cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [3/6] cxf git commit: Adding some negative tests for trust verification for rs-security
Date Tue, 28 Mar 2017 14:38:15 GMT
Adding some negative tests for trust verification for rs-security

# Conflicts:
#	rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7cee545a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7cee545a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7cee545a

Branch: refs/heads/3.0.x-fixes
Commit: 7cee545a760b2f0468a791db2c8c07ae9e75b86d
Parents: 8b13c36
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Mar 28 13:04:16 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Mar 28 14:35:26 2017 +0100

----------------------------------------------------------------------
 .../security/xml/AbstractXmlSecInHandler.java   |  6 +-
 .../rs/security/xml/XmlSecInInterceptor.java    |  6 +-
 .../security/saml/KeystorePasswordCallback.java |  4 +
 .../jaxrs/security/xml/JAXRSXmlSecTest.java     | 90 ++++++++++++++++++++
 .../systest/jaxrs/security/bethal.properties    | 24 ++++++
 .../systest/jaxrs/security/morpit.properties    | 21 +++++
 .../jaxrs/security/morpittrust.properties       | 23 +++++
 .../cxf/systest/jaxrs/security/xml/server.xml   | 32 +++++++
 .../systest/jaxrs/security/xml/stax-server.xml  | 34 +++++++-
 9 files changed, 235 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
index 035e54b..84c8150 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
@@ -80,7 +80,11 @@ public abstract class AbstractXmlSecInHandler {
     }
     
     protected void throwFault(String error, Exception ex) {
-        LOG.warning(error);
+        StringBuilder log = new StringBuilder(error);
+        if (ex != null) {
+            log = log.append(" - ").append(ex.getMessage());
+        }
+        LOG.warning(log.toString());
         Response response = JAXRSUtils.toResponseBuilder(400).entity(error).build();
         throw ExceptionUtils.toBadRequestException(null, response);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
index 07bc910..44da705 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
@@ -308,8 +308,8 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message>
imple
             try {
                 new TrustValidator().validateTrust(sigCrypto, cert, publicKey, subjectDNPatterns);
             } catch (WSSecurityException e) {
-                throw new XMLSecurityException("empty", new Object[] {"Error during Signature
Trust "
-                                               + "validation: " + e.getMessage()});
+                String error = "Signature validation failed";
+                throw new XMLSecurityException("empty", new Object[] {error});
             }
             
             if (persistSignature) {
@@ -400,7 +400,7 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message>
imple
         }
 
     }
-    
+
     /**
      * This interceptor handles parsing the StaX results (events) + checks to see whether
the 
      * required (if any) Actions (signature or encryption) were fulfilled.

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
index 3103aad..099bc4e 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
@@ -46,6 +46,10 @@ public class KeystorePasswordCallback implements CallbackHandler {
                 pc.setPassword("password");
             } else if ("bob".equals(pc.getIdentifier())) {
                 pc.setPassword("password");
+            } else if ("morpit".equals(pc.getIdentifier())) {
+                pc.setPassword("password");
+            } else if ("bethal".equals(pc.getIdentifier())) {
+                pc.setPassword("password");
             } else {
                 pc.setPassword("abcd!1234");
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
index 02b743d..f4218ec 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
@@ -276,6 +276,96 @@ public class JAXRSXmlSecTest extends AbstractBusClientServerTestBase
{
     }
     
     @Test
+    public void testSignatureNegativeServer() throws Exception {
+        String address = "https://localhost:" + test.port + "/xmlsignegativeserver/bookstore/books";
+
+        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+        bean.setAddress(address);
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAXRSXmlSecTest.class.getResource("client.xml");
+        Bus springBus = bf.createBus(busFile.toString());
+        bean.setBus(springBus);
+
+        Map<String, Object> properties = new HashMap<>();
+        properties.put("security.callback-handler",
+                       "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+        properties.put("security.signature.username", "bethal");
+        properties.put("security.signature.properties",
+                       "org/apache/cxf/systest/jaxrs/security/bethal.properties");
+        bean.setProperties(properties);
+        if (test.streaming) {
+            XmlSecOutInterceptor sigOutInterceptor = new XmlSecOutInterceptor();
+            sigOutInterceptor.setSignRequest(true);
+            bean.getOutInterceptors().add(sigOutInterceptor);
+
+            XmlSecInInterceptor sigInInterceptor = new XmlSecInInterceptor();
+            sigInInterceptor.setRequireSignature(true);
+            bean.getInInterceptors().add(sigInInterceptor);
+        } else {
+            XmlSigOutInterceptor sigOutInterceptor = new XmlSigOutInterceptor();
+            bean.getOutInterceptors().add(sigOutInterceptor);
+
+            XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor();
+            bean.getInInterceptors().add(sigInInterceptor);
+        }
+
+        WebClient wc = bean.createWebClient();
+        WebClient.getConfig(wc).getHttpConduit().getClient().setReceiveTimeout(10000000L);
+        try {
+            wc.post(new Book("CXF", 126L), Book.class);
+            fail("Failure expected on signature trust failure");
+        } catch (WebApplicationException ex) {
+            assertTrue(ex.getMessage().contains("400 Bad Request"));
+        }
+    }
+
+    @Test
+    public void testSignatureNegativeClient() throws Exception {
+        String address = "https://localhost:" + test.port + "/xmlsignegativeclient/bookstore/books";
+
+        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+        bean.setAddress(address);
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAXRSXmlSecTest.class.getResource("client.xml");
+        Bus springBus = bf.createBus(busFile.toString());
+        bean.setBus(springBus);
+
+        Map<String, Object> properties = new HashMap<>();
+        properties.put("security.callback-handler",
+                       "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+        properties.put("security.signature.username", "bethal");
+        properties.put("security.signature.properties",
+                       "org/apache/cxf/systest/jaxrs/security/bethal.properties");
+        bean.setProperties(properties);
+        if (test.streaming) {
+            XmlSecOutInterceptor sigOutInterceptor = new XmlSecOutInterceptor();
+            sigOutInterceptor.setSignRequest(true);
+            bean.getOutInterceptors().add(sigOutInterceptor);
+
+            XmlSecInInterceptor sigInInterceptor = new XmlSecInInterceptor();
+            sigInInterceptor.setRequireSignature(true);
+            bean.getInInterceptors().add(sigInInterceptor);
+        } else {
+            XmlSigOutInterceptor sigOutInterceptor = new XmlSigOutInterceptor();
+            bean.getOutInterceptors().add(sigOutInterceptor);
+
+            XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor();
+            bean.getInInterceptors().add(sigInInterceptor);
+        }
+
+        WebClient wc = bean.createWebClient();
+        WebClient.getConfig(wc).getHttpConduit().getClient().setReceiveTimeout(10000000L);
+        try {
+            wc.post(new Book("CXF", 126L), Book.class);
+            fail("Failure expected on signature trust failure");
+        } catch (ProcessingException ex) {
+            assertTrue(ex.getCause() instanceof BadRequestException);
+        }
+    }
+
+    @Test
     public void testPostEncryptedBook() throws Exception {
         String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
         Map<String, Object> properties = new HashMap<String, Object>();

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
new file mode 100644
index 0000000..7356fc5
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=bethal
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Bethal.jks
+

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
new file mode 100644
index 0000000..7cf81d6
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
@@ -0,0 +1,21 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=morpit
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Morpit.jks

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
new file mode 100644
index 0000000..0056c7d
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
@@ -0,0 +1,23 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=morpit
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Morpit.jks
+org.apache.wss4j.crypto.merlin.truststore.password=password
+org.apache.wss4j.crypto.merlin.truststore.file=keys/Truststore.jks

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
index 48ee949..02c4842 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
@@ -96,6 +96,38 @@ under the License.
         </jaxrs:properties>
     </jaxrs:server>
     
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsignegativeserver">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="xmlSigInHandler"/>
+        </jaxrs:providers>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandler"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpit.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsignegativeclient">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="xmlSigInHandler"/>
+        </jaxrs:providers>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandler"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpittrust.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsigconstraints">
         <jaxrs:serviceBeans>
             <ref bean="serviceBean"/>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cee545a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
index 0164e2d..120a329 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
@@ -116,7 +116,39 @@ under the License.
         </jaxrs:properties>
     </jaxrs:server>
     
-     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsigconstraints">
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsignegativeserver">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:inInterceptors>
+            <ref bean="xmlSigInHandler"/>
+        </jaxrs:inInterceptors>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandler"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpit.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsignegativeclient">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:inInterceptors>
+            <ref bean="xmlSigInHandler"/>
+        </jaxrs:inInterceptors>
+        <jaxrs:outInterceptors>
+            <ref bean="xmlSigOutHandler"/>
+        </jaxrs:outInterceptors>
+        <jaxrs:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpittrust.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsigconstraints">
         <jaxrs:serviceBeans>
             <ref bean="serviceBean"/>
         </jaxrs:serviceBeans>


Mime
View raw message