cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1525033 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/
Date Fri, 20 Sep 2013 15:24:50 GMT
Author: coheigea
Date: Fri Sep 20 15:24:49 2013
New Revision: 1525033

URL: http://svn.apache.org/r1525033
Log:
[CXF-4442] - StAX support

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java?rev=1525033&r1=1525032&r2=1525033&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
Fri Sep 20 15:24:49 2013
@@ -444,6 +444,24 @@ public class PolicyBasedWSS4JStaxInInter
         return false;
     }
     
+    /**
+     * Is a SAML Cache required, i.e. are we expecting a SAML Token 
+     */
+    @Override
+    protected boolean isSamlCacheRequired(SoapMessage msg) {
+        AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+        if (aim != null) {
+            Collection<AssertionInfo> ais = 
+                getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+            
+            if (!ais.isEmpty()) {
+                return true;
+            }
+        }
+        
+        return false;
+    }
+    
     @Override
     protected List<SecurityEventListener> configureSecurityEventListeners(
         SoapMessage msg, WSSSecurityProperties securityProperties

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java?rev=1525033&r1=1525032&r2=1525033&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
Fri Sep 20 15:24:49 2013
@@ -235,6 +235,31 @@ public class WSS4JStaxInInterceptor exte
             }
         }
         
+        ReplayCache samlCache = null;
+        if (isSamlCacheRequired(msg)) {
+            samlCache = WSS4JUtils.getReplayCache(
+                msg, SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, 
+                SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE
+            );
+        }
+        if (samlCache == null) {
+            if (config != null) {
+                config.put(ConfigurationConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, "false");
+                config.remove(ConfigurationConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE);
+            } else {
+                securityProperties.setEnableSamlOneTimeUseReplayCache(false);
+                securityProperties.setSamlOneTimeUseReplayCache(null);
+            }
+        } else {
+            if (config != null) {
+                config.put(ConfigurationConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, "true");
+                config.put(ConfigurationConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE, samlCache);
+            } else {
+                securityProperties.setEnableSamlOneTimeUseReplayCache(true);
+                securityProperties.setSamlOneTimeUseReplayCache(samlCache);
+            }
+        }
+        
         boolean enableRevocation = 
             MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
         if (securityProperties != null) {
@@ -319,6 +344,27 @@ public class WSS4JStaxInInterceptor exte
     }
     
     /**
+     * Is a SAML Cache required, i.e. are we expecting a SAML Token 
+     */
+    protected boolean isSamlCacheRequired(SoapMessage msg) {
+        WSSSecurityProperties securityProperties = getSecurityProperties();
+        
+        if (securityProperties != null && securityProperties.getOutAction() != null)
{
+            for (WSSConstants.Action action : securityProperties.getOutAction()) {
+                if (action == WSSConstants.SAML_TOKEN_UNSIGNED 
+                    || action == WSSConstants.SAML_TOKEN_SIGNED) {
+                    return true;
+                }
+            }
+        } else if (actions != null && (actions.contains(ConfigurationConstants.SAML_TOKEN_UNSIGNED)
+            || actions.contains(ConfigurationConstants.SAML_TOKEN_SIGNED))) {
+            return true;
+        }
+        
+        return false;
+    }
+    
+    /**
      * Create a SoapFault from a WSSecurityException, following the SOAP Message Security
      * 1.1 specification, chapter 12 "Error Handling".
      * 

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java?rev=1525033&r1=1525032&r2=1525033&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
Fri Sep 20 15:24:49 2013
@@ -27,12 +27,16 @@ import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
 import org.apache.cxf.systest.ws.saml.client.SamlElementCallbackHandler;
 import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
+import org.apache.cxf.systest.ws.ut.SecurityHeaderCacheInterceptor;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.wss4j.common.saml.bean.ConditionsBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
@@ -1156,4 +1160,67 @@ public class StaxSamlTokenTest extends A
         ((java.io.Closeable)saml2Port).close();
         bus.shutdown(true);
     }
+    
+    @org.junit.Test
+    public void testSaml2Replay() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort");
+        DoubleItPortType saml2Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml2Port, PORT2);
+
+        // Create a SAML Token with no "OneTimeUse" Condition
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", new SamlCallbackHandler()
+        );
+        
+        Client cxfClient = ClientProxy.getClient(saml2Port);
+        SecurityHeaderCacheInterceptor cacheInterceptor =
+            new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations...should succeed
+        saml2Port.doubleIt(25);
+        saml2Port.doubleIt(25);
+        
+        // Now create a SAML Token with a "OneTimeUse" Condition
+        ConditionsBean conditions = new ConditionsBean();
+        conditions.setTokenPeriodMinutes(5);
+        conditions.setOneTimeUse(true);
+            
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConditions(conditions);
+        
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        
+        cxfClient.getOutInterceptors().remove(cacheInterceptor);
+        cacheInterceptor = new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations...should fail on the second one
+        saml2Port.doubleIt(25);
+        
+        try {
+            saml2Port.doubleIt(25);
+            fail("Failure expected on a replayed SAML Assertion");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            String error = "A replay attack has been detected";
+            assertTrue(ex.getMessage().contains(error));
+        }
+        
+        ((java.io.Closeable)saml2Port).close();
+        bus.shutdown(true);
+    }
+    
 }

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml?rev=1525033&r1=1525032&r2=1525033&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
Fri Sep 20 15:24:49 2013
@@ -482,4 +482,24 @@
        </jaxws:inInterceptors>
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="Saml2TransportToken"
+       address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport"

+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml2TransportPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+           <entry key="ws-security.enable.streaming" value="true"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>



Mime
View raw message