cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1547853 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/ services/sts/systests/advanced/ services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/ services/sts/systests/advanced/src/test...
Date Wed, 04 Dec 2013 17:44:04 GMT
Author: coheigea
Date: Wed Dec  4 17:44:04 2013
New Revision: 1547853

URL: http://svn.apache.org/r1547853
Log:
More advanced STS systests

Added:
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
    cxf/trunk/services/sts/systests/advanced/pom.xml
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
Wed Dec  4 17:44:04 2013
@@ -20,42 +20,52 @@ package org.apache.cxf.ws.security.trust
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
-
 import org.apache.commons.codec.binary.Base64;
-
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-
+import org.apache.wss4j.binding.wss10.AttributedString;
 import org.apache.wss4j.binding.wss10.BinarySecurityTokenType;
+import org.apache.wss4j.binding.wss10.EncodedString;
+import org.apache.wss4j.binding.wss10.PasswordString;
+import org.apache.wss4j.binding.wss10.UsernameTokenType;
+import org.apache.wss4j.binding.wsu10.AttributedDateTime;
 import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.message.token.PKIPathSecurity;
+import org.apache.wss4j.dom.message.token.UsernameToken;
 import org.apache.wss4j.dom.message.token.X509Security;
 import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.impl.securityToken.KerberosServiceSecurityTokenImpl;
 import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
+import org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl;
 import org.apache.wss4j.stax.impl.securityToken.X509PKIPathv1SecurityTokenImpl;
 import org.apache.wss4j.stax.impl.securityToken.X509V3SecurityTokenImpl;
 import org.apache.wss4j.stax.securityToken.SamlSecurityToken;
+import org.apache.wss4j.stax.securityToken.UsernameSecurityToken;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.wss4j.stax.validate.BinarySecurityTokenValidator;
 import org.apache.wss4j.stax.validate.BinarySecurityTokenValidatorImpl;
 import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
 import org.apache.wss4j.stax.validate.TokenContext;
-
+import org.apache.wss4j.stax.validate.UsernameTokenValidator;
 import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.XMLSecurityUtils;
 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
 
 /**
  * A Streaming SAML Token Validator implementation to validate a received Token to a 
  * SecurityTokenService (STS).
+ * 
+ * TODO Refactor this class a bit better...
  */
 public class STSStaxTokenValidator 
-    extends SamlTokenValidatorImpl implements BinarySecurityTokenValidator {
+    extends SamlTokenValidatorImpl implements BinarySecurityTokenValidator, UsernameTokenValidator
{
     
     private boolean alwaysValidateToSts;
     
@@ -142,6 +152,228 @@ public class STSStaxTokenValidator 
         return validator.validate(binarySecurityTokenType, tokenContext);
     }
     
+    @SuppressWarnings("unchecked")
+    @Override
+    public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(UsernameTokenType
usernameTokenType,
+                                                                               TokenContext
tokenContext)
+        throws WSSecurityException {
+        // If the UsernameToken is to be used for key derivation, the (1.1)
+        // spec says that it cannot contain a password, and it must contain
+        // an Iteration element
+        final byte[] salt = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse11_Salt);
+        PasswordString passwordType = 
+            XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse_Password);
+        final Long iteration = 
+            XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse11_Iteration);
+        if (salt != null && (passwordType != null || iteration == null)) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"badTokenType01");
+        }
+
+        boolean handleCustomPasswordTypes = 
+            tokenContext.getWssSecurityProperties().getHandleCustomPasswordTypes();
+        boolean allowUsernameTokenNoPassword = 
+            tokenContext.getWssSecurityProperties().isAllowUsernameTokenNoPassword() 
+                || Boolean.parseBoolean((String)tokenContext.getWsSecurityContext().get(
+                    WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD));
+
+        // Check received password type against required type
+        WSSConstants.UsernameTokenPasswordType requiredPasswordType = 
+            tokenContext.getWssSecurityProperties().getUsernameTokenPasswordType();
+        if (requiredPasswordType != null) {
+            if (passwordType == null || passwordType.getType() == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+            }
+            WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType =
+                WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordType.getType());
+            if (requiredPasswordType != usernameTokenPasswordType) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+            }
+        }
+        
+        WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType = 
+            WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
+        if (passwordType != null && passwordType.getType() != null) {
+            usernameTokenPasswordType = 
+                WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(
+                    passwordType.getType());
+        }
+
+        final AttributedString username = usernameTokenType.getUsername();
+        if (username == null) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,

+                                          "badTokenType01");
+        }
+
+        final EncodedString encodedNonce =
+                XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), 
+                                              WSSConstants.TAG_wsse_Nonce);
+        byte[] nonceVal = null;
+        if (encodedNonce != null && encodedNonce.getValue() != null) {
+            nonceVal = Base64.decodeBase64(encodedNonce.getValue());
+        }
+
+        final AttributedDateTime attributedDateTimeCreated =
+                XMLSecurityUtils.getQNameType(usernameTokenType.getAny(),
+                                              WSSConstants.TAG_wsu_Created);
+
+        String created = null;
+        if (attributedDateTimeCreated != null) {
+            created = attributedDateTimeCreated.getValue();
+        }
+        
+        // Validate to STS if required
+        boolean valid = false;
+        final SoapMessage message = 
+            (SoapMessage)tokenContext.getWssSecurityProperties().getMsgContext();
+        if (alwaysValidateToSts) {
+            Element tokenElement = 
+                convertToDOM(username.getValue(), passwordType.getValue(), 
+                             passwordType.getType(), usernameTokenType.getId());
+            validateTokenToSTS(tokenElement, message);
+            valid = true;
+        }
+
+        if (!valid) {
+            try {
+                if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST)
{
+                    if (encodedNonce == null || attributedDateTimeCreated == null) {
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,

+                                                      "badTokenType01");
+                    }
+    
+                    if (!WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING.equals(encodedNonce.getEncodingType()))
{
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN,

+                                                      "badTokenType01");
+                    }
+    
+                    verifyDigestPassword(username.getValue(), passwordType, nonceVal, created,
tokenContext);
+                } else if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT
+                        || passwordType != null && passwordType.getValue() != null
+                        && usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE)
{
+                    
+                    verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
+                } else if (passwordType != null && passwordType.getValue() != null)
{
+                    if (!handleCustomPasswordTypes) {
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+                    }
+                    verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
+                } else {
+                    if (!allowUsernameTokenNoPassword) {
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+                    }
+                }
+            } catch (WSSecurityException ex) {
+                Element tokenElement = 
+                    convertToDOM(username.getValue(), passwordType.getValue(), 
+                                 passwordType.getType(), usernameTokenType.getId());
+                validateTokenToSTS(tokenElement, message);
+            }
+        }
+
+        final String password;
+        if (passwordType != null) {
+            password = passwordType.getValue();
+        } else if (salt != null) {
+            WSPasswordCallback pwCb = new WSPasswordCallback(username.getValue(),
+                   WSPasswordCallback.USERNAME_TOKEN);
+            try {
+                WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(),
pwCb);
+            } catch (WSSecurityException e) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION,
e);
+            }
+            password = pwCb.getPassword();
+        } else {
+            password = null;
+        }
+
+        UsernameSecurityTokenImpl usernameSecurityToken = new UsernameSecurityTokenImpl(
+                usernameTokenPasswordType, username.getValue(), password, created,
+                nonceVal, salt, iteration,
+                tokenContext.getWsSecurityContext(), usernameTokenType.getId(),
+                WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
+        usernameSecurityToken.setElementPath(tokenContext.getElementPath());
+        usernameSecurityToken.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
+
+        return (T)usernameSecurityToken;
+    }
+    
+    /**
+     * Verify a UsernameToken containing a password digest.
+     */
+    private void verifyDigestPassword(
+        String username,
+        PasswordString passwordType,
+        byte[] nonceVal,
+        String created,
+        TokenContext tokenContext
+    ) throws WSSecurityException {
+        WSPasswordCallback pwCb = new WSPasswordCallback(username,
+                null,
+                passwordType.getType(),
+                WSPasswordCallback.USERNAME_TOKEN);
+        try {
+            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(),
pwCb);
+        } catch (WSSecurityException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION,
e);
+        }
+
+        if (pwCb.getPassword() == null) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        }
+
+        String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword());
+        if (!passwordType.getValue().equals(passDigest)) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        }
+        passwordType.setValue(pwCb.getPassword());
+    }
+    
+    /**
+     * Verify a UsernameToken containing a plaintext password.
+     */
+    private void verifyPlaintextPassword(
+        String username,
+        PasswordString passwordType,
+        TokenContext tokenContext
+    ) throws WSSecurityException {
+        WSPasswordCallback pwCb = new WSPasswordCallback(username,
+                null,
+                passwordType.getType(),
+                WSPasswordCallback.USERNAME_TOKEN);
+        try {
+            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(),
pwCb);
+        } catch (WSSecurityException e) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION,
e);
+        }
+
+        if (pwCb.getPassword() == null) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        }
+
+        if (!passwordType.getValue().equals(pwCb.getPassword())) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        }
+        passwordType.setValue(pwCb.getPassword());
+    }
+    
+    // Convert to DOM to send the token to the STS - it does not copy Nonce/Created/Iteration

+    // values
+    private Element convertToDOM(
+        String username, String password, String passwordType, String id
+    ) {
+        Document doc = DOMUtils.newDocument();
+        
+        UsernameToken usernameToken = new UsernameToken(true, doc, passwordType);
+        usernameToken.setName(username);
+        usernameToken.setPassword(password);
+        usernameToken.setID(id);
+        
+        usernameToken.addWSSENamespace();
+        usernameToken.addWSUNamespace();
+        
+        return usernameToken.getElement();
+    }
+    
     private static void validateTokenToSTS(Element tokenElement, SoapMessage message) 
         throws WSSecurityException {
         SecurityToken token = new SecurityToken();
@@ -322,4 +554,6 @@ public class STSStaxTokenValidator 
             return binarySecurity.getElement();
         }
     }
+
+
 }

Modified: cxf/trunk/services/sts/systests/advanced/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/pom.xml?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/pom.xml (original)
+++ cxf/trunk/services/sts/systests/advanced/pom.xml Wed Dec  4 17:44:04 2013
@@ -79,6 +79,17 @@
             <scope>test</scope>
         </dependency>
         <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.directory.server</groupId>
+            <artifactId>apacheds-kerberos-shared</artifactId>
+            <version>1.5.7</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
             <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-rt-databinding-jaxb</artifactId>
             <version>${project.version}</version>

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
(original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
Wed Dec  4 17:44:04 2013
@@ -20,8 +20,9 @@ package org.apache.cxf.systest.sts.commo
 
 import java.util.List;
 
-import org.w3c.dom.Element;
+import javax.xml.ws.BindingProvider;
 
+import org.w3c.dom.Element;
 import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.frontend.ClientProxy;
@@ -72,4 +73,25 @@ public final class TokenTestUtils {
         }
     }
 
+    public static void updateSTSPort(BindingProvider p, String port) {
+        STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+        if (stsClient != null) {
+            String location = stsClient.getWsdlLocation();
+            if (location != null && location.contains("8080")) {
+                stsClient.setWsdlLocation(location.replace("8080", port));
+            } else if (location != null && location.contains("8443")) {
+                stsClient.setWsdlLocation(location.replace("8443", port));
+            }
+        }
+        stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT + ".sct");
+        if (stsClient != null) {
+            String location = stsClient.getWsdlLocation();
+            if (location.contains("8080")) {
+                stsClient.setWsdlLocation(location.replace("8080", port));
+            } else if (location.contains("8443")) {
+                stsClient.setWsdlLocation(location.replace("8443", port));
+            }
+        }
+    }
+    
 }

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
(original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
Wed Dec  4 17:44:04 2013
@@ -19,18 +19,25 @@
 package org.apache.cxf.systest.sts.kerberos;
 
 import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
 
 import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
 import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
+import org.apache.cxf.systest.sts.common.TestParam;
+import org.apache.cxf.systest.sts.common.TokenTestUtils;
 import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.systest.sts.deployment.StaxSTSServer;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
 import org.example.contract.doubleit.DoubleItPortType;
 import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized.Parameters;
 
 /**
  * In this test, a CXF client requests a SAML2 HOK Assertion from the STS, which has a policy
of requiring
@@ -42,15 +49,23 @@ import org.junit.BeforeClass;
  * user principal "alice" (keytab in "/etc/alice.keytab"), and host service "bob@service.ws.apache.org"

  * (keytab in "/etc/bob.keytab").
  */
+@RunWith(value = org.junit.runners.Parameterized.class)
 public class KerberosTokenTest extends AbstractBusClientServerTestBase {
     
     static final String STSPORT = allocatePort(STSServer.class);
+    static final String STAX_STSPORT = allocatePort(StaxSTSServer.class);
     
     private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
     private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
 
     private static final String PORT = allocatePort(Server.class);
     
+    final TestParam test;
+    
+    public KerberosTokenTest(TestParam type) {
+        this.test = type;
+    }
+    
     @BeforeClass
     public static void startServers() throws Exception {
         assertTrue(
@@ -65,6 +80,22 @@ public class KerberosTokenTest extends A
                    // set this to false to fork
                    launchServer(STSServer.class, true)
         );
+        assertTrue(
+                   "Server failed to launch",
+                   // run the server in the same process
+                   // set this to false to fork
+                   launchServer(StaxSTSServer.class, true)
+        );
+    }
+    
+    @Parameters(name = "{0}")
+    public static Collection<TestParam[]> data() {
+       
+        return Arrays.asList(new TestParam[][] {{new TestParam(PORT, false, STSPORT)},
+                                                {new TestParam(PORT, true, STSPORT)},
+                                                {new TestParam(PORT, false, STAX_STSPORT)},
+                                                {new TestParam(PORT, true, STAX_STSPORT)},
+        });
     }
     
     @org.junit.AfterClass
@@ -89,7 +120,9 @@ public class KerberosTokenTest extends A
         QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
         DoubleItPortType transportSaml2Port = 
             service.getPort(portQName, DoubleItPortType.class);
-        updateAddressPort(transportSaml2Port, PORT);
+        updateAddressPort(transportSaml2Port, test.getPort());
+        
+        TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, test.getStsPort());
 
         doubleIt(transportSaml2Port, 25);
         

Added: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java?rev=1547853&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java
(added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/StaxServer.java
Wed Dec  4 17:44:04 2013
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.usernametoken;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class StaxServer extends AbstractBusTestServerBase {
+
+    public StaxServer() {
+
+    }
+
+    protected void run()  {
+        URL busFile = StaxServer.class.getResource("stax-cxf-service.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new StaxServer();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java
(original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java
Wed Dec  4 17:44:04 2013
@@ -19,6 +19,8 @@
 package org.apache.cxf.systest.sts.usernametoken;
 
 import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
 
 import javax.xml.namespace.QName;
 import javax.xml.ws.Service;
@@ -26,24 +28,36 @@ import javax.xml.ws.Service;
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
+import org.apache.cxf.systest.sts.common.TestParam;
 import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.systest.sts.deployment.StaxSTSServer;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
 import org.example.contract.doubleit.DoubleItPortType;
 import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized.Parameters;
 
 /**
  * In this test case, a CXF client sends a Username Token via (1-way) TLS to a CXF provider.
  * The provider dispatches the Username Token to an STS for validation (via TLS).
  */
+@RunWith(value = org.junit.runners.Parameterized.class)
 public class UsernameTokenTest extends AbstractBusClientServerTestBase {
     
     static final String STSPORT = allocatePort(STSServer.class);
+    static final String STAX_STSPORT = allocatePort(StaxSTSServer.class);
     
     private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
     private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
 
     private static final String PORT = allocatePort(Server.class);
+    private static final String STAX_PORT = allocatePort(StaxServer.class);
+
+    final TestParam test;
+    
+    public UsernameTokenTest(TestParam type) {
+        this.test = type;
+    }
     
     @BeforeClass
     public static void startServers() throws Exception {
@@ -57,8 +71,30 @@ public class UsernameTokenTest extends A
                    "Server failed to launch",
                    // run the server in the same process
                    // set this to false to fork
+                   launchServer(StaxServer.class, true)
+        );
+        assertTrue(
+                   "Server failed to launch",
+                   // run the server in the same process
+                   // set this to false to fork
                    launchServer(STSServer.class, true)
         );
+        assertTrue(
+                   "Server failed to launch",
+                   // run the server in the same process
+                   // set this to false to fork
+                   launchServer(StaxSTSServer.class, true)
+        );
+    }
+    
+    @Parameters(name = "{0}")
+    public static Collection<TestParam[]> data() {
+       
+        return Arrays.asList(new TestParam[][] {{new TestParam(PORT, false, "")},
+                                                {new TestParam(PORT, true, "")},
+                                                {new TestParam(STAX_PORT, false, "")},
+                                                {new TestParam(STAX_PORT, true, "")},
+        });
     }
     
     @org.junit.AfterClass
@@ -82,8 +118,12 @@ public class UsernameTokenTest extends A
         QName portQName = new QName(NAMESPACE, "DoubleItTransportUTPort");
         DoubleItPortType transportUTPort = 
             service.getPort(portQName, DoubleItPortType.class);
-        updateAddressPort(transportUTPort, PORT);
-
+        updateAddressPort(transportUTPort, test.getPort());
+        
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(transportUTPort);
+        }
+        
         doubleIt(transportUTPort, 25);
         
         ((java.io.Closeable)transportUTPort).close();
@@ -105,15 +145,22 @@ public class UsernameTokenTest extends A
         QName portQName = new QName(NAMESPACE, "DoubleItTransportUTPort");
         DoubleItPortType transportUTPort = 
             service.getPort(portQName, DoubleItPortType.class);
-        updateAddressPort(transportUTPort, PORT);
+        updateAddressPort(transportUTPort, test.getPort());
+        
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(transportUTPort);
+        }
         
         try {
             doubleIt(transportUTPort, 30);
             fail("Expected failure on a bad password");
         } catch (javax.xml.ws.soap.SOAPFaultException fault) {
-            String message = fault.getMessage();
-            assertTrue(message.contains("STS Authentication failed")
-                || message.contains("Validation of security token failed"));
+            if (test.isStreaming()) {
+                String message = fault.getMessage();
+                assertTrue(message.contains("STS Authentication failed")
+                    || message.contains("Validation of security token failed")
+                    || message.contains("PolicyViolationException"));
+            }
         }
         
         ((java.io.Closeable)transportUTPort).close();

Modified: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl?rev=1547853&r1=1547852&r2=1547853&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl
(original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl
Wed Dec  4 17:44:04 2013
@@ -78,8 +78,7 @@
                                 <sp:RequireInternalReference/>
                             </wsp:Policy>
                             <sp:Issuer>
-                                <wsaw:Address>http://localhost:8080/STS/STSUT
-                                                                </wsaw:Address>
+                                <wsaw:Address>http://localhost:8080/STS/STSUT</wsaw:Address>
                                 <wsaw:Metadata>
                                     <wsx:Metadata>
                                         <wsx:MetadataSection>

Added: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml?rev=1547853&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml
(added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/stax-cxf-service.xml
Wed Dec  4 17:44:04 2013
@@ -0,0 +1,79 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation="             http://cxf.apache.org/core
            http://cxf.apache.org/schemas/core.xsd             http://cxf.apache.org/configuration/security
            http://cxf.apache.org/schemas/configuration/security.xsd             http://cxf.apache.org/jaxws
            http://cxf.apache.org/schemas/jaxws.xsd             http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd             http://cxf.apache.org/transports/http-jetty/configuration
            http://cxf.apache.org/schemas/configuration/http-jetty.xsd      
        http://www.springframework.org/schema/beans             http://www.springframework.org/schema/beans/spring-beans.xsd">
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    <cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportut"
implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportUTPort"
serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.StaxServer}/doubleit/services/doubleittransportut"
wsdlLocation="org/apache/cxf/systest/sts/usernametoken/DoubleIt.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+            <entry key="ws-security.ut.validator">
+                <bean class="org.apache.cxf.ws.security.trust.STSStaxTokenValidator"/>
+            </entry>
+            <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.sts.client">
+                <bean class="org.apache.cxf.ws.security.trust.STSClient">
+                    <constructor-arg ref="cxf"/>
+                    <property name="wsdlLocation" value="https://localhost:${testutil.ports.StaxSTSServer}/SecurityTokenService/Transport?wsdl"/>
+                    <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+                    <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
+                    <property name="properties">
+                        <map>
+                            <entry key="ws-security.username" value="bob"/>
+                            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+                            <entry key="ws-security.enable.streaming" value="true"/>
+                        </map>
+                    </property>
+                </bean>
+            </entry>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
+        <httpj:engine port="${testutil.ports.StaxServer}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="skpass">
+                    <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+                </sec:keyManagers>
+                <sec:cipherSuitesFilter>
+                    <sec:include>.*_EXPORT_.*</sec:include>
+                    <sec:include>.*_EXPORT1024_.*</sec:include>
+                    <sec:include>.*_WITH_DES_.*</sec:include>
+                    <sec:include>.*_WITH_AES_.*</sec:include>
+                    <sec:include>.*_WITH_NULL_.*</sec:include>
+                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
+                </sec:cipherSuitesFilter>
+                <sec:clientAuthentication want="false" required="false"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    <http:conduit name="https://localhost:.*">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+            </sec:trustManagers>
+            <sec:keyManagers keyPassword="skpass">
+                <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+            </sec:keyManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
+</beans>



Mime
View raw message