cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1557188 - in /cxf/trunk: rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/ systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/
Date Fri, 10 Jan 2014 16:48:06 GMT
Author: coheigea
Date: Fri Jan 10 16:48:05 2014
New Revision: 1557188

URL: http://svn.apache.org/r1557188
Log:
Added a streaming XML Security in-interceptor for JAX-RS endpoints + tests

Added:
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
Modified:
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java?rev=1557188&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
Fri Jan 10 16:48:05 2014
@@ -0,0 +1,352 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.xml;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.Key;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Logger;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.ws.rs.BadRequestException;
+import javax.ws.rs.core.Response;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.StaxInInterceptor;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.phase.PhaseInterceptor;
+import org.apache.cxf.rs.security.common.CryptoLoader;
+import org.apache.cxf.rs.security.common.SecurityUtils;
+import org.apache.cxf.rs.security.common.TrustValidator;
+import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.InboundXMLSec;
+import org.apache.xml.security.stax.ext.XMLSec;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.XMLSecurityProperties;
+import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
+import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
+import org.apache.xml.security.stax.securityToken.SecurityToken;
+
+/**
+ * A new StAX-based interceptor for processing messages with XML Signature + Encryption content.
+ */
+public class XmlSecInInterceptor implements PhaseInterceptor<Message> {
+    
+    private static final Logger LOG = LogUtils.getL7dLogger(XmlSecInInterceptor.class);
+    
+    private Set<String> before = new HashSet<String>();
+    private Set<String> after = new HashSet<String>();
+    private EncryptionProperties encryptionProperties;
+    private SignatureProperties sigProps;
+    private String phase;
+    private String decryptionAlias;
+    private String signatureVerificationAlias;
+
+    public XmlSecInInterceptor() {
+        setPhase(Phase.POST_STREAM);
+        getAfter().add(StaxInInterceptor.class.getName());
+    }
+    
+    public void handleFault(Message message) {
+    }
+
+    public void handleMessage(Message message) throws Fault {
+        String method = (String)message.get(Message.HTTP_REQUEST_METHOD);
+        if ("GET".equals(method)) {
+            return;
+        }
+        
+        Message outMs = message.getExchange().getOutMessage();
+        Message inMsg = outMs == null ? message : outMs.getExchange().getInMessage();
+        
+        XMLStreamReader originalXmlStreamReader = inMsg.getContent(XMLStreamReader.class);
+        if (originalXmlStreamReader == null) {
+            InputStream is = inMsg.getContent(InputStream.class);
+            if (is != null) {
+                originalXmlStreamReader = StaxUtils.createXMLStreamReader(is);
+            }
+        }
+        
+        try {
+            XMLSecurityProperties properties = new XMLSecurityProperties();
+            configureDecryptionKeys(inMsg, properties);
+            Crypto signatureCrypto = getSignatureCrypto(inMsg);
+            configureSignatureKeys(signatureCrypto, inMsg, properties);
+            
+            SecurityEventListener securityEventListener = 
+                configureSecurityEventListener(signatureCrypto, inMsg, properties);
+            InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
+            
+            XMLStreamReader newXmlStreamReader = 
+                inboundXMLSec.processInMessage(originalXmlStreamReader, null, securityEventListener);
+            inMsg.setContent(XMLStreamReader.class, newXmlStreamReader);
+
+        } catch (XMLStreamException e) {
+            throwFault(e.getMessage(), e);
+        } catch (XMLSecurityException e) {
+            throwFault(e.getMessage(), e);
+        } catch (IOException e) {
+            throwFault(e.getMessage(), e);
+        } catch (UnsupportedCallbackException e) {
+            throwFault(e.getMessage(), e);
+        }
+    }
+    
+    private void configureDecryptionKeys(Message message, XMLSecurityProperties properties)

+        throws IOException, 
+        UnsupportedCallbackException, WSSecurityException {
+        String cryptoKey = null; 
+        String propKey = null;
+        if (SecurityUtils.isSignedAndEncryptedTwoWay(message)) {
+            cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
+            propKey = SecurityConstants.SIGNATURE_PROPERTIES;
+        } else {
+            cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
+            propKey = SecurityConstants.ENCRYPT_PROPERTIES;
+        }
+        
+        Crypto crypto = null;
+        try {
+            crypto = new CryptoLoader().getCrypto(message, cryptoKey, propKey);
+        } catch (Exception ex) {
+            throwFault("Crypto can not be loaded", ex);
+        }
+        
+        if (crypto != null && decryptionAlias != null) {
+            CallbackHandler callback = SecurityUtils.getCallbackHandler(message, this.getClass());
+            WSPasswordCallback passwordCallback = 
+                new WSPasswordCallback(decryptionAlias, WSPasswordCallback.DECRYPT);
+            callback.handle(new Callback[] {passwordCallback});
+
+            Key privateKey = crypto.getPrivateKey(decryptionAlias, passwordCallback.getPassword());
+            properties.setDecryptionKey(privateKey);
+        }
+    }
+    
+    private Crypto getSignatureCrypto(Message message) {
+        String cryptoKey = null; 
+        String propKey = null;
+        if (SecurityUtils.isSignedAndEncryptedTwoWay(message)) {
+            cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
+            propKey = SecurityConstants.ENCRYPT_PROPERTIES;
+        } else {
+            cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
+            propKey = SecurityConstants.SIGNATURE_PROPERTIES;    
+        }
+        
+        try {
+            return new CryptoLoader().getCrypto(message, cryptoKey, propKey);
+        } catch (Exception ex) {
+            throwFault("Crypto can not be loaded", ex);
+            return null;
+        }
+    }
+    
+    private void configureSignatureKeys(
+        Crypto sigCrypto, Message message, XMLSecurityProperties properties
+    ) throws IOException, 
+        UnsupportedCallbackException, WSSecurityException {
+        
+        if (sigCrypto != null && signatureVerificationAlias != null) {
+            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+            cryptoType.setAlias(signatureVerificationAlias);
+            X509Certificate[] certs = sigCrypto.getX509Certificates(cryptoType);
+            if (certs != null && certs.length > 0) {
+                properties.setSignatureVerificationKey(certs[0].getPublicKey());
+            }
+        }
+    }
+    
+    protected SecurityEventListener configureSecurityEventListener(
+        final Crypto sigCrypto, Message msg, XMLSecurityProperties securityProperties
+    ) {
+        final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>();
+        SecurityEventListener securityEventListener = new SecurityEventListener() {
+            @Override
+            public void registerSecurityEvent(SecurityEvent securityEvent) throws XMLSecurityException
{
+                if (securityEvent.getSecurityEventType() == SecurityEventConstants.AlgorithmSuite)
{
+                    if (encryptionProperties != null) {
+                        checkEncryptionAlgorithms((AlgorithmSuiteSecurityEvent)securityEvent);
+                    }
+                    if (sigProps != null) {
+                        checkSignatureAlgorithms((AlgorithmSuiteSecurityEvent)securityEvent);
+                    }
+                } else if (securityEvent.getSecurityEventType() != SecurityEventConstants.EncryptedKeyToken
+                    && securityEvent instanceof TokenSecurityEvent<?>) {
+                    checkSignatureTrust(sigCrypto, (TokenSecurityEvent<?>)securityEvent);
+                }
+                incomingSecurityEventList.add(securityEvent);
+            }
+        };
+        msg.getExchange().put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList);
+        msg.put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList);
+
+        return securityEventListener;
+    }
+    
+    private void checkEncryptionAlgorithms(AlgorithmSuiteSecurityEvent event) 
+        throws XMLSecurityException {
+        if (XMLSecurityConstants.Enc.equals(event.getAlgorithmUsage())
+            && encryptionProperties.getEncryptionSymmetricKeyAlgo() != null
+            && !encryptionProperties.getEncryptionSymmetricKeyAlgo().equals(event.getAlgorithmURI()))
{
+            throw new XMLSecurityException("empty", "The symmetric encryption algorithm "
+                                           + event.getAlgorithmURI() + " is not allowed");
+        } else if ((XMLSecurityConstants.Sym_Key_Wrap.equals(event.getAlgorithmUsage())
+            || XMLSecurityConstants.Asym_Key_Wrap.equals(event.getAlgorithmUsage()))
+            && encryptionProperties.getEncryptionKeyTransportAlgo() != null
+            && !encryptionProperties.getEncryptionKeyTransportAlgo().equals(event.getAlgorithmURI()))
{
+            throw new XMLSecurityException("empty", "The key transport algorithm "
+                + event.getAlgorithmURI() + " is not allowed");
+        } else if (XMLSecurityConstants.Dig.equals(event.getAlgorithmUsage())
+            && encryptionProperties.getEncryptionDigestAlgo() != null
+            && !encryptionProperties.getEncryptionDigestAlgo().equals(event.getAlgorithmURI()))
{
+            throw new XMLSecurityException("empty", "The encryption digest algorithm "
+                + event.getAlgorithmURI() + " is not allowed");
+        }
+    }
+    
+    private void checkSignatureAlgorithms(AlgorithmSuiteSecurityEvent event) 
+        throws XMLSecurityException {
+        if (XMLSecurityConstants.Asym_Sig.equals(event.getAlgorithmUsage())
+            || XMLSecurityConstants.Sym_Sig.equals(event.getAlgorithmUsage())
+            && sigProps.getSignatureAlgo() != null
+            && !sigProps.getSignatureAlgo().equals(event.getAlgorithmURI())) {
+            throw new XMLSecurityException("empty", "The signature algorithm "
+                                           + event.getAlgorithmURI() + " is not allowed");
+        } else if (XMLSecurityConstants.Dig.equals(event.getAlgorithmUsage())
+            && sigProps.getSignatureDigestAlgo() != null
+            && !sigProps.getSignatureDigestAlgo().equals(event.getAlgorithmURI()))
{
+            throw new XMLSecurityException("empty", "The signature digest algorithm "
+                + event.getAlgorithmURI() + " is not allowed");
+        } /*else if (XMLSecurityConstants.C14n.equals(event.getAlgorithmUsage())
+            && sigProps.getSignatureC14Method() != null
+            && !sigProps.getSignatureC14Method().equals(event.getAlgorithmURI()))
{
+            throw new XMLSecurityException("empty", "The signature c14n algorithm "
+                + event.getAlgorithmURI() + " is not allowed");
+        }*/
+        // TODO Signature Digest Transform checking
+    }
+    
+    private void checkSignatureTrust(
+        Crypto sigCrypto, TokenSecurityEvent<?> event
+    ) throws XMLSecurityException {
+        SecurityToken token = event.getSecurityToken();
+        if (token != null) {
+            X509Certificate[] certs = token.getX509Certificates();
+            PublicKey publicKey = token.getPublicKey();
+            X509Certificate cert = null;
+            if (certs != null && certs.length > 0) {
+                cert = certs[0];
+            }
+            
+            // validate trust 
+            try {
+                new TrustValidator().validateTrust(sigCrypto, cert, publicKey);
+            } catch (WSSecurityException e) {
+                throw new XMLSecurityException("empty", "Error during Signature Trust "
+                                               + "validation: " + e.getMessage());
+            }
+        }
+    }
+    
+    protected void throwFault(String error, Exception ex) {
+        LOG.warning(error);
+        Response response = Response.status(400).entity(error).build();
+        throw ex != null ? new BadRequestException(response, ex) : new BadRequestException(response);
+    }
+
+    public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors()
{
+        return null;
+    }
+
+    public Set<String> getAfter() {
+        return after;
+    }
+
+    public void setAfter(Set<String> after) {
+        this.after = after;
+    }
+
+    public Set<String> getBefore() {
+        return before;
+    }
+
+    public void setBefore(Set<String> before) {
+        this.before = before;
+    }
+
+    public String getId() {
+        return getClass().getName();
+    }
+
+    public String getPhase() {
+        return phase;
+    }
+
+    public void setPhase(String phase) {
+        this.phase = phase;
+    }
+
+    public void setEncryptionProperties(EncryptionProperties properties) {
+        this.encryptionProperties = properties;
+    }
+    
+    public void setSignatureProperties(SignatureProperties properties) {
+        this.sigProps = properties;
+    }
+
+    public String getDecryptionAlias() {
+        return decryptionAlias;
+    }
+
+    public void setDecryptionAlias(String decryptionAlias) {
+        this.decryptionAlias = decryptionAlias;
+    }
+
+    public String getSignatureVerificationAlias() {
+        return signatureVerificationAlias;
+    }
+
+    public void setSignatureVerificationAlias(String signatureVerificationAlias) {
+        this.signatureVerificationAlias = signatureVerificationAlias;
+    }
+    
+}

Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java?rev=1557188&r1=1557187&r2=1557188&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
(original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
Fri Jan 10 16:48:05 2014
@@ -20,6 +20,8 @@
 package org.apache.cxf.systest.jaxrs.security.xml;
 
 import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -40,34 +42,57 @@ import org.apache.cxf.systest.jaxrs.secu
 import org.apache.cxf.systest.jaxrs.security.BookStore;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.xml.security.encryption.XMLCipher;
-
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized.Parameters;
 
+@RunWith(value = org.junit.runners.Parameterized.class)
 public class JAXRSXmlSecTest extends AbstractBusClientServerTestBase {
     public static final String PORT = BookServerXmlSec.PORT;
+    public static final String STAX_PORT = StaxBookServerXmlSec.PORT;
+    
+    final TestParam test;
+    
+    public JAXRSXmlSecTest(TestParam type) {
+        this.test = type;
+    }
 
     @BeforeClass
     public static void startServers() throws Exception {
         assertTrue("server did not launch correctly", 
                    launchServer(BookServerXmlSec.class, true));
+        assertTrue("server did not launch correctly", 
+                   launchServer(StaxBookServerXmlSec.class, true));
+    }
+    
+    @Parameters(name = "{0}")
+    public static Collection<TestParam[]> data() {
+       
+        return Arrays.asList(new TestParam[][] {{new TestParam(PORT, false)},
+                                                {new TestParam(STAX_PORT, false)},
+        });
     }
     
     @Test
     public void testPostBookWithEnvelopedSigAndProxy() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsig";
+        String address = "https://localhost:" + test.port + "/xmlsig";
         doTestSignatureProxy(address, false, null);
     }
     
     @Test
     public void testPostBookWithEnvelopedSigAndProxy2() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsig";
+        String address = "https://localhost:" + test.port + "/xmlsig";
         doTestSignatureProxy(address, false, "");
     }
     
     @Test
     public void testPostBookEnvelopingSigAndProxy() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsig";
+        if (STAX_PORT.equals(test.port)) {
+            // TODO Supporting Enveloping
+            return;
+        }
+        String address = "https://localhost:" + test.port + "/xmlsig";
         doTestSignatureProxy(address, true, "file:");
     }
     
@@ -115,25 +140,33 @@ public class JAXRSXmlSecTest extends Abs
     
     @Test
     public void testPostBookWithEnvelopedSig() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
+        String address = "https://localhost:" + test.port + "/xmlsig/bookstore/books";
         doTestSignature(address, false, false, true);
     }
     
     @Test
     public void testPostBookWithEnvelopedSigNoKeyInfo() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsignokeyinfo/bookstore/books";
+        String address = "https://localhost:" + test.port + "/xmlsignokeyinfo/bookstore/books";
         doTestSignature(address, false, false, false);
     }
     
     @Test
     public void testPostBookWithEnvelopingSig() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
+        if (STAX_PORT.equals(test.port)) {
+            // TODO Supporting Enveloping
+            return;
+        }
+        String address = "https://localhost:" + test.port + "/xmlsig/bookstore/books";
         doTestSignature(address, true, false, true);
     }
     
     @Test
     public void testPostBookWithEnvelopingSigFromResponse() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsig/bookstore/books";
+        if (STAX_PORT.equals(test.port)) {
+            // TODO Supporting Enveloping
+            return;
+        }
+        String address = "https://localhost:" + test.port + "/xmlsig/bookstore/books";
         doTestSignature(address, true, true, true);
     }
     
@@ -189,7 +222,7 @@ public class JAXRSXmlSecTest extends Abs
     
     @Test
     public void testPostEncryptedBook() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlenc/bookstore/books";
+        String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
         Map<String, Object> properties = new HashMap<String, Object>();
         properties.put("ws-security.callback-handler", 
                        "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -213,7 +246,7 @@ public class JAXRSXmlSecTest extends Abs
             return;
         }
         
-        String address = "https://localhost:" + PORT + "/xmlenc/bookstore/books";
+        String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
         Map<String, Object> properties = new HashMap<String, Object>();
         properties.put("ws-security.callback-handler", 
                        "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -226,7 +259,7 @@ public class JAXRSXmlSecTest extends Abs
     
     @Test
     public void testPostEncryptedBookSHA256() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlenc/bookstore/books";
+        String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
         Map<String, Object> properties = new HashMap<String, Object>();
         properties.put("ws-security.callback-handler", 
                        "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -240,7 +273,7 @@ public class JAXRSXmlSecTest extends Abs
     
     @Test
     public void testPostEncryptedBookIssuerSerial() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlenc/bookstore/books";
+        String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
         Map<String, Object> properties = new HashMap<String, Object>();
         properties.put("ws-security.callback-handler", 
                        "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -254,7 +287,7 @@ public class JAXRSXmlSecTest extends Abs
     
     @Test
     public void testPostEncryptedSignedBook() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsec-validate/bookstore/books";
+        String address = "https://localhost:" + test.port + "/xmlsec-validate/bookstore/books";
         Map<String, Object> properties = new HashMap<String, Object>();
         properties.put("ws-security.callback-handler", 
                        "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -270,7 +303,7 @@ public class JAXRSXmlSecTest extends Abs
     
     @Test
     public void testPostEncryptedSignedBookInvalid() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsec-validate/bookstore/books";
+        String address = "https://localhost:" + test.port + "/xmlsec-validate/bookstore/books";
         Map<String, Object> properties = new HashMap<String, Object>();
         properties.put("ws-security.callback-handler", 
                        "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -291,7 +324,11 @@ public class JAXRSXmlSecTest extends Abs
     
     @Test
     public void testPostEncryptedSignedBookUseReqSigCert() throws Exception {
-        String address = "https://localhost:" + PORT + "/xmlsec-useReqSigCert/bookstore/books";
+        if (STAX_PORT.equals(test.port)) {
+            // TODO Supporting UseReqSigCert
+            return;
+        }
+        String address = "https://localhost:" + test.port + "/xmlsec-useReqSigCert/bookstore/books";
         Map<String, Object> properties = new HashMap<String, Object>();
         properties.put("ws-security.callback-handler", 
                        "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
@@ -362,5 +399,19 @@ public class JAXRSXmlSecTest extends Abs
         
     }
     
+    private static final class TestParam {
+        final String port;
+        final boolean streaming;
+        
+        public TestParam(String p, boolean b) {
+            port = p;
+            streaming = b;
+        }
+        
+        public String toString() {
+            return port + ":" + (streaming ? "streaming" : "dom");
+        }
+        
+    }
     
 }

Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java?rev=1557188&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java
(added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/StaxBookServerXmlSec.java
Fri Jan 10 16:48:05 2014
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.xml;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+import org.apache.cxf.testutil.common.TestUtil;
+    
+public class StaxBookServerXmlSec extends AbstractBusTestServerBase {
+    public static final String PORT = TestUtil.getPortNumber("jaxrs-xmlsec-stax");
+    private static final String SERVER_CONFIG_FILE =
+        "org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml";
+    
+    protected void run() {
+        SpringBusFactory bf = new SpringBusFactory();
+        Bus springBus = bf.createBus(SERVER_CONFIG_FILE);
+        BusFactory.setDefaultBus(springBus);
+        setBus(springBus);
+        
+        try {
+            new StaxBookServerXmlSec();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static void main(String[] args) {
+        try {
+            StaxBookServerXmlSec s = new StaxBookServerXmlSec();
+            s.start();
+        } catch (Exception ex) {
+            ex.printStackTrace();
+            System.exit(-1);
+        } finally {
+            System.out.println("done!");
+        }
+    }
+}

Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml?rev=1557188&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
(added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
Fri Jan 10 16:48:05 2014
@@ -0,0 +1,181 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core"
xmlns:jaxrs="http://cxf.apache.org/jaxrs" xsi:schemaLocation="         http://cxf.apache.org/jaxrs
http://cxf.apache.org/schemas/jaxrs.xsd         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
        http://www.springframework.org/schema/beans                 http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/transports/http/configuration         http://cxf.apache.org/schemas/configuration/http-conf.xsd
        http://cxf.apache.org/transports/http-jetty/configuration   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
        http://cxf.apache.org/configuration/security    
             http://cxf.apache.org/schemas/configuration/security.xsd         ">
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    <cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    <httpj:engine-factory id="port-9095-tls-config">
+        <httpj:engine port="${testutil.ports.jaxrs-xmlsec-stax}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+                </sec:trustManagers>
+                <sec:cipherSuitesFilter>
+                    <sec:include>.*_EXPORT_.*</sec:include>
+                    <sec:include>.*_EXPORT1024_.*</sec:include>
+                    <sec:include>.*_WITH_DES_.*</sec:include>
+                    <sec:include>.*_WITH_AES_.*</sec:include>
+                    <sec:include>.*_WITH_NULL_.*</sec:include>
+                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
+                </sec:cipherSuitesFilter>
+                <sec:clientAuthentication want="true" required="true"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    <bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
+    <bean id="sigProps" class="org.apache.cxf.rs.security.xml.SignatureProperties">
+        <property name="signatureAlgo" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+        <property name="signatureDigestAlgo" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <property name="signatureC14Method" value="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+        <property name="signatureC14Transform" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    </bean>
+    <bean id="encProps" class="org.apache.cxf.rs.security.xml.EncryptionProperties">
+        <property name="encryptionKeyTransportAlgo" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+        <property name="encryptionSymmetricKeyAlgo" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+    </bean>
+    <bean id="xmlSecInHandler" class="org.apache.cxf.rs.security.xml.XmlSecInInterceptor">
+        <property name="decryptionAlias" value="bob" />
+        <property name="signatureVerificationAlias" value="alice" />
+    </bean>
+    <bean id="xmlSecInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSecInInterceptor">
+        <property name="signatureProperties" ref="sigProps"/>
+        <property name="encryptionProperties" ref="encProps"/>
+        <property name="decryptionAlias" value="bob" />
+        <property name="signatureVerificationAlias" value="alice" />
+    </bean>
+    <bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/>
+    <bean id="xmlSigOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
+        <property name="signatureProperties" ref="sigProps"/>
+    </bean>
+    <bean id="xmlSigOutHandlerNoKeyInfo" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
+    </bean>
+    <bean id="xmlEncOutHandler" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
+        <property name="symmetricEncAlgorithm" value="aes128-cbc"/>
+    </bean>
+    <bean id="xmlEncOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
+        <property name="encryptionProperties" ref="encProps"/>
+    </bean>
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsig">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:inInterceptors>
+            <ref bean="xmlSecInHandler"/>
+        </jaxrs:inInterceptors>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandler"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsignokeyinfo">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:inInterceptors>
+            <ref bean="xmlSecInHandler"/>
+        </jaxrs:inInterceptors>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandlerNoKeyInfo"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlenc">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:inInterceptors>
+            <ref bean="xmlSecInHandler"/>
+        </jaxrs:inInterceptors>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlEncOutHandler"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsec">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:inInterceptors>
+            <ref bean="xmlSecInHandler"/>
+        </jaxrs:inInterceptors>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandler"/>
+            <ref bean="xmlEncOutHandler"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+            <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsec-validate">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:inInterceptors>
+            <ref bean="xmlSecInHandlerWithProps"/>
+        </jaxrs:inInterceptors>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandlerWithProps"/>
+            <ref bean="xmlEncOutHandlerWithProps"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+            <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsec-useReqSigCert">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:inInterceptors>
+            <ref bean="xmlSecInHandler"/>
+        </jaxrs:inInterceptors>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandler"/>
+            <ref bean="xmlEncOutHandler"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+            <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+
+</beans>



Mime
View raw message