cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1553156 - in /cxf/trunk: rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/ rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/ rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml...
Date Mon, 23 Dec 2013 17:30:03 GMT
Author: sergeyb
Date: Mon Dec 23 17:30:03 2013
New Revision: 1553156

URL: http://svn.apache.org/r1553156
Log:
[CXF-5424] Optionally loading the key info out of band

Modified:
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
    cxf/trunk/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1553156&r1=1553155&r2=1553156&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Mon Dec 23 17:30:03 2013
@@ -73,6 +73,7 @@ public class RequestAssertionConsumerSer
     private boolean supportBase64Encoding = true;
     private boolean enforceAssertionsSigned = true;
     private boolean enforceKnownIssuer = true;
+    private boolean keyInfoMustBeAvailable = true;
     private TokenReplayCache<String> replayCache;
 
     private MessageContext messageContext;
@@ -281,6 +282,7 @@ public class RequestAssertionConsumerSer
     ) {
         try {
             SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
+            protocolValidator.setKeyInfoMustBeAvailable(keyInfoMustBeAvailable);
             protocolValidator.validateSamlResponse(samlResponse, getSignatureCrypto(), getCallbackHandler());
         } catch (WSSecurityException ex) {
             LOG.log(Level.FINE, ex.getMessage(), ex);
@@ -338,4 +340,7 @@ public class RequestAssertionConsumerSer
         LOG.warning(errorMsg.toString());
     }
     
+    public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
+        this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
+    }
 }

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java?rev=1553156&r1=1553155&r2=1553156&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
Mon Dec 23 17:30:03 2013
@@ -81,7 +81,7 @@ public class SAMLProtocolResponseValidat
     
     private Validator assertionValidator = new SamlAssertionValidator();
     private Validator signatureValidator = new SignatureTrustValidator();
-    
+    private boolean keyInfoMustBeAvailable = true;
     /**
      * Validate a SAML 2 Protocol Response
      * @param samlResponse
@@ -256,16 +256,21 @@ public class SAMLProtocolResponseValidat
         requestData.setWssConfig(wssConfig);
         requestData.setCallbackHandler(callbackHandler);
         
-        KeyInfo keyInfo = signature.getKeyInfo();
         SAMLKeyInfo samlKeyInfo = null;
-        try {
-            samlKeyInfo = 
-                SAMLUtil.getCredentialFromKeyInfo(
-                    keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(doc)),
sigCrypto
-                );
-        } catch (WSSecurityException ex) {
-            LOG.log(Level.FINE, "Error in getting KeyInfo from SAML Response: " + ex.getMessage(),
ex);
-            throw ex;
+        
+        KeyInfo keyInfo = signature.getKeyInfo();
+        if (keyInfo != null) {
+            try {
+                samlKeyInfo = 
+                    SAMLUtil.getCredentialFromKeyInfo(
+                        keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(doc)),
sigCrypto
+                    );
+            } catch (WSSecurityException ex) {
+                LOG.log(Level.FINE, "Error in getting KeyInfo from SAML Response: " + ex.getMessage(),
ex);
+                throw ex;
+            }
+        } else if (!keyInfoMustBeAvailable) {
+            samlKeyInfo = createKeyInfoFromDefaultAlias(sigCrypto);
         }
         if (samlKeyInfo == null) {
             LOG.fine("No KeyInfo supplied in the SAMLResponse signature");
@@ -288,6 +293,19 @@ public class SAMLProtocolResponseValidat
         }
     }
     
+    protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException
{
+        try {
+            X509Certificate[] certs = SecurityUtils.getCertificates(sigCrypto, 
+                                                                    sigCrypto.getDefaultX509Identifier());
+            SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(new X509Certificate[]{certs[0]});
+            samlKeyInfo.setPublicKey(certs[0].getPublicKey());
+            return samlKeyInfo;
+        } catch (Exception ex) {
+            LOG.log(Level.FINE, "Error in loading the certificates: " + ex.getMessage(),
ex);
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE,
ex);
+        }
+    }
+    
     /**
      * Validate a signature against the profiles
      */
@@ -351,12 +369,23 @@ public class SAMLProtocolResponseValidat
             try {
                 Signature sig = assertion.getSignature();
                 WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument());
-                KeyInfo keyInfo = sig.getKeyInfo();
                 
-                SAMLKeyInfo samlKeyInfo = 
-                    SAMLUtil.getCredentialFromKeyInfo(
+                SAMLKeyInfo samlKeyInfo = null;
+                
+                KeyInfo keyInfo = sig.getKeyInfo();
+                if (keyInfo != null) {
+                    samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(
                         keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo),
sigCrypto
                     );
+                } else if (!keyInfoMustBeAvailable) {
+                    samlKeyInfo = createKeyInfoFromDefaultAlias(sigCrypto);
+                }
+
+                if (samlKeyInfo == null) {
+                    LOG.fine("No KeyInfo supplied in the SAMLResponse assertion signature");
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
+                }
+                
                 assertion.verifySignature(samlKeyInfo);
                 
                 assertion.parseHOKSubject(
@@ -519,4 +548,8 @@ public class SAMLProtocolResponseValidat
         }
     }
 
+    public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
+        this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
+    }
+
 }

Modified: cxf/trunk/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java?rev=1553156&r1=1553155&r2=1553156&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
Mon Dec 23 17:30:03 2013
@@ -235,7 +235,7 @@ public class SAMLResponseValidatorTest e
         ((Merlin)issuerCrypto).setKeyStore(keyStore);
         
         response.getAssertions().add(assertion.getSaml2());
-        signResponse(response, "alice", "password", issuerCrypto);
+        signResponse(response, "alice", "password", issuerCrypto, true);
         
         Element policyElement = OpenSAMLUtil.toDom(response, doc);
         doc.appendChild(policyElement);
@@ -257,6 +257,64 @@ public class SAMLResponseValidatorTest e
             marshalledResponse, issuerCrypto, new KeystorePasswordCallback()
         );
     }
+    
+    @org.junit.Test
+    public void testSignedResponseNoKeyInfo() throws Exception {
+        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+        docBuilderFactory.setNamespaceAware(true);
+        DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+        Document doc = docBuilder.newDocument();
+        
+        Status status = 
+            SAML2PResponseComponentBuilder.createStatus(
+                SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
+            );
+        Response response = 
+            SAML2PResponseComponentBuilder.createSAMLResponse(
+                "http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
+            );
+        
+        // Create an AuthenticationAssertion
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("http://cxf.apache.org/issuer");
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
+        
+        Crypto issuerCrypto = new Merlin();
+        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        ClassLoader loader = Loader.getClassLoader(SAMLResponseValidatorTest.class);
+        InputStream input = Merlin.loadInputStream(loader, "alice.jks");
+        keyStore.load(input, "password".toCharArray());
+        ((Merlin)issuerCrypto).setKeyStore(keyStore);
+        
+        response.getAssertions().add(assertion.getSaml2());
+        signResponse(response, "alice", "password", issuerCrypto, false);
+        
+        Element policyElement = OpenSAMLUtil.toDom(response, doc);
+        doc.appendChild(policyElement);
+        assertNotNull(policyElement);
+        
+        Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(policyElement);
+        
+        // Validate the Response
+        SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
+        validator.setKeyInfoMustBeAvailable(false);
+        try {
+            validator.validateSamlResponse(marshalledResponse, null, new KeystorePasswordCallback());
+            fail("Expected failure on no Signature Crypto");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+        
+        // Validate the Response
+        validator.validateSamlResponse(
+            marshalledResponse, issuerCrypto, new KeystorePasswordCallback()
+        );
+    }
 
     
     /**
@@ -267,7 +325,8 @@ public class SAMLResponseValidatorTest e
         Response response,
         String issuerKeyName,
         String issuerKeyPassword,
-        Crypto issuerCrypto
+        Crypto issuerCrypto,
+        boolean useKeyInfo
     ) throws Exception {
         //
         // Create the signature
@@ -302,15 +361,17 @@ public class SAMLResponseValidatorTest e
 
         signature.setSigningCredential(signingCredential);
 
-        X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
-        kiFactory.setEmitEntityCertificate(true);
-        
-        try {
-            KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
-            signature.setKeyInfo(keyInfo);
-        } catch (org.opensaml.xml.security.SecurityException ex) {
-            throw new Exception(
-                    "Error generating KeyInfo from signing credential", ex);
+        if (useKeyInfo) {
+            X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
+            kiFactory.setEmitEntityCertificate(true);
+            
+            try {
+                KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
+                signature.setKeyInfo(keyInfo);
+            } catch (org.opensaml.xml.security.SecurityException ex) {
+                throw new Exception(
+                        "Error generating KeyInfo from signing credential", ex);
+            }
         }
 
         // add the signature to the assertion

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java?rev=1553156&r1=1553155&r2=1553156&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
(original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
Mon Dec 23 17:30:03 2013
@@ -26,6 +26,7 @@ import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.List;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.ws.rs.NotAuthorizedException;
@@ -47,6 +48,8 @@ import org.apache.cxf.security.SecurityC
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SAMLUtil;
@@ -74,6 +77,7 @@ public abstract class AbstractSamlInHand
     }
     
     private Validator samlValidator = new SamlAssertionValidator();
+    private boolean keyInfoMustBeAvailable = true;
     private SecurityContextProvider scProvider = new SecurityContextProviderImpl(); 
     
     public void setValidator(Validator validator) {
@@ -135,13 +139,18 @@ public abstract class AbstractSamlInHand
                     message.getContextualProperty(WSHandlerConstants.ENABLE_REVOCATION)));
                 Signature sig = assertion.getSignature();
                 WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument());
-                KeyInfo keyInfo = sig.getKeyInfo();
                 
-                SAMLKeyInfo samlKeyInfo = 
-                    SAMLUtil.getCredentialFromKeyInfo(
+                SAMLKeyInfo samlKeyInfo = null;
+                
+                KeyInfo keyInfo = sig.getKeyInfo();
+                if (keyInfo != null) {
+                    samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(
                         keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(data, docInfo), 
                         data.getSigVerCrypto()
                     );
+                } else if (!keyInfoMustBeAvailable) {
+                    samlKeyInfo = createKeyInfoFromDefaultAlias(data.getSigVerCrypto());
+                }
                 
                 assertion.verifySignature(samlKeyInfo);
                 assertion.parseHOKSubject(
@@ -166,6 +175,19 @@ public abstract class AbstractSamlInHand
         }
     }
     
+    protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException
{
+        try {
+            X509Certificate[] certs = SecurityUtils.getCertificates(sigCrypto, 
+                                                                    sigCrypto.getDefaultX509Identifier());
+            SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(new X509Certificate[]{certs[0]});
+            samlKeyInfo.setPublicKey(certs[0].getPublicKey());
+            return samlKeyInfo;
+        } catch (Exception ex) {
+            LOG.log(Level.FINE, "Error in loading the certificates: " + ex.getMessage(),
ex);
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE,
ex);
+        }
+    }
+    
     protected void checkSubjectConfirmationData(Message message, SamlAssertionWrapper assertion)
{
         Certificate[] tlsCerts = getTLSCertificates(message);
         if (!checkHolderOfKey(message, assertion, tlsCerts)) {
@@ -331,4 +353,8 @@ public abstract class AbstractSamlInHand
         return confirmMethod != null && confirmMethod.startsWith("urn:oasis:names:tc:SAML:")

                 && confirmMethod.endsWith(":cm:bearer");
     }
+
+    public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
+        this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
+    }
 }

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java?rev=1553156&r1=1553155&r2=1553156&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
(original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
Mon Dec 23 17:30:03 2013
@@ -34,6 +34,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
 import org.apache.cxf.rs.security.common.TrustValidator;
+import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.W3CDOMStreamReader;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
@@ -51,6 +52,7 @@ public class AbstractXmlSigInHandler ext
     
     private boolean removeSignature = true;
     private boolean persistSignature = true;
+    private boolean keyInfoMustBeAvailable = true;
     private SignatureProperties sigProps;
     
     public void setRemoveSignature(boolean remove) {
@@ -114,22 +116,32 @@ public class AbstractXmlSigInHandler ext
                 signedElement.setIdAttributeNS(null, "ID", true);
             }
             
+            X509Certificate cert = null;
+            PublicKey publicKey = null;
+            
+            
             // See also WSS4J SAMLUtil.getCredentialFromKeyInfo 
             KeyInfo keyInfo = signature.getKeyInfo();
             
-            X509Certificate cert = keyInfo.getX509Certificate();
-            if (cert != null) {
+            if (keyInfo != null) {
+                cert = keyInfo.getX509Certificate();
+                if (cert != null) {
+                    valid = signature.checkSignatureValue(cert);
+                } else {
+                    publicKey = keyInfo.getPublicKey();
+                    if (publicKey != null) {
+                        valid = signature.checkSignatureValue(publicKey);
+                    }
+                } 
+            } else if (!keyInfoMustBeAvailable) {
+                String user = getUserName(crypto, message);
+                cert = SecurityUtils.getCertificates(crypto, user)[0];
+                publicKey = cert.getPublicKey();
                 valid = signature.checkSignatureValue(cert);
-            } else {
-                PublicKey pk = keyInfo.getPublicKey();
-                if (pk != null) {
-                    valid = signature.checkSignatureValue(pk);
-                }
             }
             
             // validate trust 
-            new TrustValidator().validateTrust(crypto, cert, keyInfo.getPublicKey());
-            
+            new TrustValidator().validateTrust(crypto, cert, publicKey);
             if (valid && persistSignature) {
                 message.setContent(XMLSignature.class, signature);
                 message.setContent(Element.class, signedElement);
@@ -158,6 +170,16 @@ public class AbstractXmlSigInHandler ext
         
     }
     
+    protected String getUserName(Crypto crypto, Message message) {
+        SecurityContext sc = message.get(SecurityContext.class);
+        if (sc != null && sc.getUserPrincipal() != null) {
+            return sc.getUserPrincipal().getName();
+        } else {
+            return SecurityUtils.getUserName(crypto, null);
+        }
+        
+    }
+    
     private Element getActualBody(Element envelopingSigElement) {
         Element objectNode = getNode(envelopingSigElement, Constants.SignatureSpecNS, "Object",
0);
         if (objectNode == null) {
@@ -341,4 +363,8 @@ public class AbstractXmlSigInHandler ext
     public void setSignatureProperties(SignatureProperties properties) {
         this.sigProps = properties;
     }
+    
+    public void setKeyInfoMustBeAvailable(boolean use) {
+        this.keyInfoMustBeAvailable = use;
+    }
 }

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java?rev=1553156&r1=1553155&r2=1553156&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
(original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
Mon Dec 23 17:30:03 2013
@@ -65,7 +65,7 @@ public class XmlSigOutInterceptor extend
     
     private QName envelopeQName = DEFAULT_ENV_QNAME;
     private String sigStyle = ENVELOPED_SIG;
-    
+    private boolean keyInfoMustBeAvailable = true;    
     private SignatureProperties sigProps = new SignatureProperties();
     
     public XmlSigOutInterceptor() {
@@ -82,6 +82,10 @@ public class XmlSigOutInterceptor extend
         sigStyle = style;    
     }
     
+    public void setKeyInfoMustBeAvailable(boolean use) {
+        this.keyInfoMustBeAvailable = use;
+    }
+    
     public void setSignatureAlgorithm(String algo) {
         sigProps.setSignatureAlgo(algo);
     }
@@ -148,9 +152,10 @@ public class XmlSigOutInterceptor extend
             sig = prepareEnvelopedSignature(doc, id, referenceId, sigAlgo, digestAlgo);
         }
         
-        
-        sig.addKeyInfo(issuerCerts[0]);
-        sig.addKeyInfo(issuerCerts[0].getPublicKey());
+        if (this.keyInfoMustBeAvailable) {
+            sig.addKeyInfo(issuerCerts[0]);
+            sig.addKeyInfo(issuerCerts[0].getPublicKey());
+        }
         sig.sign(privateKey);
         return sig.getElement().getOwnerDocument();
     }

Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java?rev=1553156&r1=1553155&r2=1553156&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
(original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
Mon Dec 23 17:30:03 2013
@@ -116,22 +116,31 @@ public class JAXRSXmlSecTest extends Abs
     @Test
     public void testPostBookWithEnvelopedSig() throws Exception {
         String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
-        doTestSignature(address, false, false);
+        doTestSignature(address, false, false, true);
+    }
+    
+    @Test
+    public void testPostBookWithEnvelopedSigNoKeyInfo() throws Exception {
+        String address = "https://localhost:" + PORT + "/xmlsignokeyinfo/bookstore/books";
+        doTestSignature(address, false, false, false);
     }
     
     @Test
     public void testPostBookWithEnvelopingSig() throws Exception {
         String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
-        doTestSignature(address, true, false);
+        doTestSignature(address, true, false, true);
     }
     
     @Test
     public void testPostBookWithEnvelopingSigFromResponse() throws Exception {
         String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
-        doTestSignature(address, true, true);
+        doTestSignature(address, true, true, true);
     }
     
-    private void doTestSignature(String address, boolean enveloping, boolean fromResponse)
{
+    private void doTestSignature(String address, 
+                                 boolean enveloping, 
+                                 boolean fromResponse,
+                                 boolean useKeyInfo) {
         JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
         bean.setAddress(address);
         
@@ -147,14 +156,18 @@ public class JAXRSXmlSecTest extends Abs
         properties.put("ws-security.signature.properties", 
                        "org/apache/cxf/systest/jaxrs/security/alice.properties");
         bean.setProperties(properties);
-        XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
+        XmlSigOutInterceptor sigOutInterceptor = new XmlSigOutInterceptor();
         if (enveloping) {
-            sigInterceptor.setStyle(XmlSigOutInterceptor.ENVELOPING_SIG);
+            sigOutInterceptor.setStyle(XmlSigOutInterceptor.ENVELOPING_SIG);
         }
-        bean.getOutInterceptors().add(sigInterceptor);
-        bean.getInInterceptors().add(new XmlSigInInterceptor());
+        sigOutInterceptor.setKeyInfoMustBeAvailable(useKeyInfo);
+        bean.getOutInterceptors().add(sigOutInterceptor);
+        XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor();
+        sigInInterceptor.setKeyInfoMustBeAvailable(useKeyInfo);
+        bean.getInInterceptors().add(sigInInterceptor);
         
         WebClient wc = bean.createWebClient();
+        WebClient.getConfig(wc).getHttpConduit().getClient().setReceiveTimeout(10000000L);
         try {
             Book book;
             if (!fromResponse) {

Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml?rev=1553156&r1=1553155&r2=1553156&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
(original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
Mon Dec 23 17:30:03 2013
@@ -60,10 +60,16 @@ under the License.
     <bean id="xmlSigInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigInHandler">
         <property name="signatureProperties" ref="sigProps"/>
     </bean>
+    <bean id="xmlSigInHandlerNoKeyInfo" class="org.apache.cxf.rs.security.xml.XmlSigInHandler">
+        <property name="keyInfoMustBeAvailable" value="false"/>
+    </bean>
     <bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/>
     <bean id="xmlSigOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
         <property name="signatureProperties" ref="sigProps"/>
     </bean>
+    <bean id="xmlSigOutHandlerNoKeyInfo" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
+        <property name="keyInfoMustBeAvailable" value="false"/>
+    </bean>
     <bean id="xmlEncInHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/>
     <bean id="xmlEncInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncInHandler">
         <property name="encryptionProperties" ref="encProps"/>
@@ -89,6 +95,23 @@ under the License.
             <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
         </jaxrs:properties>
     </jaxrs:server>
+    
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsignokeyinfo">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="xmlSigInHandlerNoKeyInfo"/>
+        </jaxrs:providers>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandlerNoKeyInfo"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlenc">
         <jaxrs:serviceBeans>
             <ref bean="serviceBean"/>



Mime
View raw message