From cohei...@apache.org
Subject cxf git commit: Add the ability to specify a spring configuration file for the STS Login Module
Date Tue, 06 Jan 2015 17:20:00 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes e42c37315 -> 6d6eca000


Add the ability to specify a spring configuration file for the STS Login Module


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6d6eca00
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6d6eca00
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6d6eca00

Branch: refs/heads/3.0.x-fixes
Commit: 6d6eca000515975fc34f385a0d37630ae52d43ba
Parents: e42c373
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Jan 6 17:18:32 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Jan 6 17:19:51 2015 +0000

----------------------------------------------------------------------
 .../cxf/ws/security/trust/STSLoginModule.java   | 24 ++++++-
 .../apache/cxf/systest/sts/jaas/JAASTest.java   | 44 +++++++++++++
 .../apache/cxf/systest/sts/jaas/Server2.java    | 46 +++++++++++++
 .../cxf/systest/sts/jaas/cxf-service2.xml       | 69 ++++++++++++++++++++
 .../cxf/systest/sts/jaas/cxf-sts-client.xml     | 32 +++++++++
 .../systests/basic/src/test/resources/sts.jaas  | 11 ++++
 6 files changed, 225 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/6d6eca00/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
index 029c11b..e6bb31d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
@@ -40,10 +40,12 @@ import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 
+
 import org.w3c.dom.Document;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusException;
 import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
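Review bot: The blank line added at the top of this hunk leaves two consecutive empty lines between the `javax.security` imports and `org.w3c.dom.Document`, where the file previously had one; it is unrelated to the change and should be dropped. The `SpringBusFactory` import below it is the only line this hunk needs.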
@@ -60,6 +62,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
 import org.apache.cxf.ws.security.trust.claims.RoleClaimsCallbackHandler;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.util.Loader;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.message.token.UsernameToken;
@@ -127,6 +130,13 @@ public class STSLoginModule implements LoginModule {
      */
     public static final String WS_TRUST_NAMESPACE = "ws.trust.namespace";
     
+    /**
+     * The location of a Spring configuration file that can be used to configure the
+     * STS client (for example, to configure the TrustStore if TLS is used). This is
+     * designed to be used if the service that is being secured is not CXF-based.
+     */
+    public static final String CXF_SPRING_CFG = "cxf.spring.config";
+    
     private static final Logger LOG = LogUtils.getL7dLogger(STSLoginModule.class);
     private static final String TOKEN_STORE_KEY = "sts.login.module.tokenstore";
     
@@ -139,6 +149,7 @@ public class STSLoginModule implements LoginModule {
     private String wsdlLocation;
     private String serviceName;
     private String endpointName;
+    private String cxfSpringCfg;
     private int keySize;
     private String keyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
     private String tokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
@@ -177,6 +188,9 @@ public class STSLoginModule implements LoginModule {
         if (options.containsKey(WS_TRUST_NAMESPACE)) {
             namespace = (String)options.get(WS_TRUST_NAMESPACE);
         }
+        if (options.containsKey(CXF_SPRING_CFG)) {
+            cxfSpringCfg = (String)options.get(CXF_SPRING_CFG);
+        }
         
         stsClientProperties.clear();
         for (String s : SecurityConstants.ALL_PROPERTIES) {
@@ -253,7 +267,15 @@ public class STSLoginModule implements LoginModule {
     
     private STSClient configureSTSClient(Message msg) throws BusException, EndpointException
{
         STSClient c = null;
-        if (msg == null) {
+        if (cxfSpringCfg != null) {
+            SpringBusFactory bf = new SpringBusFactory();
+            URL busFile = Loader.getResource(cxfSpringCfg);
+
+            Bus bus = bf.createBus(busFile.toString());
+            SpringBusFactory.setDefaultBus(bus);
+            SpringBusFactory.setThreadDefaultBus(bus);
+            c = new STSClient(bus);
+        } else if (msg == null) {
             Bus bus = BusFactory.getDefaultBus(true);
             c = new STSClient(bus);
         } else {
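Review bot: `Loader.getResource(cxfSpringCfg)` on the fourth added line returns null when the resource is not on the classpath, and `busFile.toString()` then fails with a NullPointerException that never names the misconfigured option; add `if (busFile == null) { throw new IllegalArgumentException("Cannot find Spring configuration resource: " + cxfSpringCfg); }` before `createBus`. Separately, every call to this method with `cxfSpringCfg` set builds a new `SpringBusFactory` bus, installs it as both the default and the thread-default bus, and never shuts it down; if `configureSTSClient` runs on each login (its caller is outside the hunk), that leaks a bus per login and silently replaces the default bus for any other CXF code in the same JVM. Consider creating the bus once and caching it in the module, passing it only to `new STSClient(bus)` rather than registering it globally, and shutting it down when the module is no longer used. The body of `configureSTSClient` continues past the end of the hunk.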

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d6eca00/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
index cdc2043..4073f4b 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/JAASTest.java
@@ -52,6 +52,7 @@ public class JAASTest extends AbstractBusClientServerTestBase {
     private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
 
     private static final String PORT = allocatePort(Server.class);
+    private static final String PORT2 = allocatePort(Server2.class);
     
     @BeforeClass
     public static void startServers() throws Exception {
@@ -65,6 +66,12 @@ public class JAASTest extends AbstractBusClientServerTestBase {
                    "Server failed to launch",
                    // run the server in the same process
                    // set this to false to fork
+                   launchServer(Server2.class, true)
+        );
+        assertTrue(
+                   "Server failed to launch",
+                   // run the server in the same process
+                   // set this to false to fork
                    launchServer(STSServer.class, true)
         );
         
@@ -301,6 +308,37 @@ public class JAASTest extends AbstractBusClientServerTestBase {
         bus.shutdown(true);
     }
     
+    // Here the service config has no TLS settings for the call to the STS...it's configured
+    // separately via the JAAS configuration
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testSuccessfulInvocationConfig() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAASTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = JAASTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItUTPort");
+        DoubleItPortType utPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(utPort, PORT2);
+        
+        ((BindingProvider)utPort).getRequestContext().put(
+            SecurityConstants.USERNAME, "alice");
+        ((BindingProvider)utPort).getRequestContext().put(
+            SecurityConstants.PASSWORD, "clarinet");
+        
+        doubleIt(utPort, 25);
+        
+        ((java.io.Closeable)utPort).close();
+        bus.shutdown(true);
+    }
+    
     @org.junit.Test
     public void testJAXRSSuccessfulInvocation() throws Exception {
         final String address = "https://localhost:" + PORT + "/doubleit/services/doubleit-rs";
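Review bot: `testSuccessfulInvocationConfig` is annotated `@org.junit.Ignore` with no reason, so a reader cannot tell whether the JAX-WS path of the new `cxf.spring.config` option is known to be broken or simply not wired up yet, especially since the JAX-RS counterpart added in the next hunk does run; give the annotation a message, `@org.junit.Ignore("<reason the JAX-WS case is disabled>")`. The `close()` and `bus.shutdown(true)` calls at the end are skipped if `doubleIt` throws, leaving the test bus installed as the default for later tests; this appears to mirror the existing tests in the file, but a `try`/`finally` around the invocation would keep a failure here from cascading.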
@@ -337,6 +375,12 @@ public class JAASTest extends AbstractBusClientServerTestBase {
         doubleIt("bob", "trombone", address, true);
     }
     
+    @org.junit.Test
+    public void testJAXRSSuccessfulInvocationConfig() throws Exception {
+        final String address = "https://localhost:" + PORT2 + "/doubleit/services/doubleit-rs";
+        doubleIt("alice", "clarinet", address, false);
+    }
+    
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);
         assertEquals(numToDouble * 2 , resp);

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d6eca00/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/Server2.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/Server2.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/Server2.java
new file mode 100644
index 0000000..910ddb05
--- /dev/null
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/jaas/Server2.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.jaas;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server2 extends AbstractBusTestServerBase {
+
+    public Server2() {
+
+    }
+
+    protected void run()  {
+        URL busFile = Server2.class.getResource("cxf-service2.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new Server2();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
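Review bot: The `try { new Server2(); } catch (Exception e) { e.printStackTrace(); }` block at the end of `run()` constructs a second `Server2` whose constructor is empty, so it does nothing except print and swallow any exception; it looks like residue from a `main` method and should be deleted. `run()` overrides the base-class method but carries no `@Override`; add it so a signature drift fails at compile time rather than silently producing a server that never starts. `Server2.class.getResource("cxf-service2.xml")` can return null, and a guard such as `if (busFile == null) { throw new IllegalStateException("cxf-service2.xml not found on classpath"); }` turns a missing test resource into a clear failure instead of an NPE inside `createBus`.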

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d6eca00/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service2.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service2.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service2.xml
new file mode 100644
index 0000000..d879635
--- /dev/null
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-service2.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:jaxrs="http://cxf.apache.org/jaxrs" xsi:schemaLocation="
            http://cxf.apache.org/core             http://cxf.apache.org/schemas/core.xsd
            http://cxf.apache.org/configuration/security             http://cxf.apache.org/schemas/configuration/security.xsd
            http://cxf.apache.org/jaxws             http://cxf.apache.org/schemas/jaxws.xsd
      http://cxf.apache.org/jaxrs             http://cxf.apache.org/schemas/jaxrs.xsd    
 http://cxf.apache.org/transports/http/configuration             http://cxf.apache.org/schemas/configuration/http-conf.xsd
            http://cxf.ap
 ache.org/transports/http-jetty/configuration             http://cxf.apache.org/schemas/configuration/http-jetty.xsd
            http://www.springframework.org/schema/beans             http://www.springframework.org/schema/beans/spring-beans.xsd">
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    
+    <!-- JAX-WS service -->
+    <bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
+        <property name="contextName" value="sts_standalone_config"/>
+    </bean>
+    
+    <bean id="authorizationInterceptor" 
+         class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
+       <property name="methodRolesMap">
+           <map>
+               <entry key="doubleIt" value="admin-user"/>
+           </map>
+       </property>
+    </bean>
+    
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitut"
implementor="org.apache.cxf.systest.sts.jaas.DoubleItPortTypeImpl" endpointName="s:DoubleItUTPort"
serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server2}/doubleit/services/doubleitut"
wsdlLocation="org/apache/cxf/systest/sts/jaas/DoubleIt.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.validate.token" value="false"/>
+        </jaxws:properties>
+        <jaxws:inInterceptors>
+            <ref bean="authenticationInterceptor"/>
+            <ref bean="authorizationInterceptor"/>
+        </jaxws:inInterceptors>
+    </jaxws:endpoint>
+    
+    <!-- JAX-RS service -->
+    <jaxrs:server modelRef="classpath:org/apache/cxf/systest/sts/jaas/jaxrs.xml" depends-on="ClientAuthHttpsSettings"
address="https://localhost:${testutil.ports.Server2}/doubleit/services/doubleit-rs">
+        <jaxrs:inInterceptors>
+            <ref bean="authenticationInterceptor"/>
+            <ref bean="authorizationInterceptor"/>
+        </jaxrs:inInterceptors>
+    </jaxrs:server>
+    
+    <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
+        <httpj:engine port="${testutil.ports.Server2}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="skpass">
+                    <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/>
+                </sec:trustManagers>
+                <sec:clientAuthentication want="true" required="true"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d6eca00/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-sts-client.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-sts-client.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-sts-client.xml
new file mode 100644
index 0000000..92cc8b2
--- /dev/null
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/jaas/cxf-sts-client.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:jaxrs="http://cxf.apache.org/jaxrs" xsi:schemaLocation="
            http://cxf.apache.org/core             http://cxf.apache.org/schemas/core.xsd
            http://cxf.apache.org/configuration/security             http://cxf.apache.org/schemas/configuration/security.xsd
            http://cxf.apache.org/jaxws             http://cxf.apache.org/schemas/jaxws.xsd
      http://cxf.apache.org/jaxrs             http://cxf.apache.org/schemas/jaxrs.xsd    
 http://cxf.apache.org/transports/http/configuration             http://cxf.apache.org/schemas/configuration/http-conf.xsd
            http://cxf.ap
 ache.org/transports/http-jetty/configuration             http://cxf.apache.org/schemas/configuration/http-jetty.xsd
            http://www.springframework.org/schema/beans             http://www.springframework.org/schema/beans/spring-beans.xsd">
+    
+    <http:conduit name="https://localhost.*">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:keyManagers keyPassword="skpass">
+                <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+            </sec:keyManagers>
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
+</beans>
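Review bot: The conduit sets `disableCNCheck="true"`, which turns off hostname verification for every `https://localhost.*` endpoint the STS client connects to; that is acceptable for the test's localhost keystores, but this file is the reference example for the new `cxf.spring.config` option and is likely to be copied. A comment next to the attribute, e.g. `<!-- disableCNCheck is only for the test's self-signed localhost certificate; a deployment must keep hostname verification on -->`, would make the intent explicit. The same applies to the literal keystore passwords, which are fine as test fixtures but should be marked as such in the example.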

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d6eca00/services/sts/systests/basic/src/test/resources/sts.jaas
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/sts.jaas b/services/sts/systests/basic/src/test/resources/sts.jaas
index b9da508..b5ce6b6 100644
--- a/services/sts/systests/basic/src/test/resources/sts.jaas
+++ b/services/sts/systests/basic/src/test/resources/sts.jaas
@@ -21,3 +21,14 @@ sts_standalone_passthrough {
     service.name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"
     endpoint.name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port";
 };
+
+sts_standalone_config {
+    org.apache.cxf.ws.security.trust.STSLoginModule required 
+    require.roles="true"
+    cxf.spring.config="org/apache/cxf/systest/sts/jaas/cxf-sts-client.xml"
+    wsdl.location="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport?wsdl"
+    service.name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"
+    endpoint.name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"
+    ws-security.username="bob"
+    ws-security.password="trombone";
+};

