Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cxf.apache.org
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: coheigea@apache.org
To: commits@cxf.apache.org
Message-Id: <9ae2b4101d794b5d8f1d5602c0219a64@git.apache.org>
Subject: cxf git commit: Adding some negative tests for the SAML OAuth Grant
Date: Wed,  9 Dec 2015 11:36:38 +0000 (UTC)

Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes ca1d759d9 -> 23fa55ff6


Adding some negative tests for the SAML OAuth Grant


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/23fa55ff
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/23fa55ff
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/23fa55ff

Branch: refs/heads/3.0.x-fixes
Commit: 23fa55ff62dad96fcaecb53ea32557136164d63e
Parents: ca1d759
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Dec 9 11:27:58 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Dec 9 11:33:18 2015 +0000

----------------------------------------------------------------------
 .../security/oauth2/SamlCallbackHandler.java    |  53 ++-
 .../grants/AuthorizationGrantNegativeTest.java  | 345 +++++++++++++++++++
 .../oauth2/grants/AuthorizationGrantTest.java   |   4 +-
 .../grants/BookServerOAuth2GrantsNegative.java  |  48 +++
 .../oauth2/grants/grants-negative-server.xml    | 142 ++++++++
 .../systest/jaxrs/security/smallkey.properties  |  21 ++
 6 files changed, 606 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/23fa55ff/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
index dbd9eb8..f383c1e 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
@@ -58,6 +58,10 @@ public class SamlCallbackHandler implements CallbackHandler {
     private boolean signAssertion = true;
     private String issuer = "resourceOwner";
     private String audience = "https://localhost:" + PORT + "/oauth2/token";
+    private boolean saml2 = true;
+    private String cryptoPropertiesFile = "org/apache/cxf/systest/jaxrs/security/alice.properties";
+    private String issuerKeyName = "alice";
+    private String issuerKeyPassword = "password";
 
     public SamlCallbackHandler(boolean signAssertion) {
         this.signAssertion = signAssertion;
@@ -69,7 +73,11 @@ public class SamlCallbackHandler implements CallbackHandler {
         for (int i = 0; i < callbacks.length; i++) {
             if (callbacks[i] instanceof SAMLCallback) {
                 SAMLCallback callback = (SAMLCallback) callbacks[i];
-                callback.setSamlVersion(Version.SAML_20);
+                if (saml2) {
+                    callback.setSamlVersion(Version.SAML_20);
+                } else {
+                    callback.setSamlVersion(Version.SAML_11);
+                }
                 callback.setIssuer(issuer);
                 
                 String subjectName = m != null ? (String)m.getContextualProperty("saml.subject.name") : null;
@@ -94,6 +102,8 @@ public class SamlCallbackHandler implements CallbackHandler {
                 AuthDecisionStatementBean authDecBean = new AuthDecisionStatementBean();
                 authDecBean.setDecision(Decision.INDETERMINATE);
                 authDecBean.setResource("https://sp.example.com/SAML2");
+                authDecBean.setSubject(subjectBean);
+                
                 ActionBean actionBean = new ActionBean();
                 actionBean.setContents("Read");
                 authDecBean.setActions(Collections.singletonList(actionBean));
@@ -103,6 +113,8 @@ public class SamlCallbackHandler implements CallbackHandler {
                 authBean.setSubject(subjectBean);
                 authBean.setAuthenticationInstant(new DateTime());
                 authBean.setSessionIndex("123456");
+                authBean.setSubject(subjectBean);
+                
                 // AuthnContextClassRef is not set
                 authBean.setAuthenticationMethod(
                         "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
@@ -143,11 +155,10 @@ public class SamlCallbackHandler implements CallbackHandler {
                 
                 if (signAssertion) {
                     try {
-                        Crypto crypto = 
-                            CryptoFactory.getInstance("org/apache/cxf/systest/jaxrs/security/alice.properties");
+                        Crypto crypto = CryptoFactory.getInstance(cryptoPropertiesFile);
                         callback.setIssuerCrypto(crypto);
-                        callback.setIssuerKeyName("alice");
-                        callback.setIssuerKeyPassword("password");
+                        callback.setIssuerKeyName(issuerKeyName);
+                        callback.setIssuerKeyPassword(issuerKeyPassword);
                         callback.setSignAssertion(true);
                     } catch (WSSecurityException e) {
                         throw new IOException(e);
@@ -157,6 +168,30 @@ public class SamlCallbackHandler implements CallbackHandler {
         }
     }
     
+    public String getCryptoPropertiesFile() {
+        return cryptoPropertiesFile;
+    }
+
+    public void setCryptoPropertiesFile(String cryptoPropertiesFile) {
+        this.cryptoPropertiesFile = cryptoPropertiesFile;
+    }
+
+    public String getIssuerKeyName() {
+        return issuerKeyName;
+    }
+
+    public void setIssuerKeyName(String issuerKeyName) {
+        this.issuerKeyName = issuerKeyName;
+    }
+
+    public String getIssuerKeyPassword() {
+        return issuerKeyPassword;
+    }
+
+    public void setIssuerKeyPassword(String issuerKeyPassword) {
+        this.issuerKeyPassword = issuerKeyPassword;
+    }
+
     public String getIssuer() {
         return issuer;
     }
@@ -177,4 +212,12 @@ public class SamlCallbackHandler implements CallbackHandler {
         this.confirmationMethod = confMethod;
     }
     
+    public boolean isSaml2() {
+        return saml2;
+    }
+
+    public void setSaml2(boolean saml2) {
+        this.saml2 = saml2;
+    }
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/23fa55ff/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
new file mode 100644
index 0000000..09c0cb1
--- /dev/null
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
@@ -0,0 +1,345 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.oauth2.grants;
+
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.ws.rs.core.Form;
+import javax.ws.rs.core.Response;
+
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.jaxrs.provider.json.JSONProvider;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider;
+import org.apache.cxf.systest.jaxrs.security.oauth2.SamlCallbackHandler;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.junit.BeforeClass;
+
+/**
+ * Some (negative) tests for various authorization grants.
+ */
+public class AuthorizationGrantNegativeTest extends AbstractBusClientServerTestBase {
+    public static final String PORT = BookServerOAuth2GrantsNegative.PORT;
+    
+    @BeforeClass
+    public static void startServers() throws Exception {
+        assertTrue("server did not launch correctly", 
+                   launchServer(BookServerOAuth2GrantsNegative.class, true));
+    }
+
+    //
+    // SAML Authorization grants
+    //
+    
+    @org.junit.Test
+    public void testSAML11() throws Exception {
+        URL busFile = AuthorizationGrantNegativeTest.class.getResource("client.xml");
+        
+        String address = "https://localhost:" + PORT + "/services/";
+        WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
+        
+        // Create the SAML Assertion
+        String assertion = createToken(address + "token", false, true);
+
+        // Get Access Token
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+        
+        Form form = new Form();
+        form.param("grant_type", "urn:ietf:params:oauth:grant-type:saml2-bearer");
+        form.param("assertion", Base64UrlUtility.encode(assertion));
+        form.param("client_id", "consumer-id");
+        
+        try {
+            Response response = client.post(form);
+            response.readEntity(ClientAccessToken.class);
+            fail("Failure expected on a SAML 1.1 assertion");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @org.junit.Test
+    public void testSAMLAudRestr() throws Exception {
+        URL busFile = AuthorizationGrantNegativeTest.class.getResource("client.xml");
+        
+        String address = "https://localhost:" + PORT + "/services/";
+        WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
+        
+        // Create the SAML Assertion
+        String assertion = createToken(address + "token2", true, true);
+
+        // Get Access Token
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+        
+        Form form = new Form();
+        form.param("grant_type", "urn:ietf:params:oauth:grant-type:saml2-bearer");
+        form.param("assertion", Base64UrlUtility.encode(assertion));
+        form.param("client_id", "consumer-id");
+        
+        try {
+            Response response = client.post(form);
+            response.readEntity(ClientAccessToken.class);
+            fail("Failure expected on a bad audience restriction");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @org.junit.Test
+    public void testSAMLUnsigned() throws Exception {
+        URL busFile = AuthorizationGrantNegativeTest.class.getResource("client.xml");
+        
+        String address = "https://localhost:" + PORT + "/services/";
+        WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
+        
+        // Create the SAML Assertion
+        String assertion = createToken(address + "token", true, false);
+
+        // Get Access Token
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+        
+        Form form = new Form();
+        form.param("grant_type", "urn:ietf:params:oauth:grant-type:saml2-bearer");
+        form.param("assertion", Base64UrlUtility.encode(assertion));
+        form.param("client_id", "consumer-id");
+        
+        try {
+            Response response = client.post(form);
+            response.readEntity(ClientAccessToken.class);
+            fail("Failure expected on an unsigned assertion");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
+    public void testSAMLHolderOfKey() throws Exception {
+        URL busFile = AuthorizationGrantNegativeTest.class.getResource("client.xml");
+        
+        String address = "https://localhost:" + PORT + "/services/";
+        WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
+        
+        // Create the SAML Assertion
+        SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(true);
+        samlCallbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        samlCallbackHandler.setAudience(address + "token");
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
+
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+        samlAssertion.signAssertion(
+            samlCallback.getIssuerKeyName(),
+            samlCallback.getIssuerKeyPassword(),
+            samlCallback.getIssuerCrypto(),
+            samlCallback.isSendKeyValue(),
+            samlCallback.getCanonicalizationAlgorithm(),
+            samlCallback.getSignatureAlgorithm()
+        );
+        String assertion = samlAssertion.assertionToString();
+
+        // Get Access Token
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+        
+        Form form = new Form();
+        form.param("grant_type", "urn:ietf:params:oauth:grant-type:saml2-bearer");
+        form.param("assertion", Base64UrlUtility.encode(assertion));
+        form.param("client_id", "consumer-id");
+        
+        try {
+            Response response = client.post(form);
+            response.readEntity(ClientAccessToken.class);
+            fail("Failure expected on an incorrect subject confirmation method");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @org.junit.Test
+    public void testSAMLUnauthenticatedSignature() throws Exception {
+        URL busFile = AuthorizationGrantNegativeTest.class.getResource("client.xml");
+        
+        String address = "https://localhost:" + PORT + "/services/";
+        WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
+        
+        // Create the SAML Assertion
+        SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(true);
+        samlCallbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        samlCallbackHandler.setAudience(address + "token");
+        samlCallbackHandler.setIssuerKeyName("smallkey");
+        samlCallbackHandler.setIssuerKeyPassword("security");
+        samlCallbackHandler.setCryptoPropertiesFile("org/apache/cxf/systest/jaxrs/security/smallkey.properties");
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
+
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+        samlAssertion.signAssertion(
+            samlCallback.getIssuerKeyName(),
+            samlCallback.getIssuerKeyPassword(),
+            samlCallback.getIssuerCrypto(),
+            samlCallback.isSendKeyValue(),
+            samlCallback.getCanonicalizationAlgorithm(),
+            samlCallback.getSignatureAlgorithm()
+        );
+        String assertion = samlAssertion.assertionToString();
+
+        // Get Access Token
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+        
+        Form form = new Form();
+        form.param("grant_type", "urn:ietf:params:oauth:grant-type:saml2-bearer");
+        form.param("assertion", Base64UrlUtility.encode(assertion));
+        form.param("client_id", "consumer-id");
+        
+        try {
+            Response response = client.post(form);
+            response.readEntity(ClientAccessToken.class);
+            fail("Failure expected on an incorrect subject confirmation method");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    /*
+    @org.junit.Test
+    public void testJWTAuthorizationGrant() throws Exception {
+        URL busFile = AuthorizationGrantNegativeTest.class.getResource("client.xml");
+        
+        String address = "https://localhost:" + PORT + "/services/";
+        WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
+        
+        // Create the JWT Token
+        String token = createToken("DoubleItSTSIssuer", "consumer-id", 
+                                   "https://localhost:" + PORT + "/services/token", true, true);
+
+        // Get Access Token
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+        
+        Form form = new Form();
+        form.param("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
+        form.param("assertion", token);
+        form.param("client_id", "consumer-id");
+        Response response = client.post(form);
+        
+        ClientAccessToken accessToken = response.readEntity(ClientAccessToken.class);
+        assertNotNull(accessToken.getTokenKey());
+        assertNotNull(accessToken.getRefreshToken());
+    }
+    */
+    
+    private List<Object> setupProviders() {
+        List<Object> providers = new ArrayList<Object>();
+        JSONProvider<OAuthAuthorizationData> jsonP = new JSONProvider<OAuthAuthorizationData>();
+        jsonP.setNamespaceMap(Collections.singletonMap("http://org.apache.cxf.rs.security.oauth",
+                                                       "ns2"));
+        providers.add(jsonP);
+        OAuthJSONProvider oauthProvider = new OAuthJSONProvider();
+        providers.add(oauthProvider);
+        
+        return providers;
+    }
+
+    private String createToken(String audRestr, boolean saml2, boolean sign) throws WSSecurityException {
+        SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(sign);
+        samlCallbackHandler.setAudience(audRestr);
+        if (!saml2) {
+            samlCallbackHandler.setSaml2(false);
+            samlCallbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
+        }
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
+
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+        if (samlCallback.isSignAssertion()) {
+            samlAssertion.signAssertion(
+                samlCallback.getIssuerKeyName(),
+                samlCallback.getIssuerKeyPassword(),
+                samlCallback.getIssuerCrypto(),
+                samlCallback.isSendKeyValue(),
+                samlCallback.getCanonicalizationAlgorithm(),
+                samlCallback.getSignatureAlgorithm()
+            );
+        }
+        
+        return samlAssertion.assertionToString();
+    }
+    /*
+    private String createToken(String issuer, String subject, String audience, 
+                               boolean expiry, boolean sign) {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject(subject);
+        if (issuer != null) {
+            claims.setIssuer(issuer);
+        }
+        claims.setIssuedAt(new Date().getTime() / 1000L);
+        if (expiry) {
+            Calendar cal = Calendar.getInstance();
+            cal.add(Calendar.SECOND, 60);
+            claims.setExpiryTime(cal.getTimeInMillis() / 1000L);
+        }
+        if (audience != null) {
+            claims.setAudiences(Collections.singletonList(audience));
+        }
+        
+        if (sign) {
+            // Sign the JWT Token
+            Properties signingProperties = new Properties();
+            signingProperties.put("rs.security.keystore.type", "jks");
+            signingProperties.put("rs.security.keystore.password", "password");
+            signingProperties.put("rs.security.keystore.alias", "alice");
+            signingProperties.put("rs.security.keystore.file", 
+                                  "org/apache/cxf/systest/jaxrs/security/certs/alice.jks");
+            signingProperties.put("rs.security.key.password", "password");
+            signingProperties.put("rs.security.signature.algorithm", "RS256");
+            
+            JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
+            JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
+            
+            JwsSignatureProvider sigProvider = 
+                JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
+            
+            return jws.signWith(sigProvider);
+        }
+        
+        JwsHeaders jwsHeaders = new JwsHeaders(SignatureAlgorithm.NONE);
+        JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
+        return jws.getSignedEncodedJws();
+    }
+    */
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/23fa55ff/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
index 0d6c3c5..6f5573b 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
@@ -268,7 +268,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
         WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
         
         // Create the SAML Assertion
-        String assertion = createToken(address + "token", true);
+        String assertion = createToken(address + "token");
 
         // Get Access Token
         client.type("application/x-www-form-urlencoded").accept("application/json");
@@ -346,7 +346,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
         return providers;
     }
 
-    private String createToken(String audRestr, boolean sign) throws WSSecurityException {
+    private String createToken(String audRestr) throws WSSecurityException {
         SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(true);
         samlCallbackHandler.setAudience(audRestr);
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/23fa55ff/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2GrantsNegative.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2GrantsNegative.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2GrantsNegative.java
new file mode 100644
index 0000000..2e544c7
--- /dev/null
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2GrantsNegative.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs.security.oauth2.grants;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+import org.apache.cxf.testutil.common.TestUtil;
+    
+public class BookServerOAuth2GrantsNegative extends AbstractBusTestServerBase {
+    public static final String PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-negative");
+    private static final URL SERVER_CONFIG_FILE =
+        BookServerOAuth2GrantsNegative.class.getResource("grants-negative-server.xml");
+    
+    protected void run() {
+        SpringBusFactory bf = new SpringBusFactory();
+        Bus springBus = bf.createBus(SERVER_CONFIG_FILE);
+        BusFactory.setDefaultBus(springBus);
+        setBus(springBus);
+        
+        try {
+            new BookServerOAuth2GrantsNegative();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }        
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/23fa55ff/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-negative-server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-negative-server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-negative-server.xml
new file mode 100644
index 0000000..5b367f6
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-negative-server.xml
@@ -0,0 +1,142 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" 
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+    xmlns:http="http://cxf.apache.org/transports/http/configuration" 
+    xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" 
+    xmlns:sec="http://cxf.apache.org/configuration/security" 
+    xmlns:cxf="http://cxf.apache.org/core" 
+    xmlns:jaxrs="http://cxf.apache.org/jaxrs" 
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
+             http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+             http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+             http://www.springframework.org/schema/util  http://www.springframework.org/schema/util/spring-util.xsd
+             http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
+             http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd 
+             http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    <cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+        <cxf:properties> 
+          <entry key="org.apache.cxf.jaxrs.bus.providers" value-ref="busProviders"/> 
+        </cxf:properties>
+    </cxf:bus>
+    <!-- providers -->
+    <util:list id="busProviders"> 
+        <ref bean="oauthJson"/> 
+    </util:list> 
+    <bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+    
+    <httpj:engine-factory id="tls-config">
+        <httpj:engine port="${testutil.ports.jaxrs-oauth2-grants-negative}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+                </sec:trustManagers>
+                <sec:clientAuthentication want="true" required="true"/>
+            </httpj:tlsServerParameters>
+            <httpj:sessionSupport>true</httpj:sessionSupport>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+   <bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.grants.OAuthDataProviderImpl" />
+   
+   <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+   
+   <bean id="implicitService" class="org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+   
+   <bean id="refreshGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+   
+   <bean id="callbackHandlerLoginHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.grants.CallbackHandlerLoginHandler">
+      <property name="callbackHandler" ref="callbackHandler"/>
+   </bean>
+   
+   <bean id="passwordGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+      <property name="loginHandler" ref="callbackHandlerLoginHandler"/>
+   </bean>
+   
+   <bean id="clientCredsGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+   
+   <bean id="samlGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+   
+   <bean id="jwtGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+   
+   <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+      <property name="dataProvider" ref="oauthProvider"/>
+      <property name="grantHandlers">
+         <list>
+             <ref bean="refreshGrantHandler"/>
+             <ref bean="passwordGrantHandler"/>
+             <ref bean="clientCredsGrantHandler"/>
+             <ref bean="samlGrantHandler"/>
+             <ref bean="jwtGrantHandler"/>
+         </list>
+      </property>
+   </bean>
+   
+   <bean id="callbackHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.grants.CallbackHandlerImpl"/>
+   <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.grants.BasicAuthFilter">
+       <property name="callbackHandler" ref="callbackHandler"/>
+   </bean>
+   
+   <jaxrs:server 
+       depends-on="tls-config" 
+       address="https://localhost:${testutil.ports.jaxrs-oauth2-grants-negative}/services">
+       <jaxrs:serviceBeans>
+           <ref bean="authorizationService"/>
+           <ref bean="implicitService"/>
+           <ref bean="tokenService"/>
+       </jaxrs:serviceBeans>
+       <jaxrs:providers>
+           <ref bean="basicAuthFilter"/>
+       </jaxrs:providers>
+       <jaxrs:properties>
+           <entry key="security.signature.properties" 
+                  value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+           <entry key="rs.security.keystore.type" value="jks" />
+           <entry key="rs.security.keystore.alias" value="alice"/>
+           <entry key="rs.security.keystore.password" value="password"/>
+           <entry key="rs.security.keystore.file" 
+                  value="org/apache/cxf/systest/jaxrs/security/certs/alice.jks" />
+           <entry key="rs.security.signature.algorithm" value="RS256" />
+       </jaxrs:properties>
+   </jaxrs:server>
+   
+
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/23fa55ff/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/smallkey.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/smallkey.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/smallkey.properties
new file mode 100644
index 0000000..f34925e
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/smallkey.properties
@@ -0,0 +1,21 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=security
+org.apache.ws.security.crypto.merlin.keystore.alias=smallkey
+org.apache.ws.security.crypto.merlin.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/smallkeysize.jks