From cohei...@apache.org
Subject [1/2] cxf-fediz git commit: Adding initial test for passing custom RST parameter between the IdP + STS
Date Wed, 25 Jan 2017 15:32:22 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 0bca89ba3 -> c38f6b781


Adding initial test for passing custom RST parameter between the IdP + STS


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/16f24957
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/16f24957
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/16f24957

Branch: refs/heads/master
Commit: 16f249576922a617c2d88cca7d53a7496eed3935
Parents: 0bca89b
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Jan 25 15:12:58 2017 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Jan 25 15:12:58 2017 +0000

----------------------------------------------------------------------
 .../service/idp/STSAuthenticationProvider.java  | 10 ++
 .../idp/STSUPAuthenticationProvider.java        | 13 +++
 systests/idp/pom.xml                            | 19 ++++
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 64 +++++++++++++
 .../resources/realma/security-up-config.xml     | 98 ++++++++++++++++++++
 5 files changed, 204 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
index 9938b7d..4e8ed11 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
@@ -83,6 +83,8 @@ public abstract class STSAuthenticationProvider implements AuthenticationProvide
     
     protected Map<String, Object> properties = new HashMap<>();
     
+    private String customSTSParameter;
+    
     protected List<GrantedAuthority> createAuthorities(SecurityToken token) throws
WSSecurityException {
         List<GrantedAuthority> authorities = new ArrayList<>();
         //authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
@@ -285,6 +287,14 @@ public abstract class STSAuthenticationProvider implements AuthenticationProvide
         this.use200502Namespace = use200502Namespace;
     }
 
+    public String getCustomSTSParameter() {
+        return customSTSParameter;
+    }
+
+    public void setCustomSTSParameter(String customSTSParameter) {
+        this.customSTSParameter = customSTSParameter;
+    }
+
 //May be uncommented for debugging    
 //    private void setTimeout(Client client, Long timeout) {
 //        HTTPConduit conduit = (HTTPConduit) client.getConduit();
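Review bot: The new public accessors `getCustomSTSParameter` and `setCustomSTSParameter` carry no Javadoc, and the field name alone does not say that the value is the name of an HTTP request parameter rather than a value sent to the STS; the STSUPAuthenticationProvider hunk in this commit reads `request.getParameter(getCustomSTSParameter())` and forwards the result via `setCustomContent`. A one-line comment on the setter such as `/** Name of an HTTP request parameter whose value, when present on the login request, is forwarded verbatim to the STS as custom content; null disables the feature. */` would make that contract visible to anyone wiring the bean from Spring XML. Since the parameter value originates from the client, it is worth also stating that the IdP does not validate it and the STS is expected to do so.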

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
index d9be1b4..6e9130c 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
@@ -20,6 +20,7 @@ package org.apache.cxf.fediz.service.idp;
 
 import java.util.List;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.xml.namespace.QName;
 
 import org.apache.cxf.Bus;
@@ -32,6 +33,8 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 /**
  * An authentication provider to authenticate a Username/Password to the STS
@@ -81,6 +84,16 @@ public class STSUPAuthenticationProvider extends STSAuthenticationProvider
{
         sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials());
         
         try {
+            
+            if (getCustomSTSParameter() != null) {
+                HttpServletRequest request = 
+                    ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
+                String authRealmParameter = request.getParameter(getCustomSTSParameter());
+                LOG.debug("Found {} custom STS parameter {}", getCustomSTSParameter(), authRealmParameter);
+                if (authRealmParameter != null) {
+                    sts.setCustomContent(authRealmParameter);
+                }
+            }
 
             // Line below may be uncommented for debugging    
             // setTimeout(sts.getClient(), 3600000L);
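Review bot: `authRealmParameter` is client-controlled input that is handed to `sts.setCustomContent(...)` without any length or format check, so the IdP relies entirely on the STS to reject unexpected content; at minimum a comment stating that reliance belongs above the call. `RequestContextHolder.currentRequestAttributes()` throws `IllegalStateException` when no request attributes are bound to the current thread and the cast to `ServletRequestAttributes` is unchecked, which turns a missing `RequestContextFilter` into an authentication failure rather than a fallback to the plain request; `getRequestAttributes()` with an `instanceof` guard (importing `org.springframework.web.context.request.RequestAttributes`) avoids that. The `LOG.debug` line writes the raw parameter value, which the test shows can be an XML fragment supplied by the caller; logging only its presence keeps untrusted payloads out of the logs. The enclosing method starts and ends outside the hunk.
```java
            if (getCustomSTSParameter() != null) {
                RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
                if (attrs instanceof ServletRequestAttributes) {
                    HttpServletRequest request = ((ServletRequestAttributes) attrs).getRequest();
                    String authRealmParameter = request.getParameter(getCustomSTSParameter());
                    LOG.debug("Custom STS parameter {} present: {}", getCustomSTSParameter(),
                              authRealmParameter != null);
                    // Value is forwarded unvalidated; the STS is responsible for rejecting unknown content
                    if (authRealmParameter != null) {
                        sts.setCustomContent(authRealmParameter);
                    }
                }
            }
            // … unchanged: debugging comment and the rest of the try block …
```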

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/systests/idp/pom.xml
----------------------------------------------------------------------
diff --git a/systests/idp/pom.xml b/systests/idp/pom.xml
index f9319cc..66eddcb 100644
--- a/systests/idp/pom.xml
+++ b/systests/idp/pom.xml
@@ -188,6 +188,25 @@
                             </resources>              
                         </configuration>            
                     </execution>
+                    <execution>
+                        <id>copy-customised-spring-sec-to-idp</id>
+                        <phase>generate-test-sources</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF/config</outputDirectory>
+                            <resources>          
+                                <resource>
+                                    <directory>${basedir}/src/test/resources/realma</directory>
+                                    <includes>
+                                        <include>security-up-config.xml</include>
+                                    </includes>
+                                    <filtering>false</filtering>
+                                </resource>
+                            </resources>              
+                        </configuration>            
+                    </execution>
                 </executions>
             </plugin>
             <plugin>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index b8c0e50..1e58d82 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -914,4 +914,68 @@ public class IdpTest {
 
         webClient.close();
     }
+    
+    // Test a custom parameter that gets passed through to the STS
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testCustomParameter() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        // Successful test
+        WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        
+        String authUrl = url + "&auth_realm=" 
+            + URLEncoder.encode("<realm xmlns=\"http://cxf.apache.org/custom\">custom-realm</realm>",
"UTF-8");
+        HtmlPage idpPage = webClient.getPage(authUrl);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Parse the form to get the token (wresult)
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        String wresult = null;
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                wresult = result.getAttributeNS(null, "value");
+                break;
+            }
+        }
+
+        Assert.assertNotNull(wresult);
+        
+        webClient.close();
+        
+        // Unsuccessful test
+        webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        authUrl = url + "&auth_realm=" 
+            + URLEncoder.encode("<realm xmlns=\"http://cxf.apache.org/custom\">unknown-realm</realm>",
"UTF-8");
+        try {
+            webClient.getPage(authUrl);
+            Assert.fail("Failure expected on a bad auth_realm value");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 401);
+        }
+
+        webClient.close();
+    }
 }
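Review bot: `Assert.assertEquals(ex.getStatusCode(), 401)` in the unsuccessful branch puts the actual value in the expected slot, so a failure message would read backwards; `Assert.assertEquals(401, ex.getStatusCode());`. The `@org.junit.Ignore` on the new test gives no reason, so nobody later knows whether it is waiting on the STS-side handling of the custom content or on infrastructure; `@org.junit.Ignore("reason: TODO fill in")` records that. In the successful branch `webClient.close()` is skipped if either assertion fails, leaving the client open for the rest of the run; wrapping each `WebClient` in try-with-resources, if the HtmlUnit version in use supports it, or a `finally` block would match the cleanup the rest of the file does explicitly.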

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/systests/idp/src/test/resources/realma/security-up-config.xml
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/resources/realma/security-up-config.xml b/systests/idp/src/test/resources/realma/security-up-config.xml
new file mode 100644
index 0000000..5227fd2
--- /dev/null
+++ b/systests/idp/src/test/resources/realma/security-up-config.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.2.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user
-->
+    <!-- <security:debug /> -->
+    
+    <bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>
+    
+    <!-- HTTP/BA entry point for WS-Federation -->
+    <security:http pattern="/federation/up/**" use-expressions="true">
+		<security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous()
or isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+        <security:custom-filter before="BASIC_AUTH_FILTER" ref="requestContextFilter"/>
+
+        <security:http-basic />
+	<!--security:form-login login-page='/federation/up/login'
+		login-processing-url="/federation/up/login.do"
+		authentication-failure-url="/federation/up/login?error" 
+		default-target-url="/"
+		username-parameter="username" 
+		password-parameter="password"
+	/-->
+	<security:logout logout-url="/federation/up/logout" 
+		logout-success-url="/federation/up/login?out" 
+		delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+		invalidate-session="true" 
+	/>
+    </security:http>
+    
+    <!-- HTTP/BA entry point for SAML SSO -->
+    <security:http pattern="/saml/up/**" use-expressions="true">
+		<security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous()
or isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:http-basic />
+	<!--security:form-login login-page='/federation/up/login'
+		login-processing-url="/federation/up/login.do"
+		authentication-failure-url="/federation/up/login?error" 
+		default-target-url="/"
+		username-parameter="username" 
+		password-parameter="password"
+	/-->
+	<security:logout logout-url="/saml/up/logout" 
+		logout-success-url="/saml/up/login?out" 
+		delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+		invalidate-session="true" 
+	/>
+    </security:http>
+    
+    <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsUPAuthProvider" />
+    </bean>
+    
+    <!-- U/P Authentication Provider -->
+    <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"
/>
+        <property name="wsdlEndpoint" value="TransportUT_Port" />
+        <property name="wsdlService" value="SecurityTokenService" />
+        <property name="appliesTo" value="urn:fediz:idp" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <property name="customSTSParameter" value="auth_realm" />
+    </bean>
+    
+</beans>
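Review bot: `requestContextFilter` is registered only in the `/federation/up/**` chain (`<security:custom-filter before="BASIC_AUTH_FILTER" ref="requestContextFilter"/>`), while the `/saml/up/**` chain uses the same `stsUPPortFilter` and therefore the same `stsUPAuthProvider` with `customSTSParameter` set to `auth_realm`. If that provider's `RequestContextHolder.currentRequestAttributes()` call is reached on the SAML path without request attributes bound by some other component, authentication fails with an `IllegalStateException`; adding the same custom-filter line to the second chain, or a comment explaining why it is deliberately absent, would make the intent clear. A short comment above the `customSTSParameter` property noting that the named request parameter is forwarded unvalidated to the STS would help whoever copies this file into a non-test deployment.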

