cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: Adding an initial JAAS LoginModule for the STS
Date Tue, 21 Oct 2014 11:38:20 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 61a5ee1a8 -> a279a14a7


Adding an initial JAAS LoginModule for the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a279a14a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a279a14a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a279a14a

Branch: refs/heads/3.0.x-fixes
Commit: a279a14a74f1dc61cd295bd025a356a911dbc659
Parents: 61a5ee1
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Oct 21 12:35:43 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Oct 21 12:38:12 2014 +0100

----------------------------------------------------------------------
 .../cxf/ws/security/trust/STSLoginModule.java   | 194 +++++++++++++++++++
 services/sts/systests/basic/pom.xml             |   7 +
 .../sts/deployment/CustomClaimsHandler.java     |   6 +-
 .../systest/sts/jaas/DoubleItPortTypeImpl.java  |  36 ++++
 .../apache/cxf/systest/sts/jaas/JAASTest.java   | 125 +++++++++++-
 .../apache/cxf/systest/sts/jaas/cxf-service.xml |  34 ++--
 .../org/apache/cxf/systest/sts/jaas/jaxrs.xml   |  26 +++
 .../systests/basic/src/test/resources/sts.jaas  |   4 +
 8 files changed, 414 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a279a14a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
new file mode 100644
index 0000000..fbf1f1e
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
@@ -0,0 +1,194 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.trust;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+
+import org.w3c.dom.Document;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.PhaseInterceptorChain;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.saml.SAMLUtils;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.validate.Credential;
+
+/**
+ * A JAAS LoginModule for authenticating a Username/Password to the STS. The 
+ * STSClient object itself must be configured separately and picked up either via 
+ * the endpoint name or else as the "default" STSClient.
+ */
+public class STSLoginModule implements LoginModule {
+    /**
+     * Whether we require roles or not from the STS. If this is not set then the 
+     * WS-Trust validate binding is used. If it is set then the issue binding is 
+     * used, where the Username + Password credentials are passed via "OnBehalfOf".
+     */
+    public static final String REQUIRE_ROLES = "require.roles";
+    
+    private static final Logger LOG = LogUtils.getL7dLogger(STSLoginModule.class);
+    
+    private Set<Principal> principals = new HashSet<Principal>();
+    private Subject subject;
+    private CallbackHandler callbackHandler;
+    private boolean requireRoles;
+    
+    @Override
+    public void initialize(Subject subj, CallbackHandler cbHandler, Map<String, ?>
sharedState,
+                           Map<String, ?> options) {
+        subject = subj;
+        callbackHandler = cbHandler;
+        if (options.containsKey(REQUIRE_ROLES)) {
+            requireRoles = Boolean.parseBoolean((String)options.get(REQUIRE_ROLES));
+        }
+    }
+
+    @Override
+    public boolean login() throws LoginException {
+        // Get username and password
+        Callback[] callbacks = new Callback[2];
+        callbacks[0] = new NameCallback("Username: ");
+        callbacks[1] = new PasswordCallback("Password: ", false);
+
+        try {
+            callbackHandler.handle(callbacks);
+        } catch (IOException ioException) {
+            throw new LoginException(ioException.getMessage());
+        } catch (UnsupportedCallbackException unsupportedCallbackException) {
+            throw new LoginException(unsupportedCallbackException.getMessage() 
+                                     + " not available to obtain information from user.");
+        }
+
+        String user = ((NameCallback) callbacks[0]).getName();
+
+        char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
+        if (tmpPassword == null) {
+            tmpPassword = new char[0];
+        }
+        String password = new String(tmpPassword);
+        
+        principals = new HashSet<Principal>();
+        
+        STSTokenValidator validator = new STSTokenValidator(true);
+        validator.setUseIssueBinding(requireRoles);
+        
+        // Authenticate token
+        try {
+            UsernameToken token = convertToToken(user, password);
+            Credential credential = new Credential();
+            credential.setUsernametoken(token);
+            
+            RequestData data = new RequestData();
+            Message message = PhaseInterceptorChain.getCurrentMessage();
+            data.setMsgContext(message);
+            credential = validator.validate(credential, data);
+
+            // Add user principal
+            principals.add(new SimplePrincipal(user));
+            
+            // Add roles if a SAML Assertion was returned from the STS
+            principals.addAll(getRoles(message, credential));
+        } catch (Exception e) {
+            LOG.log(Level.INFO, "User " + user + "authentication failed", e);
+            throw new LoginException("User " + user + " authentication failed: " + e.getMessage());
+        }
+        
+        return true;
+    }
+
+    private UsernameToken convertToToken(String username, String password) 
+        throws Exception {
+
+        Document doc = DOMUtils.createDocument();
+        UsernameToken token = new UsernameToken(false, doc, 
+                                                WSConstants.PASSWORD_TEXT);
+        token.setName(username);
+        token.setPassword(password);
+        return token;
+    }
+    
+    private Set<Principal> getRoles(Message msg, Credential credential) {
+        SamlAssertionWrapper samlAssertion = credential.getTransformedToken();
+        if (samlAssertion == null) {
+            samlAssertion = credential.getSamlAssertion();
+        }
+        if (samlAssertion != null) {
+            String roleAttributeName = 
+                (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+            if (roleAttributeName == null || roleAttributeName.length() == 0) {
+                roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
+            }
+
+            ClaimCollection claims = 
+                SAMLUtils.getClaims((SamlAssertionWrapper)samlAssertion);
+            return SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
+        }
+        
+        return Collections.emptySet();
+    }
+
+    
+    @Override
+    public boolean commit() throws LoginException {
+        if (principals.isEmpty()) {
+            return false;
+        }
+        subject.getPrincipals().addAll(principals);
+        return true;
+    }
+
+    @Override
+    public boolean abort() throws LoginException {
+        return true;
+    }
+
+    @Override
+    public boolean logout() throws LoginException {
+        subject.getPrincipals().removeAll(principals);
+        principals.clear();
+        return true;
+    }
+    
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/a279a14a/services/sts/systests/basic/pom.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/pom.xml b/services/sts/systests/basic/pom.xml
index 6b9410f..dc6d12f 100644
--- a/services/sts/systests/basic/pom.xml
+++ b/services/sts/systests/basic/pom.xml
@@ -50,6 +50,12 @@
         </dependency>
         <dependency>
             <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-client</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-rt-frontend-jaxws</artifactId>
             <version>${project.version}</version>
             <scope>test</scope>
@@ -164,6 +170,7 @@
                             <systemPropertyVariables>
                                 <sts.deployment>standalone</sts.deployment>
                                 <java.io.tmpdir>${basedir}/target/tmp</java.io.tmpdir>
+                                <java.security.auth.login.config>src/test/resources/sts.jaas</java.security.auth.login.config>
                             </systemPropertyVariables>
                         </configuration>
                     </plugin>

http://git-wip-us.apache.org/repos/asf/cxf/blob/a279a14a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
index d77b355..03abf85 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
@@ -52,7 +52,11 @@ public class CustomClaimsHandler implements ClaimsHandler {
                 claim.setIssuer("Test Issuer");
                 claim.setOriginalIssuer("Original Issuer");
                 if (ROLE.equals(requestClaim.getClaimType())) {
-                    claim.addValue("admin-user");
+                    if ("alice".equals(parameters.getPrincipal().getName())) {
+                        claim.addValue("admin-user");
+                    } else {
+                        claim.addValue("ordinary-user");
+                    }
                 } else if (GIVEN_NAME.equals(requestClaim.getClaimType())) {
                     claim.addValue(parameters.getPrincipal().getName());
                 } else if (LANGUAGE.equals(requestClaim.getClaimType())) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/a279a14a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/DoubleItPortTypeImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/DoubleItPortTypeImpl.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/DoubleItPortTypeImpl.java
new file mode 100644
index 0000000..deb0b32
--- /dev/null
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/DoubleItPortTypeImpl.java
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.jaas;
+
+import javax.jws.WebService;
+
+import org.apache.cxf.feature.Features;
+import org.example.contract.doubleit.DoubleItPortType;
+
+@WebService(targetNamespace = "http://www.example.org/contract/DoubleIt", 
+            serviceName = "DoubleItService", 
+            endpointInterface = "org.example.contract.doubleit.DoubleItPortType")
+@Features(features = "org.apache.cxf.feature.LoggingFeature")              
+public class DoubleItPortTypeImpl implements DoubleItPortType {
+    
+    public int doubleIt(int numberToDouble) {
+        return numberToDouble * 2;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/a279a14a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
index 348b5e8..c02705f 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
@@ -20,12 +20,14 @@ package org.apache.cxf.systest.sts.jaas;
 
 import java.net.URL;
 
+import javax.ws.rs.WebApplicationException;
 import javax.xml.namespace.QName;
 import javax.xml.ws.BindingProvider;
 import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
 import org.apache.cxf.systest.sts.deployment.STSServer;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
@@ -34,10 +36,12 @@ import org.example.contract.doubleit.DoubleItPortType;
 import org.junit.BeforeClass;
 
 /**
- * This tests JAAS authentication to the STS. The service has a UsernameToken policy.
- * The client sends a WS-Security UsernameToken, and it is dispatches to the STS for
- * validation via JAAS. The service also asks for a SAML Token with roles enabled in it,
- * and these roles are stored in the security context for authorization.
+ * This tests JAAS authentication to the STS. A Username + Password extracted from either
+ * a WS-Security UsernameToken for the JAX-WS service, or via HTTP/BA for a JAX-RS service,

+ * is dispatches to the STS for validation via JAAS. 
+ * 
+ * The service also asks for a SAML Token with roles enabled in it, and these roles 
+ * are stored in the security context for authorization.
  */
 public class JAASTest extends AbstractBusClientServerTestBase {
     
@@ -63,6 +67,7 @@ public class JAASTest extends AbstractBusClientServerTestBase {
                    // set this to false to fork
                    launchServer(STSServer.class, true)
         );
+        
     }
     
     @org.junit.AfterClass
@@ -72,7 +77,7 @@ public class JAASTest extends AbstractBusClientServerTestBase {
     }
 
     @org.junit.Test
-    public void testSuccessfulAuthentication() throws Exception {
+    public void testSuccessfulInvocation() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = JAASTest.class.getResource("cxf-client.xml");
@@ -95,12 +100,122 @@ public class JAASTest extends AbstractBusClientServerTestBase {
         
         doubleIt(utPort, 25);
         
+        // Note that the UsernameToken should be cached for the second invocation
+        doubleIt(utPort, 35);
+        
+        ((java.io.Closeable)utPort).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
+    public void testUnsuccessfulAuthentication() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAASTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = JAASTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItUTPort");
+        DoubleItPortType utPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(utPort, PORT);
+        
+        ((BindingProvider)utPort).getRequestContext().put(
+            SecurityConstants.USERNAME, "alice");
+        ((BindingProvider)utPort).getRequestContext().put(
+            SecurityConstants.PASSWORD, "clarinet2");
+        
+        try {
+            doubleIt(utPort, 25);
+            fail("Failure expected on an incorrect password");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)utPort).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
+    public void testUnsuccessfulAuthorization() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAASTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = JAASTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItUTPort");
+        DoubleItPortType utPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(utPort, PORT);
+        
+        ((BindingProvider)utPort).getRequestContext().put(
+            SecurityConstants.USERNAME, "bob");
+        ((BindingProvider)utPort).getRequestContext().put(
+            SecurityConstants.PASSWORD, "trombone");
+        
+        try {
+            doubleIt(utPort, 25);
+            fail("Failure expected on an incorrect role");
+        } catch (Exception ex) {
+            // expected
+        }
+        
         ((java.io.Closeable)utPort).close();
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testJAXRSSuccessfulInvocation() throws Exception {
+        doubleIt("alice", "clarinet", false);
+    }
+    
+    @org.junit.Test
+    public void testJAXRSUnsuccessfulAuthentication() throws Exception {
+        doubleIt("alice", "clarinet2", true);
+    }
+    
+    @org.junit.Test
+    public void testJAXRSUnsuccessfulAuthorization() throws Exception {
+        doubleIt("bob", "trombone", true);
+    }
+    
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);
         assertEquals(numToDouble * 2 , resp);
     }
+    
+    private static void doubleIt(String username, String password, boolean authFailureExpected)
{
+        final String configLocation = "org/apache/cxf/systest/sts/jaas/cxf-client.xml";
+        final String address = "https://localhost:" + PORT + "/doubleit/services/doubleit-rs";
+        final int numToDouble = 25;  
+       
+        WebClient client = null;
+        if (username != null && password != null) {
+            client = WebClient.create(address, username, password, configLocation);
+        } else {
+            client = WebClient.create(address, configLocation);
+        }
+        client.type("text/plain").accept("text/plain");
+        try {
+            int resp = client.post(numToDouble, Integer.class);
+            if (authFailureExpected) {
+                throw new RuntimeException("Exception expected");
+            }
+            org.junit.Assert.assertEquals(2 * numToDouble, resp);
+        } catch (WebApplicationException ex) {
+            if (!authFailureExpected) {
+                throw new RuntimeException("Unexpected exception");
+            }
+            org.junit.Assert.assertEquals(500, ex.getResponse().getStatus());
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a279a14a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml
index 1c6c864..f3373d1 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service.xml
@@ -17,13 +17,15 @@
  specific language governing permissions and limitations
  under the License.
 -->
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation="             http://cxf.apache.org/core
            http://cxf.apache.org/schemas/core.xsd             http://cxf.apache.org/configuration/security
            http://cxf.apache.org/schemas/configuration/security.xsd             http://cxf.apache.org/jaxws
            http://cxf.apache.org/schemas/jaxws.xsd             http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd             http://cxf.apache.org/transports/http-jetty/configuration
            http://cxf.apache.org/schemas/configuration/http-jetty.xsd      
        http://www.springframework.org/schema/beans             http://www.springframework.org/schema/beans/spring-beans.xsd">
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:jaxrs="http://cxf.apache.org/jaxrs" xsi:schemaLocation="
            http://cxf.apache.org/core             http://cxf.apache.org/schemas/core.xsd
            http://cxf.apache.org/configuration/security             http://cxf.apache.org/schemas/configuration/security.xsd
            http://cxf.apache.org/jaxws             http://cxf.apache.org/schemas/jaxws.xsd
      http://cxf.apache.org/jaxrs             http://cxf.apache.org/schemas/jaxrs.xsd    
 http://cxf.apache.org/transports/http/configuration             http://cxf.apache.org/schemas/configuration/http-conf.xsd
            http://cxf.ap
 ache.org/transports/http-jetty/configuration             http://cxf.apache.org/schemas/configuration/http-jetty.xsd
            http://www.springframework.org/schema/beans             http://www.springframework.org/schema/beans/spring-beans.xsd">
     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
     
    <bean id="roleClaimsCallbackHandler" 
          class="org.apache.cxf.systest.sts.jaas.ClaimsCallbackHandler" />
     
-   <bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
+   <bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient"
+        name="default.sts-client"
+        abstract="true">
         <constructor-arg ref="cxf"/>
         <property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport?wsdl"/>
         <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
@@ -37,6 +39,8 @@
         <property name="claimsCallbackHandler" ref="roleClaimsCallbackHandler"/>
         <property name="tokenType" 
                   value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+        <property name="keyType"
+                  value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer"/>
    </bean>
     
     <bean id="authorizationInterceptor" 
@@ -48,23 +52,29 @@
        </property>
     </bean>
     
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitut"
implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItUTPort"
serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleitut"
wsdlLocation="org/apache/cxf/systest/sts/jaas/DoubleIt.wsdl">
+    <bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
+        <property name="contextName" value="sts"/>
+    </bean>
+    
+    <!-- JAX-WS service -->
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitut"
implementor="org.apache.cxf.systest.sts.jaas.DoubleItPortTypeImpl" endpointName="s:DoubleItUTPort"
serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleitut"
wsdlLocation="org/apache/cxf/systest/sts/jaas/DoubleIt.wsdl">
         <jaxws:properties>
-            <entry key="ws-security.ut.validator">
-                <bean class="org.apache.cxf.ws.security.trust.STSTokenValidator">
-                    <constructor-arg value="true"/>
-                    <property name="useIssueBinding" value="true"/>
-                </bean>
-            </entry>
-            <entry key="ws-security.sts.client">
-                <ref bean="stsClient"/>
-            </entry>
+            <entry key="ws-security.validate.token" value="false"/>
         </jaxws:properties>
         <jaxws:inInterceptors>
+            <ref bean="authenticationInterceptor"/>
             <ref bean="authorizationInterceptor"/>
         </jaxws:inInterceptors>
     </jaxws:endpoint>
     
+    <!-- JAX-RS service -->
+    <jaxrs:server modelRef="classpath:org/apache/cxf/systest/sts/jaas/jaxrs.xml" depends-on="ClientAuthHttpsSettings"
address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleit-rs">
+        <jaxrs:inInterceptors>
+            <ref bean="authenticationInterceptor"/>
+            <ref bean="authorizationInterceptor"/>
+        </jaxrs:inInterceptors>
+    </jaxrs:server>
+    
     <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
         <httpj:engine port="${testutil.ports.Server}">
             <httpj:tlsServerParameters>

http://git-wip-us.apache.org/repos/asf/cxf/blob/a279a14a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/jaxrs.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/jaxrs.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/jaxrs.xml
new file mode 100644
index 0000000..be4cd6e
--- /dev/null
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/jaxrs.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<model xmlns="http://cxf.apache.org/jaxrs">
+    <resource name="org.apache.cxf.systest.sts.jaas.DoubleItPortTypeImpl" path="/">
+        <operation name="doubleIt" verb="POST" path="/" consumes="text/plain" produces="text/plain">
+            <param name="numberToDouble" type="REQUEST_BODY"/>
+        </operation>
+    </resource>
+</model>

http://git-wip-us.apache.org/repos/asf/cxf/blob/a279a14a/services/sts/systests/basic/src/test/resources/sts.jaas
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/sts.jaas b/services/sts/systests/basic/src/test/resources/sts.jaas
new file mode 100644
index 0000000..f1e6c19
--- /dev/null
+++ b/services/sts/systests/basic/src/test/resources/sts.jaas
@@ -0,0 +1,4 @@
+
+sts {
+    org.apache.cxf.ws.security.trust.STSLoginModule required require.roles="true";
+};


Mime
View raw message