Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 9A3D3171D8 for ; Thu, 24 Sep 2015 13:39:59 +0000 (UTC) Received: (qmail 78873 invoked by uid 500); 24 Sep 2015 13:39:56 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 78810 invoked by uid 500); 24 Sep 2015 13:39:56 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 78801 invoked by uid 99); 24 Sep 2015 13:39:56 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 24 Sep 2015 13:39:56 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 5FFCEE10BB; Thu, 24 Sep 2015 13:39:56 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: [CXF-6607] - Cached STS-issued tokens are not renewed on expiry in delegation scenario Date: Thu, 24 Sep 2015 13:39:56 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 88b3f238c -> 008c8835a [CXF-6607] - Cached STS-issued tokens are not renewed on expiry in delegation scenario Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/008c8835 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/008c8835 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/008c8835 Branch: refs/heads/master Commit: 008c8835a460736b6491204aa999712442c7b364 Parents: 88b3f23 Author: Colm O hEigeartaigh Authored: Thu Sep 24 14:39:23 2015 +0100 Committer: Colm O hEigeartaigh Committed: Thu Sep 24 14:39:51 2015 +0100 ---------------------------------------------------------------------- .../ws/security/trust/STSTokenRetriever.java | 5 +- .../cxf/systest/sts/renew/SAMLRenewTest.java | 13 ++++ .../sts/renew/UsernameTokenValidator.java | 67 ++++++++++++++++++++ .../apache/cxf/systest/sts/renew/DoubleIt.wsdl | 3 + .../apache/cxf/systest/sts/renew/cxf-client.xml | 34 +++++++++- .../cxf/systest/sts/renew/cxf-service.xml | 6 ++ .../cxf/systest/sts/renew/cxf-sts-pop.xml | 9 +++ 7 files changed, 135 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/008c8835/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java index 1e60888..3b57bda 100644 
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
@@ -150,7 +150,10 @@ public final class STSTokenRetriever {
message, onBehalfOfToken, actAsToken, appliesTo, enableAppliesTo
);
- if (secToken == null) {
+ if (secToken != null) {
+ // Check to see whether the delegated token needs to be renewed
+ secToken = renewToken(message, secToken, params);
+ } else {
secToken = getTokenFromSTS(message, client, maps, appliesTo, params);
}
storeDelegationTokens(
http://git-wip-us.apache.org/repos/asf/cxf/blob/008c8835/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
index a2fd15d..9a2c957 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewTest.java
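Review bot: The new branch hands the cached delegation token to renewToken(message, secToken, params) and then falls straight through to storeDelegationTokens(...) without looking at what came back; renewToken's body is outside this hunk, so if it can return null when renewal fails and no re-issue fallback applies, a null token would end up cached under the delegation key. If renewToken is guaranteed to re-issue on a failed renew, the comment should say so, e.g. `// Renew the cached delegated token if it has expired; renewToken falls back to issuing a new token when renewal is not possible`; otherwise guard with `if (secToken == null) { secToken = getTokenFromSTS(message, client, maps, appliesTo, params); }` before the store. The enclosing method starts and ends outside the hunk.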
@@ -105,11 +105,21 @@ public class SAMLRenewTest extends AbstractBusClientServerTestBase {
service.getPort(saml2NoRenewPortQName, DoubleItPortType.class);
updateAddressPort(saml2NoRenewPort, PORT);
+ QName saml2IntermediaryPortQName = new QName(NAMESPACE, "DoubleItTransportSaml2IntermediaryPort");
+ DoubleItPortType saml2IntermediaryPort =
+ service.getPort(saml2IntermediaryPortQName, DoubleItPortType.class);
+ updateAddressPort(saml2IntermediaryPort, PORT);
+
+ ((BindingProvider)saml2IntermediaryPort).getRequestContext().put(
+ "security.username", "alice"
+ );
+
// Make initial successful invocation(s)
doubleIt(saml1Port, 25);
doubleIt(saml1BearerPort, 30);
doubleIt(saml2Port, 35);
doubleIt(saml2NoRenewPort, 35);
+ doubleIt(saml2IntermediaryPort, 40);
// Now sleep to expire the token(s)
Thread.sleep(8 * 1000);
@@ -138,9 +148,12 @@ public class SAMLRenewTest extends AbstractBusClientServerTestBase {
// Renew should fail here, but it should fall back to issue
doubleIt(saml2NoRenewPort, 35);
+ doubleIt(saml2IntermediaryPort, 40);
+
((java.io.Closeable)saml1Port).close();
((java.io.Closeable)saml1BearerPort).close();
((java.io.Closeable)saml2Port).close();
+ ((java.io.Closeable)saml2IntermediaryPort).close();
bus.shutdown(true);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/008c8835/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/UsernameTokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/UsernameTokenValidator.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/UsernameTokenValidator.java
new file mode 100644
index 0000000..7f0ec75
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/UsernameTokenValidator.java
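Review bot: The new `doubleIt(saml2IntermediaryPort, 40);` in the second hunk sits directly under the comment `// Renew should fail here, but it should fall back to issue`, which describes the saml2NoRenewPort call, whereas the expectation for the intermediary port (per the commit subject) is that the cached delegated token is renewed rather than re-issued. A comment of its own keeps the two expectations apart, e.g. `// The cached delegated token should be renewed, not re-issued, after expiry (CXF-6607)`. As written the test only asserts that the call still succeeds after the sleep, so it would also pass if the client silently fell back to Issue; if the STS side can expose whether a Renew request was received, asserting on that would pin the fix itself. The enclosing test method begins outside the hunk.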
@@ -0,0 +1,67 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.renew;
+
+import org.apache.cxf.sts.request.ReceivedToken;
+import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.token.validator.TokenValidator;
+import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
+import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
+import org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType;
+import org.apache.wss4j.common.principal.CustomTokenPrincipal;
+
+public class UsernameTokenValidator implements TokenValidator {
+
+ /**
+ * Return true if this TokenValidator implementation is capable of validating the
+ * ReceivedToken argument.
+ */
+ public boolean canHandleToken(ReceivedToken validateTarget) {
+ return canHandleToken(validateTarget, null);
+ }
+
+ /**
+ * Return true if this TokenValidator implementation is capable of validating the
+ * ReceivedToken argument. The realm is ignored in this token Validator.
+ */
+ public boolean canHandleToken(ReceivedToken validateTarget, String realm) {
+ return validateTarget.getToken() instanceof UsernameTokenType;
+ }
+
+ /**
+ * Validate a Token using the given TokenValidatorParameters.
+ */
+ public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
+ TokenValidatorResponse response = new TokenValidatorResponse();
+ ReceivedToken validateTarget = tokenParameters.getToken();
+ validateTarget.setState(STATE.INVALID);
+ response.setToken(validateTarget);
+
+ UsernameTokenType usernameTokenType = (UsernameTokenType)validateTarget.getToken();
+ // Ignore the fact that no password is provided
+ // Some other requirements must be met to issue a token onbehalfof a subject
+ // whose authentication is not proved
+ validateTarget.setState(STATE.VALID);
+ response.setPrincipal(new CustomTokenPrincipal(usernameTokenType.getUsername().getValue()));
+
+ return response;
+ }
+
+}
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/008c8835/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
index b586a48..ff4eb32 100644
--- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/DoubleIt.wsdl
@@ -77,6 +77,9 @@
+
+
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/008c8835/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml
----------------------------------------------------------------------
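Review bot: validateToken marks every UsernameToken VALID without examining the password or any other credential, and nothing at class level says this is a systest fixture, while the class shares its simple name with the STS's real validator in `org.apache.cxf.sts.token.validator`; a reader of an sts config could mistake one for the other. Add a class Javadoc stating the intent, e.g. `/** Test-only TokenValidator for the renew systest: accepts any UsernameToken without checking credentials so the intermediary can request tokens on behalf of the named user. Not for use in a real STS deployment. */`. The `validateTarget.setState(STATE.INVALID);` followed unconditionally by `validateTarget.setState(STATE.VALID);` is a dead assignment; either drop the first or make the second conditional on the inline cast succeeding so the control flow matches what the comments describe. The three interface methods also lack `@Override`.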
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml index e6821f0..4e61494 100644 --- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client.xml @@ -96,7 +96,7 @@ - + @@ -122,6 +122,38 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + http://git-wip-us.apache.org/repos/asf/cxf/blob/008c8835/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml index 5ed8ac2..c60b8a9 100644 --- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-service.xml @@ -48,6 +48,12 @@ + + + + + + http://git-wip-us.apache.org/repos/asf/cxf/blob/008c8835/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml index ed4c5e3..21600a6 100644 --- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml @@ -24,6 +24,12 @@ + + + + + + @@ -35,6 +41,8 @@ + + 
@@ -55,6 +63,7 @@ +