cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [6/6] cxf git commit: Fix JWT + add systests
Date Wed, 10 Feb 2016 17:24:16 GMT
Fix JWT + add systests


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a245aade
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a245aade
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a245aade

Branch: refs/heads/master
Commit: a245aadeb595ddca6f919dce26a21f5a1465a1d9
Parents: 064fc77
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Feb 10 16:14:11 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Feb 10 17:22:03 2016 +0000

----------------------------------------------------------------------
 .../sts/rest/RESTSecurityTokenServiceImpl.java  |   7 +-
 .../cxf/systest/sts/rest/RESTUnitTest.java      | 114 ++++++++++++++++++-
 2 files changed, 117 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a245aade/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
index deb05da..2ce24bc 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
@@ -98,7 +98,12 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl
imple
             issueToken(tokenType, keyType, requestedClaims, appliesTo);
         RequestedSecurityTokenType requestedToken = getRequestedSecurityToken(response);
         
-        return Response.ok(requestedToken.getAny()).build();
+        if ("jwt".equals(tokenType)) {
+            // Discard the wrapper here
+            return Response.ok(((Element)requestedToken.getAny()).getTextContent()).build();
+        } else {
+            return Response.ok(requestedToken.getAny()).build();
+        }
     }
     
     @Override

http://git-wip-us.apache.org/repos/asf/cxf/blob/a245aade/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
index 946809f..a5ff4c0 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java
@@ -18,7 +18,14 @@
  */
 package org.apache.cxf.systest.sts.rest;
 
+import java.io.IOException;
 import java.net.URL;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.List;
 
 import javax.security.auth.callback.CallbackHandler;
@@ -32,6 +39,10 @@ import org.w3c.dom.Element;
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rt.security.claims.Claim;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
@@ -48,11 +59,13 @@ import org.apache.wss4j.common.crypto.CryptoFactory;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.util.Loader;
 import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.processor.Processor;
 import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
+import org.junit.Assert;
 import org.junit.BeforeClass;
 
 /**
@@ -688,7 +701,6 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase {
     }
     
     @org.junit.Test
-    @org.junit.Ignore
     public void testIssueJWTToken() throws Exception {
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
@@ -698,12 +710,83 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase {
         SpringBusFactory.setThreadDefaultBus(bus);
         
         String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
-        WebClient client = WebClient.create(address, "alice", "clarinet", busFile.toString());
+        WebClient client = WebClient.create(address, busFile.toString());
+
+        client.type("application/json").accept("application/json");
+        client.path("jwt");
+        
+        Response response = client.get();
+        String token = response.readEntity(String.class);
+        assertNotNull(token);
+        
+        validateJWTToken(token, null);
+    }
+    
+    @org.junit.Test
+    public void testIssueJWTTokenAppliesTo() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+        WebClient client = WebClient.create(address, busFile.toString());
 
         client.type("application/json").accept("application/json");
         client.path("jwt");
+        client.query("appliesTo", DEFAULT_ADDRESS);
+        
+        Response response = client.get();
+        String token = response.readEntity(String.class);
+        assertNotNull(token);
         
-        client.get();
+        validateJWTToken(token, DEFAULT_ADDRESS);
+    }
+    
+    @org.junit.Test
+    public void testIssueJWTTokenClaims() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = RESTUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
+        WebClient client = WebClient.create(address, busFile.toString());
+
+        client.type("application/json").accept("application/json");
+        client.path("jwt");
+        
+        // First check that the role isn't usually in the generated token
+        
+        Response response = client.get();
+        String token = response.readEntity(String.class);
+        assertNotNull(token);
+        
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        
+        String role = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
+        assertTrue(jwt.getClaim(role) == null);
+        
+        // Now get another token specifying the role
+        client.query("claim", role);
+        
+        response = client.get();
+        token = response.readEntity(String.class);
+        assertNotNull(token);
+        
+        // Process the token
+        validateJWTToken(token, null);
+        
+        jwtConsumer = new JwsJwtCompactConsumer(token);
+        jwt = jwtConsumer.getJwtToken();
+        assertEquals("ordinary-user", jwt.getClaim(role));
+        
+        bus.shutdown(true);
     }
     
     private Element validateSAMLSecurityTokenResponse(
@@ -755,4 +838,29 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase {
         );
     }
     
+    private void validateJWTToken(String token, String audience) 
+        throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException
{
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        
+        // Validate claims
+        Assert.assertEquals("DoubleItSTSIssuer", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
+        if (audience != null) {
+            @SuppressWarnings("unchecked")
+            List<String> audiences = (List<String>)jwt.getClaim(JwtConstants.CLAIM_AUDIENCE);
+            assertEquals(1, audiences.size());
+            Assert.assertEquals(audience, audiences.get(0));
+        }
+        Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
+        Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
+
+        KeyStore keystore = KeyStore.getInstance("JKS");
+        keystore.load(Loader.getResource("servicestore.jks").openStream(), "sspass".toCharArray());
+        Certificate cert = keystore.getCertificate("mystskey");
+        Assert.assertNotNull(cert);
+        
+        Assert.assertTrue(jwtConsumer.verifySignatureWith((X509Certificate)cert, 
+                                                          SignatureAlgorithm.RS256));
+    }
+    
 }


Mime
View raw message