cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/3] cxf git commit: Adding some OnBehalfOf/ActAs tests for JWT tokens
Date Tue, 10 Nov 2015 12:48:20 GMT
Adding some OnBehalfOf/ActAs tests for JWT tokens


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2df2ef20
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2df2ef20
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2df2ef20

Branch: refs/heads/master
Commit: 2df2ef2025e389f9c0cec16e84646e5e011ae724
Parents: 123616f
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Nov 10 12:12:17 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Nov 10 12:15:07 2015 +0000

----------------------------------------------------------------------
 .../sts/operation/IssueJWTClaimsUnitTest.java   | 108 ++--
 .../operation/IssueJWTOnbehalfofUnitTest.java   | 507 +++++++++++++++++++
 .../token/provider/JWTProviderActAsTest.java    | 196 +++++++
 .../provider/JWTProviderOnBehalfOfTest.java     | 196 +++++++
 4 files changed, 947 insertions(+), 60 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2df2ef20/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTClaimsUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTClaimsUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTClaimsUnitTest.java
index 5e92191..ab20e96 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTClaimsUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTClaimsUnitTest.java
@@ -77,7 +77,6 @@ import org.apache.cxf.ws.security.sts.provider.model.OnBehalfOfType;
 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType;
 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
-import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -283,14 +282,12 @@ public class IssueJWTClaimsUnitTest extends org.junit.Assert {
     }
     
     /**
-     * Test to successfully issue a SAML 2 token (realm "B") on-behalf-of a SAML 2 token
+     * Test to successfully issue a JWT token (realm "B") on-behalf-of a SAML 2 token
      * which was issued by realm "A".
      * The relationship type between realm A and B is: FederateClaims
-     * TODO
      */
     @org.junit.Test
-    @org.junit.Ignore
-    public void testIssueSaml2TokenOnBehalfOfSaml2DifferentRealmFederateClaims() 
+    public void testIssueJWTTokenOnBehalfOfSaml2DifferentRealmFederateClaims() 
         throws Exception {
         TokenIssueOperation issueOperation = new TokenIssueOperation();
         
@@ -298,13 +295,9 @@ public class IssueJWTClaimsUnitTest extends org.junit.Assert {
         
         // Add Token Provider
         List<TokenProvider> providerList = new ArrayList<TokenProvider>();
-        SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
-        samlTokenProvider.setRealmMap(realms);
-        List<AttributeStatementProvider> customProviderList = 
-            new ArrayList<AttributeStatementProvider>();
-        customProviderList.add(new ClaimsAttributeStatementProvider());
-        samlTokenProvider.setAttributeStatementProviders(customProviderList);
-        providerList.add(samlTokenProvider);
+        JWTTokenProvider tokenProvider = new JWTTokenProvider();
+        tokenProvider.setRealmMap(realms);
+        providerList.add(tokenProvider);
         issueOperation.setTokenProviders(providerList);
         
         TokenDelegationHandler delegationHandler = new SAMLDelegationHandler();
@@ -342,7 +335,7 @@ public class IssueJWTClaimsUnitTest extends org.junit.Assert {
         RequestSecurityTokenType request = new RequestSecurityTokenType();
         JAXBElement<String> tokenType = 
             new JAXBElement<String>(
-                QNameConstants.TOKEN_TYPE, String.class, WSConstants.WSS_SAML2_TOKEN_TYPE
+                QNameConstants.TOKEN_TYPE, String.class, JWTTokenProvider.JWT_TOKEN_TYPE
             );
         request.getAny().add(tokenType);
         
@@ -392,57 +385,55 @@ public class IssueJWTClaimsUnitTest extends org.junit.Assert {
         
         List<RequestSecurityTokenResponseType> securityTokenResponseList = issueToken(issueOperation,
                 request, webServiceContext);       
-        RequestSecurityTokenResponseType securityTokenResponse = securityTokenResponseList.get(0);
         
         // Test the generated token.
-        Element assertion = null;
-        for (Object tokenObject : securityTokenResponse.getAny()) {
-            if (tokenObject instanceof JAXBElement<?>
-                && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>)tokenObject).getName())) {
-                RequestedSecurityTokenType rstType = 
-                    (RequestedSecurityTokenType)((JAXBElement<?>)tokenObject).getValue();
-                assertion = (Element)rstType.getAny();
+        String jwtToken = null;
+        for (Object tokenObject : securityTokenResponseList.get(0).getAny()) {
+            if (tokenObject instanceof Element
+                && REQUESTED_SECURITY_TOKEN.getLocalPart().equals(((Element)tokenObject).getLocalName())
+                && REQUESTED_SECURITY_TOKEN.getNamespaceURI().equals(((Element)tokenObject).getNamespaceURI())) {
+                jwtToken = ((Element)tokenObject).getTextContent();
                 break;
             }
         }
-        assertNotNull(assertion);
-        String tokenString = DOM2Writer.nodeToString(assertion);
-        assertTrue(tokenString.contains("AttributeStatement"));
-        assertTrue(tokenString.contains("alice"));  //subject unchanged
-        assertTrue(tokenString.contains("DOE")); //transformed claim (to uppercase)
-        assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
+        
+        assertNotNull(jwtToken);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(jwtToken);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        // subject unchanged
+        Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+        // transformed claim (to uppercase)
+        assertEquals(jwt.getClaim(ClaimTypes.LASTNAME.toString()), "DOE");
     }
     
     /**
-     * Test to successfully issue a SAML 2 token (realm "B") on-behalf-of a SAML 2 token
+     * Test to successfully issue a JWT token (realm "B") on-behalf-of a SAML 2 token
      * which was issued by realm "A".
      * The relationship type between realm A and B is: FederateIdentity
      * IdentityMapper is configured globally in STSPropertiesMBean
-     * TODO
      */
     @org.junit.Test
-    @org.junit.Ignore
-    public void testIssueSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentityGlobalConfig()
+    public void testIssueJWTTokenOnBehalfOfSaml2DifferentRealmFederateIdentityGlobalConfig()
         throws Exception {
-        runIssueSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentity(true);
+        runIssueJWTTokenOnBehalfOfSaml2DifferentRealmFederateIdentity(true);
     }
     
     
     /**
-     * Test to successfully issue a SAML 2 token (realm "B") on-behalf-of a SAML 2 token
+     * Test to successfully issue a JWT token (realm "B") on-behalf-of a SAML 2 token
      * which was issued by realm "A".
      * The relationship type between realm A and B is: FederateIdentity
      * IdentityMapper is configured in the Relationship
-     * TODO
      */
     @org.junit.Test
-    @org.junit.Ignore
-    public void testIssueSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentityRelationshipConfig()
+    public void testIssueJWTTokenOnBehalfOfSaml2DifferentRealmFederateIdentityRelationshipConfig()
         throws Exception {
-        runIssueSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentity(false);
+        runIssueJWTTokenOnBehalfOfSaml2DifferentRealmFederateIdentity(false);
     }
 
-    private void runIssueSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentity(
+    private void runIssueJWTTokenOnBehalfOfSaml2DifferentRealmFederateIdentity(
             boolean useGlobalIdentityMapper) throws WSSecurityException {
         TokenIssueOperation issueOperation = new TokenIssueOperation();
         
@@ -450,13 +441,9 @@ public class IssueJWTClaimsUnitTest extends org.junit.Assert {
         
         // Add Token Provider
         List<TokenProvider> providerList = new ArrayList<TokenProvider>();
-        SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
-        samlTokenProvider.setRealmMap(realms);
-        List<AttributeStatementProvider> customProviderList = 
-            new ArrayList<AttributeStatementProvider>();
-        customProviderList.add(new ClaimsAttributeStatementProvider());
-        samlTokenProvider.setAttributeStatementProviders(customProviderList);
-        providerList.add(samlTokenProvider);
+        JWTTokenProvider tokenProvider = new JWTTokenProvider();
+        tokenProvider.setRealmMap(realms);
+        providerList.add(tokenProvider);
         issueOperation.setTokenProviders(providerList);
         
         TokenDelegationHandler delegationHandler = new SAMLDelegationHandler();
@@ -500,7 +487,7 @@ public class IssueJWTClaimsUnitTest extends org.junit.Assert {
         RequestSecurityTokenType request = new RequestSecurityTokenType();
         JAXBElement<String> tokenType = 
             new JAXBElement<String>(
-                QNameConstants.TOKEN_TYPE, String.class, WSConstants.WSS_SAML2_TOKEN_TYPE
+                QNameConstants.TOKEN_TYPE, String.class, JWTTokenProvider.JWT_TOKEN_TYPE
             );
         request.getAny().add(tokenType);
         
@@ -550,26 +537,27 @@ public class IssueJWTClaimsUnitTest extends org.junit.Assert {
         
         List<RequestSecurityTokenResponseType> securityTokenResponseList = issueToken(issueOperation,
                 request, webServiceContext);       
-        RequestSecurityTokenResponseType securityTokenResponse = securityTokenResponseList.get(0);
         
         // Test the generated token.
-        Element assertion = null;
-        for (Object tokenObject : securityTokenResponse.getAny()) {
-            if (tokenObject instanceof JAXBElement<?>
-                && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>)tokenObject).getName())) {
-                RequestedSecurityTokenType rstType = 
-                    (RequestedSecurityTokenType)((JAXBElement<?>)tokenObject).getValue();
-                assertion = (Element)rstType.getAny();
+        String jwtToken = null;
+        for (Object tokenObject : securityTokenResponseList.get(0).getAny()) {
+            if (tokenObject instanceof Element
+                && REQUESTED_SECURITY_TOKEN.getLocalPart().equals(((Element)tokenObject).getLocalName())
+                && REQUESTED_SECURITY_TOKEN.getNamespaceURI().equals(((Element)tokenObject).getNamespaceURI())) {
+                jwtToken = ((Element)tokenObject).getTextContent();
                 break;
             }
         }
         
-        assertNotNull(assertion);
-        String tokenString = DOM2Writer.nodeToString(assertion);
-        assertTrue(tokenString.contains("AttributeStatement"));
-        assertTrue(tokenString.contains("ALICE"));  //subject changed (to uppercase)
-        assertTrue(tokenString.contains("doe"));  //claim unchanged but requested
-        assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
+        assertNotNull(jwtToken);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(jwtToken);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        // subject changed (to uppercase)
+        Assert.assertEquals("ALICE", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+        // claim unchanged but requested
+        assertEquals(jwt.getClaim(ClaimTypes.LASTNAME.toString()), "doe");
     }
     
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2df2ef20/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTOnbehalfofUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTOnbehalfofUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTOnbehalfofUnitTest.java
new file mode 100644
index 0000000..dc2352f
--- /dev/null
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueJWTOnbehalfofUnitTest.java
@@ -0,0 +1,507 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.operation;
+
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.bind.JAXBElement;
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.jaxws.context.WebServiceContextImpl;
+import org.apache.cxf.jaxws.context.WrappedMessageContext;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.sts.QNameConstants;
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.STSPropertiesMBean;
+import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.common.PasswordCallbackHandler;
+import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.ReceivedKey;
+import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.service.ServiceMBean;
+import org.apache.cxf.sts.service.StaticService;
+import org.apache.cxf.sts.token.delegation.SAMLDelegationHandler;
+import org.apache.cxf.sts.token.delegation.TokenDelegationHandler;
+import org.apache.cxf.sts.token.delegation.UsernameTokenDelegationHandler;
+import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
+import org.apache.cxf.sts.token.provider.TokenProvider;
+import org.apache.cxf.sts.token.provider.TokenProviderParameters;
+import org.apache.cxf.sts.token.provider.TokenProviderResponse;
+import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
+import org.apache.cxf.sts.token.realm.RealmProperties;
+import org.apache.cxf.sts.token.validator.IssuerSAMLRealmCodec;
+import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
+import org.apache.cxf.sts.token.validator.TokenValidator;
+import org.apache.cxf.sts.token.validator.UsernameTokenValidator;
+import org.apache.cxf.ws.security.sts.provider.STSException;
+import org.apache.cxf.ws.security.sts.provider.model.OnBehalfOfType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
+import org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString;
+import org.apache.cxf.ws.security.sts.provider.model.secext.PasswordString;
+import org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.principal.CustomTokenPrincipal;
+import org.apache.wss4j.dom.WSConstants;
+import org.junit.Assert;
+
+/**
+ * Issue JWT tokens on behalf of other tokens.
+ */
+public class IssueJWTOnbehalfofUnitTest extends org.junit.Assert {
+
+    public static final QName REQUESTED_SECURITY_TOKEN = 
+        QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(null).getName();
+    
+    /**
+     * Test to successfully issue a JWT token on-behalf-of a SAML 2 token
+     */
+    @org.junit.Test
+    public void testIssueJWTTokenOnBehalfOfSaml2() throws Exception {
+        TokenIssueOperation issueOperation = new TokenIssueOperation();
+
+        // Add Token Provider
+        List<TokenProvider> providerList = new ArrayList<TokenProvider>();
+        providerList.add(new JWTTokenProvider());
+        issueOperation.setTokenProviders(providerList);
+        
+        // Add Token Validator
+        List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
+        validatorList.add(new SAMLTokenValidator());
+        issueOperation.setTokenValidators(validatorList);
+
+        // Add Service
+        ServiceMBean service = new StaticService();
+        service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
+        issueOperation.setServices(Collections.singletonList(service));
+
+        // Add STSProperties object
+        STSPropertiesMBean stsProperties = new StaticSTSProperties();
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        stsProperties.setEncryptionCrypto(crypto);
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setEncryptionUsername("myservicekey");
+        stsProperties.setSignatureUsername("mystskey");
+        stsProperties.setCallbackHandler(new PasswordCallbackHandler());
+        stsProperties.setIssuer("STS");
+        issueOperation.setStsProperties(stsProperties);
+        
+        TokenDelegationHandler delegationHandler = new SAMLDelegationHandler();
+        issueOperation.setDelegationHandlers(Collections.singletonList(delegationHandler));
+
+        // Mock up a request
+        RequestSecurityTokenType request = new RequestSecurityTokenType();
+        JAXBElement<String> tokenType = 
+            new JAXBElement<String>(
+                    QNameConstants.TOKEN_TYPE, String.class, JWTTokenProvider.JWT_TOKEN_TYPE
+            );
+        request.getAny().add(tokenType);
+
+        // Get a SAML Token via the SAMLTokenProvider
+        CallbackHandler callbackHandler = new PasswordCallbackHandler();
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
+        Document doc = samlToken.getOwnerDocument();
+        samlToken = (Element)doc.appendChild(samlToken);
+        OnBehalfOfType onbehalfof = new OnBehalfOfType();
+        onbehalfof.setAny(samlToken);
+
+        JAXBElement<OnBehalfOfType> onbehalfofType = 
+            new JAXBElement<OnBehalfOfType>(
+                    QNameConstants.ON_BEHALF_OF, OnBehalfOfType.class, onbehalfof
+            );
+        request.getAny().add(onbehalfofType);
+        
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+
+        // Issue a token
+        RequestSecurityTokenResponseCollectionType response = 
+            issueOperation.issue(request, webServiceContext);
+        List<RequestSecurityTokenResponseType> securityTokenResponse = 
+            response.getRequestSecurityTokenResponse();
+        assertTrue(!securityTokenResponse.isEmpty());
+        
+        // Test the generated token.
+        String jwtToken = null;
+        for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
+            if (tokenObject instanceof Element
+                && REQUESTED_SECURITY_TOKEN.getLocalPart().equals(((Element)tokenObject).getLocalName())
+                && REQUESTED_SECURITY_TOKEN.getNamespaceURI().equals(((Element)tokenObject).getNamespaceURI())) {
+                jwtToken = ((Element)tokenObject).getTextContent();
+                break;
+            }
+        }
+        
+        assertNotNull(jwtToken);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(jwtToken);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+    }
+    
+    /**
+     * Test to successfully issue a JWT token on-behalf-of a UsernameToken
+     */
+    @org.junit.Test
+    public void testIssueJWTTokenOnBehalfOfUsernameToken() throws Exception {
+        TokenIssueOperation issueOperation = new TokenIssueOperation();
+
+        // Add Token Provider
+        List<TokenProvider> providerList = new ArrayList<TokenProvider>();
+        providerList.add(new JWTTokenProvider());
+        issueOperation.setTokenProviders(providerList);
+        
+        // Add Token Validator
+        List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
+        validatorList.add(new UsernameTokenValidator());
+        issueOperation.setTokenValidators(validatorList);
+
+        // Add Service
+        ServiceMBean service = new StaticService();
+        service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
+        issueOperation.setServices(Collections.singletonList(service));
+
+        // Add STSProperties object
+        STSPropertiesMBean stsProperties = new StaticSTSProperties();
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        stsProperties.setEncryptionCrypto(crypto);
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setEncryptionUsername("myservicekey");
+        stsProperties.setSignatureUsername("mystskey");
+        stsProperties.setCallbackHandler(new PasswordCallbackHandler());
+        stsProperties.setIssuer("STS");
+        issueOperation.setStsProperties(stsProperties);
+
+        // Mock up a request
+        RequestSecurityTokenType request = new RequestSecurityTokenType();
+        JAXBElement<String> tokenType = 
+            new JAXBElement<String>(
+                    QNameConstants.TOKEN_TYPE, String.class, JWTTokenProvider.JWT_TOKEN_TYPE
+            );
+        request.getAny().add(tokenType);
+
+        
+        // Create a UsernameToken
+        JAXBElement<UsernameTokenType> usernameTokenType = createUsernameToken("alice", "clarinet");
+        OnBehalfOfType onbehalfof = new OnBehalfOfType();
+        onbehalfof.setAny(usernameTokenType);
+        
+        JAXBElement<OnBehalfOfType> onbehalfofType = 
+            new JAXBElement<OnBehalfOfType>(
+                    QNameConstants.ON_BEHALF_OF, OnBehalfOfType.class, onbehalfof
+            );
+        request.getAny().add(onbehalfofType);
+        
+
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+
+        // Issue a token
+        
+        // This should fail as the default DelegationHandler does not allow UsernameTokens
+        try {
+            issueOperation.issue(request, webServiceContext);
+            fail("Failure expected as UsernameTokens are not accepted for OnBehalfOf by default");
+        } catch (STSException ex) {
+            // expected
+        }
+        
+        TokenDelegationHandler delegationHandler = new UsernameTokenDelegationHandler();
+        issueOperation.setDelegationHandlers(Collections.singletonList(delegationHandler));
+        
+        RequestSecurityTokenResponseCollectionType response = 
+            issueOperation.issue(request, webServiceContext);
+        List<RequestSecurityTokenResponseType> securityTokenResponse = 
+            response.getRequestSecurityTokenResponse();
+        assertTrue(!securityTokenResponse.isEmpty());
+        
+        // Test the generated token.
+        String jwtToken = null;
+        for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
+            if (tokenObject instanceof Element
+                && REQUESTED_SECURITY_TOKEN.getLocalPart().equals(((Element)tokenObject).getLocalName())
+                && REQUESTED_SECURITY_TOKEN.getNamespaceURI().equals(((Element)tokenObject).getNamespaceURI())) {
+                jwtToken = ((Element)tokenObject).getTextContent();
+                break;
+            }
+        }
+        
+        assertNotNull(jwtToken);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(jwtToken);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+    }
+    
+    /**
+     * Test to successfully issue a JWT Token (realm "B") on-behalf-of a SAML 2 token
+     * on-behalf-of token issued by realm "A".
+     */
+    @org.junit.Test
+    public void testIssueJWTTokenOnBehalfOfSaml2DifferentRealm() throws Exception {
+        TokenIssueOperation issueOperation = new TokenIssueOperation();
+        
+        // Add Token Provider
+        List<TokenProvider> providerList = new ArrayList<TokenProvider>();
+        JWTTokenProvider tokenProvider = new JWTTokenProvider();
+        providerList.add(tokenProvider);
+        issueOperation.setTokenProviders(providerList);
+        
+        TokenDelegationHandler delegationHandler = new SAMLDelegationHandler();
+        issueOperation.setDelegationHandlers(Collections.singletonList(delegationHandler));
+        
+        // Add Token Validator
+        List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
+        SAMLTokenValidator samlTokenValidator = new SAMLTokenValidator();
+        samlTokenValidator.setSamlRealmCodec(new IssuerSAMLRealmCodec());
+        validatorList.add(samlTokenValidator);
+        issueOperation.setTokenValidators(validatorList);
+
+        // Add Service
+        ServiceMBean service = new StaticService();
+        service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
+        issueOperation.setServices(Collections.singletonList(service));
+        
+        // Add STSProperties object
+        STSPropertiesMBean stsProperties = new StaticSTSProperties();
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        stsProperties.setEncryptionCrypto(crypto);
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setEncryptionUsername("myservicekey");
+        stsProperties.setSignatureUsername("mystskey");
+        stsProperties.setCallbackHandler(new PasswordCallbackHandler());
+        stsProperties.setIssuer("STS");
+        stsProperties.setRealmParser(new CustomRealmParser());
+        stsProperties.setIdentityMapper(new CustomIdentityMapper());
+        issueOperation.setStsProperties(stsProperties);
+        
+        Map<String, RealmProperties> realms = createSamlRealms();
+        
+        // Mock up a request
+        RequestSecurityTokenType request = new RequestSecurityTokenType();
+        JAXBElement<String> tokenType = 
+            new JAXBElement<String>(
+                QNameConstants.TOKEN_TYPE, String.class, JWTTokenProvider.JWT_TOKEN_TYPE
+            );
+        request.getAny().add(tokenType);
+        
+        // Get a SAML Token via the SAMLTokenProvider
+        CallbackHandler callbackHandler = new PasswordCallbackHandler();
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey",
+                    callbackHandler, realms, STSConstants.BEARER_KEY_KEYTYPE);
+        Document doc = samlToken.getOwnerDocument();
+        samlToken = (Element)doc.appendChild(samlToken);
+        OnBehalfOfType onbehalfof = new OnBehalfOfType();
+        onbehalfof.setAny(samlToken);
+
+        JAXBElement<OnBehalfOfType> onbehalfofType = 
+            new JAXBElement<OnBehalfOfType>(
+                    QNameConstants.ON_BEHALF_OF, OnBehalfOfType.class, onbehalfof
+            );
+        request.getAny().add(onbehalfofType);
+        
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        msgCtx.put("url", "https");
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+        
+        tokenProvider.setRealmMap(realms);
+        
+        RequestSecurityTokenResponseCollectionType response = 
+            issueOperation.issue(request, webServiceContext);
+        List<RequestSecurityTokenResponseType> securityTokenResponse = 
+            response.getRequestSecurityTokenResponse();
+        assertTrue(!securityTokenResponse.isEmpty());
+        
+        // Test the generated token.
+        String jwtToken = null;
+        for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
+            if (tokenObject instanceof Element
+                && REQUESTED_SECURITY_TOKEN.getLocalPart().equals(((Element)tokenObject).getLocalName())
+                && REQUESTED_SECURITY_TOKEN.getNamespaceURI().equals(((Element)tokenObject).getNamespaceURI())) {
+                jwtToken = ((Element)tokenObject).getTextContent();
+                break;
+            }
+        }
+        
+        assertNotNull(jwtToken);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(jwtToken);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        Assert.assertEquals("ALICE", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+    }
+    
+    /*
+     * Mock up an SAML assertion element
+     */
+    private Element createSAMLAssertion(
+            String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler
+    ) throws WSSecurityException {
+        return createSAMLAssertion(tokenType, crypto, signatureUsername, 
+                                   callbackHandler, null, STSConstants.BEARER_KEY_KEYTYPE);
+    }
+
+    /*
+     * Mock up an SAML assertion element
+     */
+    private Element createSAMLAssertion(
+            String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler,
+            Map<String, RealmProperties> realms, String keyType
+    ) throws WSSecurityException {
+        SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
+        samlTokenProvider.setRealmMap(realms);
+
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                    tokenType, keyType, crypto, signatureUsername, callbackHandler
+            );
+        if (realms != null) {
+            providerParameters.setRealm("A");
+        }
+        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+        return (Element)providerResponse.getToken();
+    }
+
+    private TokenProviderParameters createProviderParameters(
+            String tokenType, String keyType, Crypto crypto, 
+            String signatureUsername, CallbackHandler callbackHandler
+    ) throws WSSecurityException {
+        TokenProviderParameters parameters = new TokenProviderParameters();
+
+        TokenRequirements tokenRequirements = new TokenRequirements();
+        tokenRequirements.setTokenType(tokenType);
+        parameters.setTokenRequirements(tokenRequirements);
+
+        KeyRequirements keyRequirements = new KeyRequirements();
+        keyRequirements.setKeyType(keyType);
+        
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("myclientkey");
+        X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
+        ReceivedKey receivedKey = new ReceivedKey();
+        receivedKey.setX509Cert(certs[0]);
+        keyRequirements.setReceivedKey(receivedKey);
+        
+        parameters.setKeyRequirements(keyRequirements);
+
+        parameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+        parameters.setWebServiceContext(webServiceContext);
+
+        parameters.setAppliesToAddress("http://dummy-service.com/dummy");
+
+        // Add STSProperties object
+        StaticSTSProperties stsProperties = new StaticSTSProperties();
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setSignatureUsername(signatureUsername);
+        stsProperties.setCallbackHandler(callbackHandler);
+        stsProperties.setIssuer("STS");
+        stsProperties.setEncryptionUsername("myservicekey");
+        stsProperties.setEncryptionCrypto(crypto);
+        parameters.setStsProperties(stsProperties);
+
+        parameters.setEncryptionProperties(new EncryptionProperties());
+
+        return parameters;
+    }
+
+    private JAXBElement<UsernameTokenType> createUsernameToken(String name, String password) {
+        UsernameTokenType usernameToken = new UsernameTokenType();
+        AttributedString username = new AttributedString();
+        username.setValue(name);
+        usernameToken.setUsername(username);
+
+        // Add a password
+        if (password != null) {
+            PasswordString passwordString = new PasswordString();
+            passwordString.setValue(password);
+            passwordString.setType(WSConstants.PASSWORD_TEXT);
+            JAXBElement<PasswordString> passwordType = 
+                new JAXBElement<PasswordString>(
+                        QNameConstants.PASSWORD, PasswordString.class, passwordString
+                );
+            usernameToken.getAny().add(passwordType);
+        }
+
+        JAXBElement<UsernameTokenType> tokenType = 
+            new JAXBElement<UsernameTokenType>(
+                    QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken
+            );
+
+        return tokenType;
+    }
+
+    private Map<String, RealmProperties> createSamlRealms() {
+        // Create Realms
+        Map<String, RealmProperties> samlRealms = new HashMap<String, RealmProperties>();
+        RealmProperties samlRealm = new RealmProperties();
+        samlRealm.setIssuer("A-Issuer");
+        samlRealms.put("A", samlRealm);
+        samlRealm = new RealmProperties();
+        samlRealm.setIssuer("B-Issuer");
+        samlRealms.put("B", samlRealm);
+        return samlRealms;
+    }
+
+    private Properties getEncryptionProperties() {
+        Properties properties = new Properties();
+        properties.put(
+                "org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin"
+        );
+        properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "stsspass");
+        properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "stsstore.jks");
+
+        return properties;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/2df2ef20/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderActAsTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderActAsTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderActAsTest.java
new file mode 100644
index 0000000..9e0fcd6
--- /dev/null
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderActAsTest.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.token.provider;
+
+import java.util.Properties;
+
+import javax.xml.bind.JAXBElement;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.jaxws.context.WebServiceContextImpl;
+import org.apache.cxf.jaxws.context.WrappedMessageContext;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.sts.QNameConstants;
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.common.PasswordCallbackHandler;
+import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.ReceivedToken;
+import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
+import org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString;
+import org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.principal.CustomTokenPrincipal;
+import org.apache.wss4j.dom.WSConstants;
+import org.junit.Assert;
+
+/**
+ * Some unit tests for creating JWT Tokens with an ActAs element.
+ */
+public class JWTProviderActAsTest extends org.junit.Assert {
+    
+    /**
+     * Create a JWT Token with ActAs from a UsernameToken
+     */
+    @org.junit.Test
+    public void testJWTActAsUsernameToken() throws Exception {
+        TokenProvider tokenProvider = new JWTTokenProvider();
+        
+        UsernameTokenType usernameToken = new UsernameTokenType();
+        AttributedString username = new AttributedString();
+        username.setValue("bob");
+        usernameToken.setUsername(username);
+        JAXBElement<UsernameTokenType> usernameTokenType = 
+            new JAXBElement<UsernameTokenType>(
+                QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken
+            );
+        
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                JWTTokenProvider.JWT_TOKEN_TYPE, usernameTokenType
+            );
+        //Principal must be set in ReceivedToken/ActAs
+        providerParameters.getTokenRequirements().getActAs().setPrincipal(
+                new CustomTokenPrincipal(username.getValue()));
+        
+        assertTrue(tokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = tokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+        
+        String token = (String)providerResponse.getToken();
+        assertNotNull(token);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        Assert.assertEquals("bob", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+    }
+    
+    /**
+     * Create a JWT Token with ActAs from a SAML Assertion
+     */
+    @org.junit.Test
+    public void testJWTActAsAssertion() throws Exception {
+        TokenProvider tokenProvider = new JWTTokenProvider();
+        
+        String user = "alice";
+        Element saml1Assertion = getSAMLAssertion(user);
+        
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                JWTTokenProvider.JWT_TOKEN_TYPE, saml1Assertion
+            );
+        //Principal must be set in ReceivedToken/ActAs
+        providerParameters.getTokenRequirements().getActAs().setPrincipal(
+                new CustomTokenPrincipal(user));
+        
+        assertTrue(tokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = tokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+        
+        String token = (String)providerResponse.getToken();
+        assertNotNull(token);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        Assert.assertEquals(user, jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+    }
+    
+    private Element getSAMLAssertion(String user) throws Exception {
+        TokenProvider samlTokenProvider = new SAMLTokenProvider();
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(WSConstants.WSS_SAML_TOKEN_TYPE, null);
+        providerParameters.getKeyRequirements().setKeyType(STSConstants.BEARER_KEY_KEYTYPE);
+        providerParameters.setPrincipal(new CustomTokenPrincipal(user));
+        assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+        return (Element)providerResponse.getToken();
+    }
+
+    private TokenProviderParameters createProviderParameters(
+        String tokenType, Object actAs
+    ) throws WSSecurityException {
+        TokenProviderParameters parameters = new TokenProviderParameters();
+        
+        TokenRequirements tokenRequirements = new TokenRequirements();
+        tokenRequirements.setTokenType(tokenType);
+        
+        if (actAs != null) {
+            ReceivedToken actAsToken = new ReceivedToken(actAs);
+            actAsToken.setState(STATE.VALID);
+            tokenRequirements.setActAs(actAsToken);
+            
+        }
+        parameters.setTokenRequirements(tokenRequirements);
+        
+        KeyRequirements keyRequirements = new KeyRequirements();
+        parameters.setKeyRequirements(keyRequirements);
+        
+        parameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+        parameters.setWebServiceContext(webServiceContext);
+        
+        parameters.setAppliesToAddress("http://dummy-service.com/dummy");
+        
+        // Add STSProperties object
+        StaticSTSProperties stsProperties = new StaticSTSProperties();
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setSignatureUsername("mystskey");
+        stsProperties.setCallbackHandler(new PasswordCallbackHandler());
+        stsProperties.setIssuer("STS");
+        parameters.setStsProperties(stsProperties);
+        
+        parameters.setEncryptionProperties(new EncryptionProperties());
+        
+        return parameters;
+    }
+    
+    private Properties getEncryptionProperties() {
+        Properties properties = new Properties();
+        properties.put(
+            "org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin"
+        );
+        properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "stsspass");
+        properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "stsstore.jks");
+        
+        return properties;
+    }
+    
+  
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/2df2ef20/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderOnBehalfOfTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderOnBehalfOfTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderOnBehalfOfTest.java
new file mode 100644
index 0000000..265b48c
--- /dev/null
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderOnBehalfOfTest.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.token.provider;
+
+import java.util.Properties;
+
+import javax.xml.bind.JAXBElement;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.jaxws.context.WebServiceContextImpl;
+import org.apache.cxf.jaxws.context.WrappedMessageContext;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.sts.QNameConstants;
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.common.PasswordCallbackHandler;
+import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.ReceivedToken;
+import org.apache.cxf.sts.request.ReceivedToken.STATE;
+import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
+import org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString;
+import org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.principal.CustomTokenPrincipal;
+import org.apache.wss4j.dom.WSConstants;
+import org.junit.Assert;
+
+/**
+ * Some unit tests for creating JWT Tokens with an OnBehalfOf element.
+ */
+public class JWTProviderOnBehalfOfTest extends org.junit.Assert {
+    
+    /**
+     * Create a JWT Token with OnBehalfOf from a UsernameToken
+     */
+    @org.junit.Test
+    public void testJWTOnBehalfOfUsernameToken() throws Exception {
+        TokenProvider tokenProvider = new JWTTokenProvider();
+        
+        UsernameTokenType usernameToken = new UsernameTokenType();
+        AttributedString username = new AttributedString();
+        username.setValue("bob");
+        usernameToken.setUsername(username);
+        JAXBElement<UsernameTokenType> usernameTokenType = 
+            new JAXBElement<UsernameTokenType>(
+                QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken
+            );
+        
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                JWTTokenProvider.JWT_TOKEN_TYPE, usernameTokenType
+            );
+        //Principal must be set in ReceivedToken/OnBehalfOf
+        providerParameters.getTokenRequirements().getOnBehalfOf().setPrincipal(
+                new CustomTokenPrincipal(username.getValue()));
+        
+        assertTrue(tokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = tokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+        
+        String token = (String)providerResponse.getToken();
+        assertNotNull(token);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        Assert.assertEquals("bob", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+    }
+    
+    /**
+     * Create a JWT Token with OnBehalfOf from a SAML Assertion
+     */
+    @org.junit.Test
+    public void testJWTOnBehalfOfAssertion() throws Exception {
+        TokenProvider tokenProvider = new JWTTokenProvider();
+        
+        String user = "alice";
+        Element saml1Assertion = getSAMLAssertion(user);
+        
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                JWTTokenProvider.JWT_TOKEN_TYPE, saml1Assertion
+            );
+        //Principal must be set in ReceivedToken/OnBehalfOf
+        providerParameters.getTokenRequirements().getOnBehalfOf().setPrincipal(
+                new CustomTokenPrincipal(user));
+        
+        assertTrue(tokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = tokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+        
+        String token = (String)providerResponse.getToken();
+        assertNotNull(token);
+        
+        // Validate the token
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        Assert.assertEquals(user, jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+    }
+    
+    private Element getSAMLAssertion(String user) throws Exception {
+        TokenProvider samlTokenProvider = new SAMLTokenProvider();
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(WSConstants.WSS_SAML_TOKEN_TYPE, null);
+        providerParameters.getKeyRequirements().setKeyType(STSConstants.BEARER_KEY_KEYTYPE);
+        providerParameters.setPrincipal(new CustomTokenPrincipal(user));
+        assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+        return (Element)providerResponse.getToken();
+    }
+
+    private TokenProviderParameters createProviderParameters(
+        String tokenType, Object onBehalfOf
+    ) throws WSSecurityException {
+        TokenProviderParameters parameters = new TokenProviderParameters();
+        
+        TokenRequirements tokenRequirements = new TokenRequirements();
+        tokenRequirements.setTokenType(tokenType);
+        
+        if (onBehalfOf != null) {
+            ReceivedToken onBehalfOfToken = new ReceivedToken(onBehalfOf);
+            onBehalfOfToken.setState(STATE.VALID);
+            tokenRequirements.setOnBehalfOf(onBehalfOfToken);
+            
+        }
+        parameters.setTokenRequirements(tokenRequirements);
+        
+        KeyRequirements keyRequirements = new KeyRequirements();
+        parameters.setKeyRequirements(keyRequirements);
+        
+        parameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+        parameters.setWebServiceContext(webServiceContext);
+        
+        parameters.setAppliesToAddress("http://dummy-service.com/dummy");
+        
+        // Add STSProperties object
+        StaticSTSProperties stsProperties = new StaticSTSProperties();
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setSignatureUsername("mystskey");
+        stsProperties.setCallbackHandler(new PasswordCallbackHandler());
+        stsProperties.setIssuer("STS");
+        parameters.setStsProperties(stsProperties);
+        
+        parameters.setEncryptionProperties(new EncryptionProperties());
+        
+        return parameters;
+    }
+    
+    private Properties getEncryptionProperties() {
+        Properties properties = new Properties();
+        properties.put(
+            "org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin"
+        );
+        properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "stsspass");
+        properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "stsstore.jks");
+        
+        return properties;
+    }
+    
+  
+    
+}


Mime
View raw message