519653 - in /cxf/branches/2.6.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/sam...
Date Tue, 03 Sep 2013 11:28:53 GMT
Author: coheigea
Date: Tue Sep  3 11:28:52 2013
New Revision: 1519653

URL: http://svn.apache.org/r1519653
Log:
[CXF-5248] - Signed SAML assertion validation error w/ SupportingTokens only policy
 - Added tests + some other bits and pieces

Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
	systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
	systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml


Conflicts:
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java

Modified:
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
    cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
    cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java?rev=1519653&r1=1519652&r2=1519653&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
Tue Sep  3 11:28:52 2013
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
 import java.security.Principal;
+import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -32,7 +33,6 @@ import javax.security.auth.callback.Call
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.Bus;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
@@ -45,12 +45,14 @@ import org.apache.cxf.interceptor.securi
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.resource.ResourceManager;
 import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
 import org.apache.cxf.ws.security.policy.model.Token;
+
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDocInfo;
 import org.apache.ws.security.WSPasswordCallback;
@@ -67,6 +69,7 @@ import org.apache.ws.security.processor.
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.saml.ext.SAMLParms;
 import org.apache.ws.security.validate.Validator;
+
 import org.opensaml.common.SAMLVersion;
 
 /**
@@ -124,6 +127,20 @@ public class SamlTokenInterceptor extend
                                 if (!checkVersion(samlToken, assertionWrapper)) {
                                     ai.setNotAsserted("Wrong SAML Version");
                                 }
+                                
+                                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+                                Certificate[] tlsCerts = null;
+                                if (tlsInfo != null) {
+                                    tlsCerts = tlsInfo.getPeerCertificates();
+                                }
+                                if (!SAMLUtils.checkHolderOfKey(assertionWrapper, null, tlsCerts))
{
+                                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
+                                    continue;
+                                }
+                                if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts,
null, null)) {
+                                    ai.setNotAsserted("Assertion fails sender-vouches requirements");
+                                    continue;
+                                }
                             }
                         }
                         
@@ -182,6 +199,9 @@ public class SamlTokenInterceptor extend
         };
         data.setWssConfig(WSSConfig.getNewInstance());
         
+        data.setSigCrypto(getCrypto(null, SecurityConstants.SIGNATURE_CRYPTO,
+                                     SecurityConstants.SIGNATURE_PROPERTIES, message));
+        
         SAMLTokenProcessor p = new SAMLTokenProcessor();
         List<WSSecurityEngineResult> results = 
             p.handleToken(tokenElement, data, wsDocInfo);

Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1519653&r1=1519652&r2=1519653&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Tue Sep  3 11:28:52 2013
@@ -31,6 +31,7 @@ import org.apache.cxf.systest.ws.common.
 import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
 import org.apache.cxf.systest.ws.saml.server.Server;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.ws.security.saml.ext.builder.SAML2Constants;
 import org.example.contract.doubleit.DoubleItPortType;
@@ -124,6 +125,78 @@ public class SamlTokenTest extends Abstr
     }
     
     @org.junit.Test
+    public void testSaml1Supporting() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml1SupportingPort");
+        DoubleItPortType saml1Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml1Port, PORT2);
+        
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", new SamlCallbackHandler(false)
+        );
+        
+        int result = saml1Port.doubleIt(25);
+        assertTrue(result == 50);
+        
+        ((java.io.Closeable)saml1Port).close();
+        bus.shutdown(true);
+    }
+    
+    // Self-signing (see CXF-5248)
+    @org.junit.Test
+    public void testSaml1SupportingSelfSigned() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml1SupportingPort");
+        DoubleItPortType saml1Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml1Port, PORT2);
+        
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", new SamlCallbackHandler(false)
+        );
+        
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SELF_SIGN_SAML_ASSERTION, true
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SIGNATURE_USERNAME, "alice"
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SIGNATURE_PROPERTIES, 
+            "org/apache/cxf/systest/ws/wssec10/client/alice.properties"
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.CALLBACK_HANDLER, 
+            "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"
+        );
+        
+        int result = saml1Port.doubleIt(25);
+        assertTrue(result == 50);
+        
+        ((java.io.Closeable)saml1Port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
     public void testSaml2OverSymmetric() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();

Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl?rev=1519653&r1=1519652&r2=1519653&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
(original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
Tue Sep  3 11:28:52 2013
@@ -49,6 +49,23 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItSaml1SupportingBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItSaml1SupportingPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     <wsdl:binding name="DoubleItSaml1SelfSignedTransportBinding" type="tns:DoubleItPortType">
         <wsp:PolicyReference URI="#DoubleItSaml1SelfSignedTransportPolicy" />
         <soap:binding style="document"
@@ -298,6 +315,9 @@
         <wsdl:port name="DoubleItSaml1TransportPort" binding="tns:DoubleItSaml1TransportBinding">
             <soap:address location="https://localhost:9009/DoubleItSaml1Transport" />
         </wsdl:port>
+        <wsdl:port name="DoubleItSaml1SupportingPort" binding="tns:DoubleItSaml1SupportingBinding">
+            <soap:address location="https://localhost:9009/DoubleItSaml1Supporting" />
+        </wsdl:port>
         <wsdl:port name="DoubleItSaml1TransportPort2" binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="https://localhost:9009/DoubleItSaml1Transport2" />
         </wsdl:port>
@@ -393,6 +413,22 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy wsu:Id="DoubleItSaml1SupportingPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SupportingTokens>
+                    <wsp:Policy>
+                        <sp:SamlToken
+                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                            <wsp:Policy>
+                                <sp:WssSamlV11Token11/>
+                            </wsp:Policy>
+                        </sp:SamlToken>
+                    </wsp:Policy>
+                </sp:SupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
     <wsp:Policy wsu:Id="DoubleItSaml1SelfSignedTransportPolicy">
         <wsp:ExactlyOne>
             <wsp:All>

Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1519653&r1=1519652&r2=1519653&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Tue Sep  3 11:28:52 2013
@@ -105,6 +105,26 @@
      
     </jaxws:endpoint> 
     
+     <jaxws:endpoint 
+       id="Saml1SupportingToken"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Supporting" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml1SupportingPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
     <jaxws:endpoint 
        id="Saml2TokenOverSymmetric"
        address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Symmetric" 



Mime
View raw message