Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5B63217D55 for ; Mon, 13 Apr 2015 12:05:49 +0000 (UTC) Received: (qmail 78271 invoked by uid 500); 13 Apr 2015 12:04:51 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 78088 invoked by uid 500); 13 Apr 2015 12:04:51 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 78058 invoked by uid 99); 13 Apr 2015 12:04:50 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Apr 2015 12:04:50 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id C7D79E058E; Mon, 13 Apr 2015 12:04:50 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: coheigea@apache.org To: commits@cxf.apache.org Date: Mon, 13 Apr 2015 12:04:51 -0000 Message-Id: <628bab579feb48faaf6255a9a1347b3a@git.apache.org> In-Reply-To: <301fc685189247558db5481448a0c797@git.apache.org> References: <301fc685189247558db5481448a0c797@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/4] cxf git commit: Adding a new cxf-rt-security-saml module to remove OpenSAML dependencies from cxf-rt-security http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java ---------------------------------------------------------------------- 
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
deleted file mode 100644
index 22d61cf..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
+++ /dev/null
@@ -1,242 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rt.security.claims; - -import java.lang.reflect.Method; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.logging.Logger; - -import org.apache.cxf.common.logging.LogUtils; -import org.apache.cxf.common.util.ClassHelper; -import org.apache.cxf.interceptor.Fault; -import org.apache.cxf.interceptor.security.AccessDeniedException; -import org.apache.cxf.message.Message; -import org.apache.cxf.phase.AbstractPhaseInterceptor; -import org.apache.cxf.phase.Phase; -import org.apache.cxf.rt.security.saml.SAMLSecurityContext; -import org.apache.cxf.security.SecurityContext; -import org.apache.cxf.security.claims.authorization.Claim; -import org.apache.cxf.security.claims.authorization.ClaimMode; -import org.apache.cxf.security.claims.authorization.Claims; -import org.apache.cxf.service.Service; -import org.apache.cxf.service.invoker.MethodDispatcher; -import org.apache.cxf.service.model.BindingOperationInfo; - - -public class ClaimsAuthorizingInterceptor 
extends AbstractPhaseInterceptor { - - private static final Logger LOG = LogUtils.getL7dLogger(ClaimsAuthorizingInterceptor.class); - - private static final Set SKIP_METHODS; - static { - SKIP_METHODS = new HashSet<>(); - SKIP_METHODS.addAll(Arrays.asList( - new String[] {"wait", "notify", "notifyAll", - "equals", "toString", "hashCode"})); - } - - private Map> claims = new HashMap<>(); - private Map nameAliases = Collections.emptyMap(); - private Map formatAliases = Collections.emptyMap(); - - public ClaimsAuthorizingInterceptor() { - super(Phase.PRE_INVOKE); - } - - public void handleMessage(Message message) throws Fault { - SecurityContext sc = message.get(SecurityContext.class); - if (!(sc instanceof SAMLSecurityContext)) { - throw new AccessDeniedException("Security Context is unavailable or unrecognized"); - } - - Method method = getTargetMethod(message); - - if (authorize((SAMLSecurityContext)sc, method)) { - return; - } - - throw new AccessDeniedException("Unauthorized"); - } - - public void setClaims(Map> claimsMap) { - claims.putAll(claimsMap); - } - - protected Method getTargetMethod(Message m) { - BindingOperationInfo bop = m.getExchange().get(BindingOperationInfo.class); - if (bop != null) { - MethodDispatcher md = (MethodDispatcher) - m.getExchange().get(Service.class).get(MethodDispatcher.class.getName()); - return md.getMethod(bop); - } - Method method = (Method)m.get("org.apache.cxf.resource.method"); - if (method != null) { - return method; - } - throw new AccessDeniedException("Method is not available : Unauthorized"); - } - - protected boolean authorize(SAMLSecurityContext sc, Method method) { - List list = claims.get(method.getName()); - org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims(); - - for (ClaimBean claimBean : list) { - org.apache.cxf.rt.security.claims.Claim claim = claimBean.getClaim(); - org.apache.cxf.rt.security.claims.Claim matchingClaim = null; - for (org.apache.cxf.rt.security.claims.Claim cl : 
actualClaims) { - if (cl instanceof SAMLClaim - && ((SAMLClaim)cl).getName().equals(((SAMLClaim)claim).getName()) - && ((SAMLClaim)cl).getNameFormat().equals(((SAMLClaim)claim).getNameFormat())) { - matchingClaim = cl; - break; - } - } - if (matchingClaim == null) { - if (claimBean.getClaimMode() == ClaimMode.STRICT) { - return false; - } else { - continue; - } - } - List claimValues = claim.getValues(); - List matchingClaimValues = matchingClaim.getValues(); - if (claimBean.isMatchAll() - && !matchingClaimValues.containsAll(claimValues)) { - return false; - } else { - boolean matched = false; - for (Object value : matchingClaimValues) { - if (claimValues.contains(value)) { - matched = true; - break; - } - } - if (!matched) { - return false; - } - } - } - return true; - } - - public void setSecuredObject(Object object) { - Class cls = ClassHelper.getRealClass(object); - findClaims(cls); - if (claims.isEmpty()) { - LOG.warning("The claims list is empty, the service object is not protected"); - } - } - - protected void findClaims(Class cls) { - if (cls == null || cls == Object.class) { - return; - } - List clsClaims = - getClaims(cls.getAnnotation(Claims.class), cls.getAnnotation(Claim.class)); - for (Method m : cls.getMethods()) { - if (SKIP_METHODS.contains(m.getName())) { - continue; - } - List methodClaims = - getClaims(m.getAnnotation(Claims.class), m.getAnnotation(Claim.class)); - - List allClaims = new ArrayList<>(methodClaims); - for (ClaimBean bean : clsClaims) { - if (isClaimOverridden(bean, methodClaims)) { - continue; - } - allClaims.add(bean); - } - - claims.put(m.getName(), allClaims); - } - if (!claims.isEmpty()) { - return; - } - - findClaims(cls.getSuperclass()); - - if (!claims.isEmpty()) { - return; - } - - for (Class interfaceCls : cls.getInterfaces()) { - findClaims(interfaceCls); - } - } - - private static boolean isClaimOverridden(ClaimBean bean, List mClaims) { - for (ClaimBean methodBean : mClaims) { - if 
(bean.getClaim().getName().equals(methodBean.getClaim().getName()) - && bean.getClaim().getNameFormat().equals(methodBean.getClaim().getNameFormat())) { - return true; - } - } - return false; - } - - private List getClaims( - Claims claimsAnn, Claim claimAnn) { - List claimsList = new ArrayList<>(); - - List annClaims = new ArrayList<>(); - if (claimsAnn != null) { - annClaims.addAll(Arrays.asList(claimsAnn.value())); - } else if (claimAnn != null) { - annClaims.add(claimAnn); - } - for (Claim ann : annClaims) { - SAMLClaim claim = new SAMLClaim(); - - String claimName = ann.name(); - if (nameAliases.containsKey(claimName)) { - claimName = nameAliases.get(claimName); - } - String claimFormat = ann.format(); - if (formatAliases.containsKey(claimFormat)) { - claimFormat = formatAliases.get(claimFormat); - } - - claim.setName(claimName); - claim.setNameFormat(claimFormat); - for (String value : ann.value()) { - claim.addValue(value); - } - - claimsList.add(new ClaimBean(claim, ann.mode(), ann.matchAll())); - } - return claimsList; - } - - public void setNameAliases(Map nameAliases) { - this.nameAliases = nameAliases; - } - - public void setFormatAliases(Map formatAliases) { - this.formatAliases = formatAliases; - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java deleted file mode 100644 index a76747c..0000000 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java +++ /dev/null 
@@ -1,66 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.cxf.rt.security.claims; - - -/** - * This represents a Claim that is coupled to a SAML Assertion - */ -public class SAMLClaim extends Claim { - - /** - * This configuration tag specifies the default attribute name where the roles are present - * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role". 
- */ - public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT = - "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; - - private static final long serialVersionUID = 5530712294179589442L; - - private String nameFormat; - private String name; - private String friendlyName; - - public String getNameFormat() { - return nameFormat; - } - - public void setNameFormat(String nameFormat) { - this.nameFormat = nameFormat; - } - - public String getName() { - return name; - } - - public void setName(String name) { - this.name = name; - } - - public String getFriendlyName() { - return friendlyName; - } - - public void setFriendlyName(String friendlyName) { - this.friendlyName = friendlyName; - } - - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java deleted file mode 100644 index 4287eb2..0000000 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java +++ /dev/null 
@@ -1,104 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rt.security.saml; - -import java.security.Principal; -import java.util.Set; - -import org.w3c.dom.Element; -import org.apache.cxf.rt.security.claims.ClaimCollection; -import org.apache.cxf.rt.security.claims.ClaimsSecurityContext; - -public class SAMLSecurityContext implements ClaimsSecurityContext { - - private final Principal principal; - private Set roles; - private Element assertionElement; - private String issuer; - private ClaimCollection claims; - - public SAMLSecurityContext(Principal principal) { - this(principal, null); - } - - public SAMLSecurityContext( - Principal principal, - Set roles - ) { - this(principal, roles, null); - } - - public SAMLSecurityContext( - Principal principal, - Set roles, - ClaimCollection claims - ) { - this.principal = principal; - this.roles = roles; - this.claims = claims; - } - - public ClaimCollection getClaims() { - return claims; - } - - public Principal getUserPrincipal() { - return principal; - } - - public boolean isUserInRole(String role) { - if (roles == null) { - return false; - } - for (Principal principalRole : roles) { - if (principalRole.getName().equals(role)) { - 
return true; - } - } - return false; - } - - public javax.security.auth.Subject getSubject() { - return null; - } - - public void setUserRoles(Set userRoles) { - this.roles = userRoles; - } - - public Set getUserRoles() { - return roles; - } - - public void setAssertionElement(Element assertionElement) { - this.assertionElement = assertionElement; - } - - public Element getAssertionElement() { - return assertionElement; - } - - public void setIssuer(String issuer) { - this.issuer = issuer; - } - - public String getIssuer() { - return issuer; - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java deleted file mode 100644 index 8229a07..0000000 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java +++ /dev/null 
@@ -1,141 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rt.security.saml; - -import java.net.URI; -import java.security.Principal; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import org.w3c.dom.Element; -import org.apache.cxf.common.security.SimpleGroup; -import org.apache.cxf.rt.security.claims.Claim; -import org.apache.cxf.rt.security.claims.ClaimCollection; -import org.apache.cxf.rt.security.claims.SAMLClaim; -import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.opensaml.core.xml.XMLObject; -import org.opensaml.saml.common.SAMLVersion; -import org.opensaml.saml.saml2.core.Attribute; -import org.opensaml.saml.saml2.core.AttributeStatement; - -public final class SAMLUtils { - - private SAMLUtils() { - - } - - /** - * Extract Claims from a SAML Assertion - */ - public static ClaimCollection getClaims(SamlAssertionWrapper assertion) { - ClaimCollection claims = new ClaimCollection(); - - if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { - List statements = assertion.getSaml2().getAttributeStatements(); - for (AttributeStatement as : statements) { - for (Attribute atr : as.getAttributes()) { - SAMLClaim claim = 
new SAMLClaim(); - claim.setClaimType(URI.create(atr.getName())); - - claim.setName(atr.getName()); - claim.setNameFormat(atr.getNameFormat()); - claim.setFriendlyName(atr.getFriendlyName()); - - for (XMLObject o : atr.getAttributeValues()) { - String attrValue = o.getDOM().getTextContent(); - claim.getValues().add(attrValue); - } - - claims.add(claim); - } - } - } else { - List attributeStatements = - assertion.getSaml1().getAttributeStatements(); - - for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) { - for (org.opensaml.saml.saml1.core.Attribute atr : statement.getAttributes()) { - SAMLClaim claim = new SAMLClaim(); - - String claimType = atr.getAttributeName(); - if (atr.getAttributeNamespace() != null) { - claimType = atr.getAttributeNamespace() + "/" + claimType; - } - claim.setClaimType(URI.create(claimType)); - - claim.setName(atr.getAttributeName()); - claim.setNameFormat(atr.getAttributeNamespace()); - - for (XMLObject o : atr.getAttributeValues()) { - String attrValue = o.getDOM().getTextContent(); - claim.getValues().add(attrValue); - } - - claims.add(claim); - } - } - } - - return claims; - } - - /** - * Extract roles from the given Claims - */ - public static Set parseRolesFromClaims( - ClaimCollection claims, - String name, - String nameFormat - ) { - String roleAttributeName = name; - if (roleAttributeName == null) { - roleAttributeName = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT; - } - - Set roles = new HashSet<>(); - - for (Claim claim : claims) { - if (claim instanceof SAMLClaim && ((SAMLClaim)claim).getName().equals(name) - && (nameFormat == null - || claim instanceof SAMLClaim && nameFormat.equals(((SAMLClaim)claim).getNameFormat()))) { - for (Object claimValue : claim.getValues()) { - if (claimValue instanceof String) { - roles.add(new SimpleGroup((String)claimValue)); - } - } - if (claim.getValues().size() > 1) { - // Don't search for other attributes with the same name if > 1 claim value - break; - } - } - 
} - - return roles; - } - - public static String getIssuer(Object assertion) { - return ((SamlAssertionWrapper)assertion).getIssuerString(); - } - - public static Element getAssertionElement(Object assertion) { - return ((SamlAssertionWrapper)assertion).getElement(); - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java deleted file mode 100644 index fe109e5..0000000 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java +++ /dev/null 
@@ -1,170 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.cxf.rt.security.xacml; - -import java.security.Principal; -import java.util.ArrayList; -import java.util.List; -import java.util.Set; -import java.util.logging.Level; -import java.util.logging.Logger; - -import org.w3c.dom.Document; -import org.w3c.dom.Element; - -import org.apache.cxf.common.logging.LogUtils; -import org.apache.cxf.helpers.DOMUtils; -import org.apache.cxf.interceptor.Fault; -import org.apache.cxf.interceptor.security.AccessDeniedException; -import org.apache.cxf.message.Message; -import org.apache.cxf.phase.AbstractPhaseInterceptor; -import org.apache.cxf.phase.Phase; -import org.apache.cxf.security.LoginSecurityContext; -import org.apache.cxf.security.SecurityContext; -import org.apache.wss4j.common.saml.OpenSAMLUtil; -import org.apache.wss4j.common.util.DOM2Writer; -import org.opensaml.xacml.ctx.DecisionType.DECISION; -import org.opensaml.xacml.ctx.RequestType; -import org.opensaml.xacml.ctx.ResponseType; -import org.opensaml.xacml.ctx.ResultType; -import org.opensaml.xacml.ctx.StatusType; - - -/** - * An abstract interceptor to perform an XACML authorization request to a remote PDP, - * and make an 
authorization decision based on the response. It takes the principal and roles - * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request - * statement. - * - * This class must be subclassed to actually perform the request to the PDP. - * - * @deprecated: Use XACMLAuthorizingInterceptor instead - */ -@Deprecated -public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor { - - private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class); - - private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder(); - - public AbstractXACMLAuthorizingInterceptor() { - super(Phase.PRE_INVOKE); - org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine(); - } - - public void handleMessage(Message message) throws Fault { - SecurityContext sc = message.get(SecurityContext.class); - - if (sc instanceof LoginSecurityContext) { - Principal principal = sc.getUserPrincipal(); - - LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc; - Set principalRoles = loginSecurityContext.getUserRoles(); - List roles = new ArrayList<>(); - if (principalRoles != null) { - for (Principal p : principalRoles) { - if (p != principal) { - roles.add(p.getName()); - } - } - } - - try { - if (authorize(principal, roles, message)) { - return; - } - } catch (Exception e) { - LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e); - throw new AccessDeniedException("Unauthorized"); - } - } else { - LOG.log( - Level.FINE, - "The SecurityContext was not an instance of LoginSecurityContext. 
No authorization " - + "is possible as a result" - ); - } - - throw new AccessDeniedException("Unauthorized"); - } - - public XACMLRequestBuilder getRequestBuilder() { - return requestBuilder; - } - - public void setRequestBuilder(XACMLRequestBuilder requestBuilder) { - this.requestBuilder = requestBuilder; - } - - /** - * Perform a (remote) authorization decision and return a boolean depending on the result - */ - protected boolean authorize( - Principal principal, List roles, Message message - ) throws Exception { - RequestType request = requestBuilder.createRequest(principal, roles, message); - if (LOG.isLoggable(Level.FINE)) { - Document doc = DOMUtils.createDocument(); - Element requestElement = OpenSAMLUtil.toDom(request, doc); - LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement)); - } - - ResponseType response = performRequest(request, message); - - List results = response.getResults(); - - if (results == null) { - return false; - } - - for (ResultType result : results) { - // Handle any Obligations returned by the PDP - handleObligations(request, principal, message, result); - - DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny; - String code = ""; - String statusMessage = ""; - if (result.getStatus() != null) { - StatusType status = result.getStatus(); - code = status.getStatusCode() != null ? status.getStatusCode().getValue() : ""; - statusMessage = status.getStatusMessage() != null ? 
status.getStatusMessage().getValue() : ""; - } - LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage); - return decision == DECISION.Permit; - } - - return false; - } - - public abstract ResponseType performRequest(RequestType request, Message message) throws Exception; - - /** - * Handle any Obligations returned by the PDP - */ - protected void handleObligations( - RequestType request, - Principal principal, - Message message, - ResultType result - ) throws Exception { - // Do nothing by default - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java deleted file mode 100644 index 5da3359..0000000 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java +++ /dev/null 
@@ -1,97 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rt.security.xacml; - -import javax.xml.namespace.QName; - -import org.w3c.dom.Element; -import org.apache.cxf.message.Message; -import org.apache.cxf.rt.security.saml.SAMLSecurityContext; -import org.apache.cxf.security.SecurityContext; -import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.common.saml.SamlAssertionWrapper; - -public class CXFMessageParser { - private Message message; - - /** - * @param message - */ - public CXFMessageParser(Message message) { - this.message = message; - } - - public boolean isSOAPService() { - return getWSDLOperation() != null; - } - - public QName getWSDLOperation() { - if (message != null && message.get(Message.WSDL_OPERATION) != null) { - return (QName)message.get(Message.WSDL_OPERATION); - } - return null; - } - - public QName getWSDLService() { - if (message != null && message.get(Message.WSDL_SERVICE) != null) { - return (QName)message.get(Message.WSDL_SERVICE); - } - return null; - } - - /** - * @param fullRequestURL Whether to send the full Request URL as the resource or not. 
If set to true, the - * full Request URL will be sent for both a JAX-WS and JAX-RS service. If set to false (the - * default), a JAX-WS service will send the "{namespace}operation" QName, and a JAX-RS service - * will send the RequestURI (i.e. minus the initial https: prefix) - */ - public String getResourceURI(boolean fullRequestURL) { - String property = fullRequestURL ? Message.REQUEST_URL : Message.REQUEST_URI; - if (message != null && message.get(property) != null) { - return (String)message.get(property); - } - return null; - } - - public String getAction(String defaultSOAPAction) { - String actionToUse = defaultSOAPAction; - // For REST use the HTTP Verb - if (message.get(Message.WSDL_OPERATION) == null && message.get(Message.HTTP_REQUEST_METHOD) != null) { - actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD); - } - return actionToUse; - } - - /** - * Get the Issuer of the SAML Assertion - */ - public String getIssuer() throws WSSecurityException { - SecurityContext sc = message.get(SecurityContext.class); - - if (sc instanceof SAMLSecurityContext) { - Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement(); - if (assertionElement != null) { - SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertionElement); - return wrapper.getIssuerString(); - } - } - - return null; - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java deleted file mode 100644 index c2bb40b..0000000 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java +++ /dev/null 
@@ -1,217 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.joda.time.DateTime;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
- * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
- * and the list of roles associated with that principal are inserted as Subject roles. The action
- * to send defaults to "execute".
- *
- * For a SOAP Service, the resource-id Attribute refers to the
- * "{serviceNamespace}serviceName#{operationNamespace}operationName" String (shortened to
- * "{serviceNamespace}serviceName#operationName" if the namespaces are identical). The
- * "{serviceNamespace}serviceName", "{operationNamespace}operationName" and resource URI are also
- * sent to simplify processing at the PDP side.
- *
- * For a REST service the request URL is the resource. You can also configure the ability to
- * send the truncated request URI instead for a SOAP or REST service. The current DateTime is
- * also sent in an Environment, however this can be disabled via configuration.
- */
-public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
-
- private boolean sendDateTime = true;
- private String action = "execute";
- private boolean sendFullRequestURL = true;
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- */
- public RequestType createRequest(Principal principal, List roles, Message message)
- throws Exception {
- CXFMessageParser messageParser = new CXFMessageParser(message);
- String issuer = messageParser.getIssuer();
-
- String actionToUse = messageParser.getAction(action);
-
- SubjectType subjectType = createSubjectType(principal, roles, issuer);
- ResourceType resourceType = createResourceType(messageParser);
- AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
- null, actionToUse);
- ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
-
- return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
- Collections.singletonList(resourceType),
- actionType,
- createEnvironmentType());
- }
-
- private ResourceType createResourceType(CXFMessageParser messageParser) {
- List attributes = new ArrayList<>();
-
- // Resource-id
- String resourceId = null;
- boolean isSoapService =
messageParser.isSOAPService();
- if (isSoapService) {
- QName serviceName = messageParser.getWSDLService();
- QName operationName = messageParser.getWSDLOperation();
-
- if (serviceName != null) {
- resourceId = serviceName.toString() + "#";
- if (serviceName.getNamespaceURI() != null
- && serviceName.getNamespaceURI().equals(operationName.getNamespaceURI())) {
- resourceId += operationName.getLocalPart();
- } else {
- resourceId += operationName.toString();
- }
- } else {
- resourceId = operationName.toString();
- }
- } else {
- resourceId = messageParser.getResourceURI(sendFullRequestURL);
- }
-
- attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
- resourceId));
-
- if (isSoapService) {
- // WSDL Service
- QName wsdlService = messageParser.getWSDLService();
- if (wsdlService != null) {
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_SERVICE_ID, XACMLConstants.XS_STRING, null,
- wsdlService.toString()));
- }
-
- // WSDL Operation
- QName wsdlOperation = messageParser.getWSDLOperation();
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_OPERATION_ID, XACMLConstants.XS_STRING, null,
- wsdlOperation.toString()));
-
- // WSDL Endpoint
- String endpointURI = messageParser.getResourceURI(sendFullRequestURL);
- attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_ENDPOINT, XACMLConstants.XS_STRING, null,
- endpointURI));
- }
-
- return RequestComponentBuilder.createResourceType(attributes, null);
- }
-
- private EnvironmentType createEnvironmentType() {
- if (sendDateTime) {
- List attributes = new ArrayList<>();
- AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
- XACMLConstants.XS_DATETIME, null,
- new DateTime().toString());
- attributes.add(environmentAttribute);
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
- List attributes = Collections.emptyList();
- return RequestComponentBuilder.createEnvironmentType(attributes);
- }
-
-
private SubjectType createSubjectType(Principal principal, List roles, String issuer) {
- List attributes = new ArrayList<>();
- attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
- principal.getName()));
-
- if (roles != null) {
- List roleAttributes = new ArrayList<>();
- for (String role : roles) {
- if (role != null) {
- AttributeValueType subjectRoleAttributeValue =
- RequestComponentBuilder.createAttributeValueType(role);
- roleAttributes.add(subjectRoleAttributeValue);
- }
- }
-
- if (!roleAttributes.isEmpty()) {
- AttributeType subjectRoleAttribute =
- createAttribute(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- issuer,
- roleAttributes
- );
- attributes.add(subjectRoleAttribute);
- }
- }
-
- return RequestComponentBuilder.createSubjectType(attributes, null);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, List values) {
- return RequestComponentBuilder.createAttributeType(id, type, issuer, values);
- }
-
- private AttributeType createAttribute(String id, String type, String issuer, String value) {
- return createAttribute(id, type, issuer,
- Collections.singletonList(RequestComponentBuilder.createAttributeValueType(value)));
- }
-
- /**
- * Set a new Action String to use
- */
- public void setAction(String action) {
- this.action = action;
- }
-
- public void setSendDateTime(boolean sendDateTime) {
- this.sendDateTime = sendDateTime;
- }
-
- /**
- * Whether to send the full Request URL as the resource or not. If set to true,
- * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
- * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
- * and a JAX-RS service will send the RequestURI (i.e. minus the initial https: prefix).
- */
- public void setSendFullRequestURL(boolean sendFullRequestURL) {
- this.sendFullRequestURL = sendFullRequestURL;
- }
-
- @Override
- public List getResources(Message message) {
- throw new IllegalAccessError("Deprecated");
- }
-
- @Override
- public String getResource(Message message) {
- throw new IllegalAccessError("Deprecated");
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
deleted file mode 100644
index 1086364..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.List;
-
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceContentType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * A set of utility methods to construct XACML 2.0 Request statements
- */
-public final class RequestComponentBuilder {
- private static volatile XACMLObjectBuilder attributeValueTypeBuilder;
-
- private static volatile XACMLObjectBuilder attributeTypeBuilder;
-
- private static volatile XACMLObjectBuilder subjectTypeBuilder;
-
- private static volatile XACMLObjectBuilder resourceTypeBuilder;
-
- private static volatile XACMLObjectBuilder actionTypeBuilder;
-
- private static volatile XACMLObjectBuilder environmentTypeBuilder;
-
- private static volatile XACMLObjectBuilder requestTypeBuilder;
-
- private static volatile XMLObjectBuilderFactory builderFactory =
- XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- private RequestComponentBuilder() {
- // complete
- }
-
- @SuppressWarnings("unchecked")
- public static AttributeValueType createAttributeValueType(
- String value
- ) {
- if (attributeValueTypeBuilder == null) {
- attributeValueTypeBuilder = (XACMLObjectBuilder)
- builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
- }
- AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
- attributeValue.setValue(value);
-
- return attributeValue;
- }
-
- @SuppressWarnings("unchecked")
- public static AttributeType createAttributeType(
- String attributeId,
- String dataType,
- String issuer,
- List attributeValues
- ) {
- if (attributeTypeBuilder == null) {
- attributeTypeBuilder = (XACMLObjectBuilder)
- builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
- }
- AttributeType attributeType = attributeTypeBuilder.buildObject();
- attributeType.setAttributeID(attributeId);
- attributeType.setDataType(dataType);
- attributeType.setIssuer(issuer);
- attributeType.getAttributeValues().addAll(attributeValues);
-
- return attributeType;
- }
-
- @SuppressWarnings("unchecked")
- public static SubjectType createSubjectType(
- List attributes,
- String subjectCategory
- ) {
- if (subjectTypeBuilder == null) {
- subjectTypeBuilder = (XACMLObjectBuilder)
- builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
- }
- SubjectType subject = subjectTypeBuilder.buildObject();
- if (attributes != null) {
- subject.getAttributes().addAll(attributes);
- }
- subject.setSubjectCategory(subjectCategory);
-
- return subject;
- }
-
- @SuppressWarnings("unchecked")
- public static ResourceType createResourceType(
- List attributes,
- ResourceContentType resourceContent
- ) {
- if (resourceTypeBuilder == null) {
- resourceTypeBuilder = (XACMLObjectBuilder)
- builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
- }
- ResourceType resource = resourceTypeBuilder.buildObject();
- if (attributes != null) {
- resource.getAttributes().addAll(attributes);
- }
- resource.setResourceContent(resourceContent);
-
- return resource;
- }
-
- @SuppressWarnings("unchecked")
- public static ActionType createActionType(
- List attributes
- ) {
- if (actionTypeBuilder == null) {
- actionTypeBuilder = (XACMLObjectBuilder)
- builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
- }
- ActionType action = actionTypeBuilder.buildObject();
- if (attributes != null) {
- action.getAttributes().addAll(attributes);
- }
-
- return action;
- }
-
- @SuppressWarnings("unchecked")
- public static EnvironmentType createEnvironmentType(
- List attributes
- ) {
- if (environmentTypeBuilder == null) {
- environmentTypeBuilder = (XACMLObjectBuilder)
- builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
- }
- EnvironmentType enviroment = environmentTypeBuilder.buildObject();
- if (attributes != null) {
- enviroment.getAttributes().addAll(attributes);
- }
-
- return enviroment;
- }
-
- @SuppressWarnings("unchecked")
- public static RequestType createRequestType(
- List subjects,
- List resources,
- ActionType action,
- EnvironmentType environment
- ) {
- if (requestTypeBuilder == null) {
- requestTypeBuilder = (XACMLObjectBuilder)
- builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
- }
- RequestType request = requestTypeBuilder.buildObject();
- request.getSubjects().addAll(subjects);
- request.getResources().addAll(resources);
- request.setAction(action);
- request.setEnvironment(environment);
-
- return request;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
deleted file mode 100644
index 353815c..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.UUID;
-
-import org.joda.time.DateTime;
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.saml.common.SAMLObjectBuilder;
-import org.opensaml.saml.common.SAMLVersion;
-import org.opensaml.saml.saml2.core.Issuer;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
-import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
-
-/**
- * A set of utility methods to construct XACML SAML Request statements, based on the
- * SAML 2.0 profile of XACML v2.0 specification.
- */
-public final class SamlRequestComponentBuilder {
- private static volatile XACMLObjectBuilder xacmlAuthzDecisionQueryTypeBuilder;
-
- private static volatile SAMLObjectBuilder issuerBuilder;
-
- private static volatile XMLObjectBuilderFactory builderFactory =
- XMLObjectProviderRegistrySupport.getBuilderFactory();
-
- private SamlRequestComponentBuilder() {
- // complete
- }
-
- /**
- * Create an AuthzDecisionQuery using the defaults
- */
- public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
- String issuerValue,
- RequestType request,
- String namespace
- ) {
- return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
- }
-
- @SuppressWarnings("unchecked")
- public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
- boolean inputContextOnly,
- boolean returnContext,
- String issuerValue,
- RequestType request,
- String namespace
- ) {
- if (xacmlAuthzDecisionQueryTypeBuilder == null) {
- xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder)
- builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
- }
- XACMLAuthzDecisionQueryType authzQuery =
- xacmlAuthzDecisionQueryTypeBuilder.buildObject(
- namespace,
- XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
- SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
- );
- authzQuery.setID("_" + UUID.randomUUID().toString());
- authzQuery.setVersion(SAMLVersion.VERSION_20);
- authzQuery.setIssueInstant(new DateTime());
- authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
- authzQuery.setReturnContext(Boolean.valueOf(returnContext));
-
- if (issuerValue != null) {
- Issuer issuer = createIssuer(issuerValue);
- authzQuery.setIssuer(issuer);
- }
-
- authzQuery.setRequest(request);
-
- return authzQuery;
- }
-
-
- /**
- * Create an Issuer object
- *
- * @param issuerValue of type String
- * @return an Issuer object
- */
- @SuppressWarnings("unchecked")
- public static Issuer createIssuer(String issuerValue) {
- if
(issuerBuilder == null) {
- issuerBuilder = (SAMLObjectBuilder)
- builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
-
- }
- Issuer issuer = issuerBuilder.buildObject();
- //
- // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD
- // be unambiguous to the intended relying parties.
- issuer.setValue(issuerValue);
- return issuer;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
deleted file mode 100644
index 2194908..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-
-/**
- * An interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement.
- */
-@SuppressWarnings("deprecation")
-public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
- private PolicyDecisionPoint pdp;
-
- public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
- super();
- this.pdp = pdp;
- }
-
- @Override
- public ResponseType performRequest(RequestType request, Message message) throws Exception {
- Source requestSource = requestType2Source(request);
- Source responseSource = this.pdp.evaluate(requestSource);
- return responseSourceToResponseType(responseSource);
- }
-
- private Source requestType2Source(RequestType request) {
- Document doc = DOMUtils.createDocument();
- Element requestElement;
- try {
- requestElement = OpenSAMLUtil.toDom(request, doc);
- } catch (WSSecurityException e) {
- throw new RuntimeException("Error converting PDP RequestType to Dom", e);
- }
- return new DOMSource(requestElement);
- }
-
- private ResponseType responseSourceToResponseType(Source responseSource) {
- try {
- Transformer trans = TransformerFactory.newInstance().newTransformer();
- DOMResult res = new DOMResult();
- trans.transform(responseSource, res);
- Node nd = res.getNode();
- if (nd instanceof Document) {
- nd = ((Document)nd).getDocumentElement();
- }
- return (ResponseType)OpenSAMLUtil.fromDom((Element)nd);
- } catch (Exception e) {
- throw new RuntimeException("Error converting pdp response to ResponseType", e);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
deleted file mode 100644
index 3480d8b..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
+++ /dev/null
@@ -1,206 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-
-
-/**
- * XACML 1.x and 2.0 Constants.
- */
-public final class XACMLConstants {
-
- //
- // Attributes
- //
-
- public static final String CURRENT_TIME =
- "urn:oasis:names:tc:xacml:1.0:environment:current-time";
- public static final String CURRENT_DATE =
- "urn:oasis:names:tc:xacml:1.0:environment:current-date";
- public static final String CURRENT_DATETIME =
- "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime";
-
- //
- // Identifiers
- //
-
- public static final String SUBJECT_DNS_NAME =
- "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name";
- public static final String SUBJECT_IP_ADDR =
- "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address";
- public static final String SUBJECT_AUTHN_METHOD =
- "urn:oasis:names:tc:xacml:1.0:subject:authentication-method";
- public static final String SUBJECT_AUTHN_TIME =
- "urn:oasis:names:tc:xacml:1.0:subject:authentication-time";
- public static final String SUBJECT_KEY_INFO =
- "urn:oasis:names:tc:xacml:1.0:subject:key-info";
- public static final String SUBJECT_REQ_TIME =
-
"urn:oasis:names:tc:xacml:1.0:subject:request-time";
- public static final String SUBJECT_START_TIME =
- "urn:oasis:names:tc:xacml:1.0:subject:session-start-time";
- public static final String SUBJECT_ID =
- "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
- public static final String SUBJECT_ID_QUALIFIER =
- "urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier";
- public static final String SUBJECT_CAT_ACCESS_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
- public static final String SUBJECT_CAT_CODEBASE =
- "urn:oasis:names:tc:xacml:1.0:subject-category:codebase";
- public static final String SUBJECT_CAT_INTERMED_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject";
- public static final String SUBJECT_CAT_REC_SUBJECT =
- "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject";
- public static final String SUBJECT_CAT_REQ_MACHINE =
- "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine";
- public static final String RESOURCE_LOC =
- "urn:oasis:names:tc:xacml:1.0:resource:resource-location";
- public static final String RESOURCE_ID =
- "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
-
- // Non-standard (CXF-specific) tags for sending information about SOAP services to the PDP
- public static final String RESOURCE_WSDL_OPERATION_ID =
- "urn:cxf:apache:org:wsdl:operation-id";
- public static final String RESOURCE_WSDL_SERVICE_ID =
- "urn:cxf:apache:org:wsdl:service-id";
- public static final String RESOURCE_WSDL_ENDPOINT =
- "urn:cxf:apache:org:wsdl:endpoint";
-
- public static final String RESOURCE_FILE_NAME =
- "urn:oasis:names:tc:xacml:1.0:resource:simple-file-name";
- public static final String ACTION_ID =
- "urn:oasis:names:tc:xacml:1.0:action:action-id";
- public static final String ACTION_IMPLIED =
- "urn:oasis:names:tc:xacml:1.0:action:implied-action";
- public static final String SUBJECT_ROLE =
- "urn:oasis:names:tc:xacml:2.0:subject:role";
-
-
- //
- // Datatypes
-
// 
-
- public static final String XS_STRING =
- "http://www.w3.org/2001/XMLSchema#string";
- public static final String XS_BOOLEAN =
- "http://www.w3.org/2001/XMLSchema#boolean";
- public static final String XS_INT =
- "http://www.w3.org/2001/XMLSchema#integer";
- public static final String XS_DOUBLE =
- "http://www.w3.org/2001/XMLSchema#double";
- public static final String XS_TIME =
- "http://www.w3.org/2001/XMLSchema#time";
- public static final String XS_DATE =
- "http://www.w3.org/2001/XMLSchema#date";
- public static final String XS_DATETIME =
- "http://www.w3.org/2001/XMLSchema#dateTime";
- public static final String XS_ANY_URI =
- "http://www.w3.org/2001/XMLSchema#anyURI";
- public static final String XS_HEX =
- "http://www.w3.org/2001/XMLSchema#hexBinary";
- public static final String XS_BASE64 =
- "http://www.w3.org/2001/XMLSchema#base64Binary";
- public static final String RFC_822_NAME =
- "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name";
- public static final String X500_NAME =
- "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
-
- //
- // Functions
- //
- public static final String FUNC_STRING_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:string-equal";
- public static final String FUNC_BOOL_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:boolean-equal";
- public static final String FUNC_INT_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:integer-equal";
- public static final String FUNC_DOUBLE_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:double-equal";
- public static final String FUNC_DATE_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:date-equal";
- public static final String FUNC_TIME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:time-equal";
- public static final String FUNC_DATETIME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-equal";
- public static final String FUNC_ANY_URI_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal";
- public static final String FUNC_X500_NAME_EQUAL =
-
"urn:oasis:names:tc:xacml:1.0:function:x500Name-equal";
- public static final String FUNC_RFC_822_NAME_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal";
- public static final String FUNC_HEX_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal";
- public static final String FUNC_BASE64_EQUAL =
- "urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal";
-
- public static final String FUNC_INT_GT =
- "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than";
- public static final String FUNC_INT_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal";
- public static final String FUNC_INT_LT =
- "urn:oasis:names:tc:xacml:1.0:function:integer-less-than";
- public static final String FUNC_INT_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal";
- public static final String FUNC_DOUBLE_GT =
- "urn:oasis:names:tc:xacml:1.0:function:double-greater-than";
- public static final String FUNC_DOUBLE_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal";
- public static final String FUNC_DOUBLE_LT =
- "urn:oasis:names:tc:xacml:1.0:function:double-less-than";
- public static final String FUNC_DOUBLE_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal";
-
- public static final String FUNC_STRING_GT =
- "urn:oasis:names:tc:xacml:1.0:function:string-greater-than";
- public static final String FUNC_STRING_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal";
- public static final String FUNC_STRING_LT =
- "urn:oasis:names:tc:xacml:1.0:function:string-less-than";
- public static final String FUNC_STRING_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal";
- public static final String FUNC_TIME_GT =
- "urn:oasis:names:tc:xacml:1.0:function:time-greater-than";
- public static final String FUNC_TIME_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal";
- public static final String FUNC_TIME_LT =
-
"urn:oasis:names:tc:xacml:1.0:function:time-less-than";
- public static final String FUNC_TIME_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal";
- public static final String FUNC_DATETIME_GT =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than";
- public static final String FUNC_DATETIME_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal";
- public static final String FUNC_DATETIME_LT =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than";
- public static final String FUNC_DATETIME_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal";
- public static final String FUNC_DATE_GT =
- "urn:oasis:names:tc:xacml:1.0:function:date-greater-than";
- public static final String FUNC_DATE_GTE =
- "urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal";
- public static final String FUNC_DATE_LT =
- "urn:oasis:names:tc:xacml:1.0:function:date-less-than";
- public static final String FUNC_DATE_LTE =
- "urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal";
-
-
- private XACMLConstants() {
- // complete
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
deleted file mode 100644
index f3a1e6e..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.List;
-
-import org.apache.cxf.message.Message;
-import org.opensaml.xacml.ctx.RequestType;
-
-
-/**
- * This interface defines a way to create an XACML Request.
- */
-public interface XACMLRequestBuilder {
-
- /**
- * Create an XACML Request given a Principal, list of roles and Message.
- *
- * @param principal The principal to insert into the Subject of the Request
- * @param roles The list of roles associated with the principal
- * @param message The Message from which to retrieve the resource
- * @return An OpenSAML RequestType object
- * @throws Exception
- */
- RequestType createRequest(Principal principal, List roles, Message message) throws Exception;
-
- /**
- * Return the list of Resources that have been inserted into the Request.
- *
- * @param message The Message from which to retrieve the resource
- * @return the list of Resources that have been inserted into the Request
- */
- @Deprecated
- List getResources(Message message);
-
- /**
- * Return the Resource that has been inserted into the Request.
- *
- * @param message The Message from which to retrieve the resource
- * @return the Resource that has been inserted into the Request
- */
- @Deprecated
- String getResource(Message message);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
deleted file mode 100644
index c23272f..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.xacml.pdp.api;
-
-import javax.xml.transform.Source;
-
-/**
- * An interface that describes a PolicyDecisionPoint (PDP).
- */
-public interface PolicyDecisionPoint {
-
- /**
- * Evaluate an XACML Request and return a Response
- * @param request an XACML Request as a Source
- * @return the XACML Response as a Source
- */
- Source evaluate(Source request);
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
deleted file mode 100644
index 4d9e11d..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
+++ /dev/null
@@ -1,295 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.claims;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Set;
-
-import org.apache.cxf.common.security.SimplePrincipal;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
-import org.apache.cxf.message.ExchangeImpl;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.security.claims.authorization.Claim;
-import org.apache.cxf.security.claims.authorization.ClaimMode;
-import org.apache.cxf.security.claims.authorization.Claims;
-import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-
-
-public class ClaimsAuthorizingInterceptorTest extends Assert {
-
- private ClaimsAuthorizingInterceptor interceptor;
-
- @Before
- public void setUp() {
- interceptor = new ClaimsAuthorizingInterceptor();
- interceptor.setNameAliases(
- Collections.singletonMap("authentication", "http://authentication"));
- interceptor.setFormatAliases(
- Collections.singletonMap("claims", "http://claims"));
- interceptor.setSecuredObject(new TestService());
-
- }
-
- @Test
- public void testClaimDefaultNameAndFormat() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("user"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testClaimMatchAll() throws Exception {
- doTestClaims("claimMatchAll",
- createDefaultClaim("admin", "manager"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimMatchAll",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"));
- doTestClaims("claimMatchAll",
- createDefaultClaim("manager"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testMissingExpectedClaim() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testExtraNonExpectedClaim() throws Exception {
- doTestClaims("claimWithDefaultNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"),
- createClaim("http://extra/claims", "http://claims", "claim"));
- }
-
- @Test
- public void testClaimSpecificNameAndFormat() throws Exception {
- doTestClaims("claimWithSpecificNameAndFormat",
- createClaim("http://cxf/roles", "http://claims", "admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- try {
- doTestClaims("claimWithSpecificNameAndFormat",
- createDefaultClaim("admin", "user"),
- createClaim("http://authentication", "http://claims", "password"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testClaimLaxMode() throws Exception {
- doTestClaims("claimLaxMode",
- createClaim("http://authentication", "http://claims", "password"));
- doTestClaims("claimLaxMode");
- try {
- doTestClaims("claimLaxMode",
- createClaim("http://authentication", "http://claims", "smartcard"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testMultipleClaims() throws Exception {
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "smartcard"),
- createClaim("http://location", "http://claims", "UK"));
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "password"),
- createClaim("http://location", "http://claims", "USA"));
- try {
- doTestClaims("multipleClaims",
- createDefaultClaim("admin"),
- createClaim("http://authentication", "http://claims", "unsecuretransport"),
- createClaim("http://location", "http://claims", "UK"));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
- @Test
- public void testUserInRoleAndClaims() throws Exception {
- SecureAnnotationsInterceptor in = new SecureAnnotationsInterceptor();
- in.setAnnotationClassName(SecureRole.class.getName());
- in.setSecuredObject(new TestService2());
-
- Message m = prepareMessage(TestService2.class, "test",
- createDefaultClaim("admin"),
- createClaim("a", "b", "c"));
-
- in.handleMessage(m);
-
- ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
- org.apache.cxf.rt.security.claims.SAMLClaim claim =
- new org.apache.cxf.rt.security.claims.SAMLClaim();
- claim.setNameFormat("a");
- claim.setName("b");
- claim.addValue("c");
- in2.setClaims(Collections.singletonMap("test",
- Collections.singletonList(
- new ClaimBean(claim))));
- in2.handleMessage(m);
-
- try {
- in.handleMessage(prepareMessage(TestService2.class, "test",
- createDefaultClaim("user")));
- fail("AccessDeniedException expected");
- } catch (AccessDeniedException ex) {
- // expected
- }
- }
-
-
- private void doTestClaims(String methodName,
- org.apache.cxf.rt.security.claims.Claim... claim)
- throws Exception {
- Message m = prepareMessage(TestService.class, methodName, claim);
- interceptor.handleMessage(m);
- }
-
- private Message prepareMessage(Class cls,
- String methodName,
- org.apache.cxf.rt.security.claims.Claim... claim)
- throws Exception {
- ClaimCollection claims = new ClaimCollection();
- claims.addAll(Arrays.asList(claim));
-
- Set roles =
- SAMLUtils.parseRolesFromClaims(claims, SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
-
- SecurityContext sc = new SAMLSecurityContext(new SimplePrincipal("user"), roles, claims);
- Message m = new MessageImpl();
- m.setExchange(new ExchangeImpl());
- m.put(SecurityContext.class, sc);
- m.put("org.apache.cxf.resource.method",
- cls.getMethod(methodName, new Class[]{}));
- return m;
- }
-
- private org.apache.cxf.rt.security.claims.Claim createDefaultClaim(
- Object... values) {
- return createClaim(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
- SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED,
- values);
- }
-
- private org.apache.cxf.rt.security.claims.Claim createClaim(
- String name, String format, Object... values) {
- SAMLClaim claim = new SAMLClaim();
- claim.setName(name);
- claim.setNameFormat(format);
- claim.setValues(Arrays.asList(values));
- return claim;
- }
-
- @Claim(name = "authentication", format = "claims",
- value = "password")
- public static class TestService {
- // default name and format are used
- @Claim({"admin", "manager" })
- public void claimWithDefaultNameAndFormat() {
-
- }
-
- // explicit name and format
- @Claim(name = "http://cxf/roles", format = "http://claims",
- value = {"admin", "manager" })
- public void claimWithSpecificNameAndFormat() {
-
- }
-
- @Claim(name = "http://authentication", format = "http://claims",
- value = "password", mode = ClaimMode.LAX)
- public void claimLaxMode() {
-
- }
-
- @Claims({
- @Claim(name = "http://location", format = "http://claims",
- value = {"UK", "USA" }),
- @Claim(value = {"admin", "manager" }),
- @Claim(name = "authentication", format = "claims",
- value = {"password", "smartcard" })
- })
- public void multipleClaims() {
-
- }
-
- // user must have both admin and manager roles, default is 'or'
- @Claim(value = {"admin", "manager" },
- matchAll = true)
- public void claimMatchAll() {
-
- }
- }
- public static class TestService2 {
- @SecureRole("admin")
- public void test() {
-
- }
- }
- @Target(ElementType.METHOD)
- @Retention(RetentionPolicy.RUNTIME)
- public @interface SecureRole {
- String[] value();
- }
-}