Author: coheigea
Date: Mon Apr 4 13:48:35 2011
New Revision: 1088625
URL: http://svn.apache.org/viewvc?rev=1088625&view=rev
Log:
[CXF-3432] - Added support for sending signed SAML Assertions via
WS-SecurityPolicy
- Added symmetric and asymmetric binding tests to the systests.
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Mon Apr 4 13:48:35 2011
@@ -144,10 +144,10 @@ public abstract class AbstractBindingBui
protected Set<String> encryptedTokensIdList = new HashSet<String>();
- protected Map<Token, WSSecBase> endEncSuppTokMap;
- protected Map<Token, WSSecBase> endSuppTokMap;
- protected Map<Token, WSSecBase> sgndEndEncSuppTokMap;
- protected Map<Token, WSSecBase> sgndEndSuppTokMap;
+ protected Map<Token, Object> endEncSuppTokMap;
+ protected Map<Token, Object> endSuppTokMap;
+ protected Map<Token, Object> sgndEndEncSuppTokMap;
+ protected Map<Token, Object> sgndEndSuppTokMap;
protected List<byte[]> signatures = new ArrayList<byte[]>();
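Review bot: Widening the four supporting-token maps to Map<Token, Object> leaves the value contract undocumented; later hunks in this file store an AssertionWrapper for SAML tokens (`ret.put(token, assertionWrapper)`) and cast to WSSecBase in doEndorsedSignatures, so a reader of these fields cannot tell what they may hold. Add a comment above the group: `// Values are the WSSecBase builder for the token or, for SAML tokens, the AssertionWrapper; consumers must check the runtime type before casting.` The three handleSupportingTokens overloads whose return type changed in the same way would benefit from the same sentence in their Javadoc.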
@@ -198,7 +198,7 @@ public abstract class AbstractBindingBui
lastEncryptedKeyElement = el;
}
- protected void addEncyptedKeyElement(Element el) {
+ protected void addEncryptedKeyElement(Element el) {
if (lastEncryptedKeyElement != null) {
insertAfter(el, lastEncryptedKeyElement);
} else if (lastDerivedKeyElement != null) {
@@ -435,11 +435,11 @@ public abstract class AbstractBindingBui
}
}
- protected Map<Token, WSSecBase> handleSupportingTokens(
+ protected Map<Token, Object> handleSupportingTokens(
Collection<Assertion> tokens,
boolean endorse
) throws WSSecurityException {
- Map<Token, WSSecBase> ret = new HashMap<Token, WSSecBase>();
+ Map<Token, Object> ret = new HashMap<Token, Object>();
if (tokens != null) {
for (Assertion pa : tokens) {
if (pa instanceof SupportingToken) {
@@ -450,17 +450,17 @@ public abstract class AbstractBindingBui
return ret;
}
- protected Map<Token, WSSecBase> handleSupportingTokens(
+ protected Map<Token, Object> handleSupportingTokens(
SupportingToken suppTokens,
boolean endorse
) throws WSSecurityException {
- return handleSupportingTokens(suppTokens, endorse, new HashMap<Token,
WSSecBase>());
+ return handleSupportingTokens(suppTokens, endorse, new HashMap<Token,
Object>());
}
- protected Map<Token, WSSecBase> handleSupportingTokens(
+ protected Map<Token, Object> handleSupportingTokens(
SupportingToken suppTokens,
boolean endorse,
- Map<Token, WSSecBase> ret
+ Map<Token, Object> ret
) throws WSSecurityException {
if (suppTokens == null) {
return ret;
@@ -560,7 +560,7 @@ public abstract class AbstractBindingBui
AssertionWrapper assertionWrapper =
addSamlToken((SamlToken)token);
if (assertionWrapper != null) {
addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
- // TODO ret.put(token, utBuilder);
+ ret.put(token, assertionWrapper);
}
}
}
@@ -583,10 +583,10 @@ public abstract class AbstractBindingBui
return st;
}
- protected void addSignatureParts(Map<Token, WSSecBase> tokenMap,
+ protected void addSignatureParts(Map<Token, Object> tokenMap,
List<WSEncryptionPart> sigParts) {
- for (Map.Entry<Token, WSSecBase> entry : tokenMap.entrySet()) {
+ for (Map.Entry<Token, Object> entry : tokenMap.entrySet()) {
Object tempTok = entry.getValue();
WSEncryptionPart part = null;
@@ -613,6 +613,18 @@ public abstract class AbstractBindingBui
WSSecUsernameToken unt = (WSSecUsernameToken)tempTok;
part = new WSEncryptionPart(unt.getId());
part.setElement(unt.getUsernameTokenElement());
+ } else if (tempTok instanceof AssertionWrapper) {
+ AssertionWrapper assertionWrapper = (AssertionWrapper)tempTok;
+ part = new WSEncryptionPart(assertionWrapper.getId());
+ part.setElement(assertionWrapper.getElement());
+
+ // TODO We only support using a KeyIdentifier for the moment
+ SecurityTokenReference secRef =
+ createSTRForSamlAssertion(assertionWrapper, false);
+ addSupportingElement(secRef.getElement());
+ part = new WSEncryptionPart("STRTransform", null, "Element");
+ part.setId(secRef.getID());
+ part.setElement(secRef.getElement());
} else {
policyNotAsserted(entry.getKey(),
"UnsupportedTokenInSupportingToken: " + tempTok);
}
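Review bot: The first WSEncryptionPart built in the new AssertionWrapper branch is dead code: `part = new WSEncryptionPart(assertionWrapper.getId()); part.setElement(assertionWrapper.getElement());` is overwritten by the STRTransform part two statements later, presumably before the variable is added to sigParts after the hunk. If only the STR-dereferenced reference is meant to be signed, delete those two lines; if the assertion element was meant to be signed directly as well, the first part must be added to sigParts before the variable is reused. The `false` passed to createSTRForSamlAssertion hard-codes the KeyIdentifier form, which the TODO records, but a comment on why a direct reference is not used yet would make the constraint easier to find. The enclosing for-loop body continues outside the hunk.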
@@ -621,6 +633,52 @@ public abstract class AbstractBindingBui
}
}
}
+
+ /**
+ * Create a SecurityTokenReference to point to a SAML Assertion
+ * @param assertion the SAML AssertionWrapper
+ * @param useDirectReferenceToAssertion whether to refer directly to the
assertion or not
+ * @return a SecurityTokenReference to a SAML Assertion
+ */
+ private SecurityTokenReference createSTRForSamlAssertion(
+ AssertionWrapper assertion,
+ boolean useDirectReferenceToAssertion
+ ) {
+ Document doc = assertion.getElement().getOwnerDocument();
+ SecurityTokenReference secRefSaml = new SecurityTokenReference(doc);
+ String secRefID =
wssConfig.getIdAllocator().createSecureId("STRSAMLId-", secRefSaml);
+ secRefSaml.setID(secRefID);
+
+ if (useDirectReferenceToAssertion) {
+ org.apache.ws.security.message.token.Reference ref =
+ new org.apache.ws.security.message.token.Reference(doc);
+ ref.setURI("#" + assertion.getId());
+ if (assertion.getSaml1() != null) {
+ ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+ secRefSaml.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
+ } else if (assertion.getSaml2() != null) {
+ secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ secRefSaml.setReference(ref);
+ } else {
+ Element keyId = doc.createElementNS(WSConstants.WSSE_NS,
"wsse:KeyIdentifier");
+ String valueType = null;
+ if (assertion.getSaml1() != null) {
+ valueType = WSConstants.WSS_SAML_KI_VALUE_TYPE;
+ secRefSaml.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
+ } else if (assertion.getSaml2() != null) {
+ valueType = WSConstants.WSS_SAML2_KI_VALUE_TYPE;
+ secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ keyId.setAttributeNS(
+ null, "ValueType", valueType
+ );
+ keyId.appendChild(doc.createTextNode(assertion.getId()));
+ Element elem = secRefSaml.getElement();
+ elem.appendChild(keyId);
+ }
+ return secRefSaml;
+ }
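Review bot: In createSTRForSamlAssertion's KeyIdentifier branch, an AssertionWrapper whose getSaml1() and getSaml2() are both null leaves valueType null, so `keyId.setAttributeNS(null, "ValueType", valueType)` either emits a KeyIdentifier with no usable ValueType or fails inside the DOM implementation, depending on the parser in use; the direct-reference branch likewise emits a Reference with no token type in that case. Rejecting the input explicitly is clearer: `} else { throw new IllegalArgumentException("AssertionWrapper holds neither a SAML 1.1 nor a SAML 2.0 assertion"); }` as the final branch of both if-chains. The direct-reference branch also sets a ValueType on the Reference only for SAML 1.1; if that asymmetry is intentional for SAML 2.0, a comment saying so would stop the next reader from "fixing" it.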
protected WSSecUsernameToken addUsernameToken(UsernameToken token) {
AssertionInfo info = null;
@@ -1443,12 +1501,12 @@ public abstract class AbstractBindingBui
return sig;
}
- protected void doEndorsedSignatures(Map<Token, WSSecBase> tokenMap,
+ protected void doEndorsedSignatures(Map<Token, Object> tokenMap,
boolean isTokenProtection,
boolean isSigProtect) {
- for (Map.Entry<Token, WSSecBase> ent : tokenMap.entrySet()) {
- WSSecBase tempTok = ent.getValue();
+ for (Map.Entry<Token, Object> ent : tokenMap.entrySet()) {
+ WSSecBase tempTok = (WSSecBase)ent.getValue();
List<WSEncryptionPart> sigParts = new
ArrayList<WSEncryptionPart>();
WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId);
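Review bot: The new `WSSecBase tempTok = (WSSecBase)ent.getValue();` in doEndorsedSignatures is an unchecked cast on a map that, after this commit, can also hold an AssertionWrapper (handleSupportingTokens now stores one for SamlToken); if a SAML token reaches an endorsing token map this throws ClassCastException instead of reporting the policy as not asserted, which is what addSignatureParts does for unsupported values. Guard the cast and skip the entry through the existing policyNotAsserted path. Whether a SamlToken can currently reach an endorsing map depends on code outside the hunk, so treat this as a defence for a likely future path. The loop body continues past the hunk.
```java
for (Map.Entry<Token, Object> ent : tokenMap.entrySet()) {
    Object value = ent.getValue();
    if (!(value instanceof WSSecBase)) {
        // the endorsing signature below is driven by a WSSecBase builder; report and skip anything else
        policyNotAsserted(ent.getKey(), "UnsupportedTokenInSupportingToken: " + value);
        continue;
    }
    WSSecBase tempTok = (WSSecBase)value;
    // … unchanged: endorsing signature over mainSigId …
```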
@@ -1651,7 +1709,7 @@ public abstract class AbstractBindingBui
Collection<Assertion> sgndSuppTokens =
findAndAssertPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS);
- Map<Token, WSSecBase> sigSuppTokMap =
this.handleSupportingTokens(sgndSuppTokens, false);
+ Map<Token, Object> sigSuppTokMap =
this.handleSupportingTokens(sgndSuppTokens, false);
Collection<Assertion> endSuppTokens =
findAndAssertPolicy(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
@@ -1664,7 +1722,7 @@ public abstract class AbstractBindingBui
Collection<Assertion> sgndEncryptedSuppTokens
=
findAndAssertPolicy(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
- Map<Token, WSSecBase> sgndEncSuppTokMap
+ Map<Token, Object> sgndEncSuppTokMap
= this.handleSupportingTokens(sgndEncryptedSuppTokens, false);
Collection<Assertion> endorsingEncryptedSuppTokens
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Mon Apr 4 13:48:35 2011
@@ -120,7 +120,7 @@ public class AsymmetricBindingHandler ex
== inclusion)) {
Element el = secToken.getToken();
- this.addEncyptedKeyElement(cloneElement(el));
+ this.addEncryptedKeyElement(cloneElement(el));
attached = true;
}
}
@@ -210,7 +210,7 @@ public class AsymmetricBindingHandler ex
== inclusion)) {
Element el = secToken.getToken();
- this.addEncyptedKeyElement(cloneElement(el));
+ this.addEncryptedKeyElement(cloneElement(el));
attached = true;
}
}
@@ -381,7 +381,7 @@ public class AsymmetricBindingHandler ex
// Add internal refs
encryptedKeyElement.appendChild(refList);
}
- this.addEncyptedKeyElement(encryptedKeyElement);
+ this.addEncryptedKeyElement(encryptedKeyElement);
return encr;
} catch (WSSecurityException e) {
policyNotAsserted(recToken, e.getMessage());
@@ -580,7 +580,7 @@ public class AsymmetricBindingHandler ex
}
// Add the EncryptedKey
- this.addEncyptedKeyElement(encrKey.getEncryptedKeyElement());
+ this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement());
encryptedKeyValue = encrKey.getEphemeralKey();
encryptedKeyId = encrKey.getId();
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Mon Apr 4 13:48:35 2011
@@ -185,11 +185,11 @@ public class SymmetricBindingHandler ext
== encryptionToken.getInclusion())) {
Element el = tok.getToken();
- this.addEncyptedKeyElement(cloneElement(el));
+ this.addEncryptedKeyElement(cloneElement(el));
attached = true;
} else if (encryptionToken instanceof X509Token &&
isRequestor()) {
Element el = tok.getToken();
- this.addEncyptedKeyElement(cloneElement(el));
+ this.addEncryptedKeyElement(cloneElement(el));
attached = true;
}
@@ -307,12 +307,12 @@ public class SymmetricBindingHandler ext
Element el = sigTok.getToken();
sigTokElem = cloneElement(el);
- this.addEncyptedKeyElement((Element)sigTokElem);
+ this.addEncryptedKeyElement((Element)sigTokElem);
} else if (isRequestor() && sigToken instanceof X509Token) {
Element el = sigTok.getToken();
sigTokElem =
(Element)secHeader.getSecurityHeader().getOwnerDocument()
.importNode(el, true);
- this.addEncyptedKeyElement((Element)sigTokElem);
+ this.addEncryptedKeyElement((Element)sigTokElem);
} else {
tokIncluded = false;
}
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Mon Apr 4 13:48:35 2011
@@ -41,6 +41,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.Header;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.cxf.ws.security.policy.model.KeyValueToken;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
@@ -63,6 +64,7 @@ import org.apache.ws.security.message.WS
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
/**
*
@@ -80,11 +82,11 @@ public class TransportBindingHandler ext
this.tbinding = binding;
}
- private void addUsernameTokens(SupportingToken sgndSuppTokens) {
+ private void addSignedSupportingTokens(SupportingToken sgndSuppTokens)
+ throws Exception {
for (Token token : sgndSuppTokens.getTokens()) {
if (token instanceof UsernameToken) {
- WSSecUsernameToken utBuilder =
- addUsernameToken((UsernameToken)token);
+ WSSecUsernameToken utBuilder =
addUsernameToken((UsernameToken)token);
if (utBuilder != null) {
utBuilder.prepare(saaj.getSOAPPart());
utBuilder.appendToHeader(secHeader);
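Review bot: The renamed addSignedSupportingTokens now declares `throws Exception`, which forces every caller up the chain to declare the same or catch the broadest type, and hides which failures are expected here. The surrounding policy-handling code uses WSSecurityException (the handleSupportingTokens overloads in AbstractBindingBuilder declare it); if the UsernameToken and SAML helpers called from this method throw only that, `private void addSignedSupportingTokens(SupportingToken sgndSuppTokens) throws WSSecurityException {` is the narrower signature. The method body continues outside the hunk, so the remaining callees could not be checked from here.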
@@ -100,7 +102,12 @@ public class TransportBindingHandler ext
&& isRequestor())) {
//Add the token
- addEncyptedKeyElement(cloneElement(secTok.getToken()));
+ addEncryptedKeyElement(cloneElement(secTok.getToken()));
+ }
+ } else if (token instanceof SamlToken) {
+ AssertionWrapper assertionWrapper =
addSamlToken((SamlToken)token);
+ if (assertionWrapper != null) {
+
addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
}
} else {
//REVISIT - not supported for signed. Exception?
@@ -141,7 +148,7 @@ public class TransportBindingHandler ext
== inclusion)) {
Element el = secToken.getToken();
- addEncyptedKeyElement(cloneElement(el));
+ addEncryptedKeyElement(cloneElement(el));
}
}
}
@@ -150,14 +157,13 @@ public class TransportBindingHandler ext
ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
if (ais != null) {
- SupportingToken sgndSuppTokens = null;
for (AssertionInfo ai : ais) {
- sgndSuppTokens = (SupportingToken)ai.getAssertion();
+ SupportingToken sgndSuppTokens =
(SupportingToken)ai.getAssertion();
+ if (sgndSuppTokens != null) {
+ addSignedSupportingTokens(sgndSuppTokens);
+ }
ai.setAsserted(true);
}
- if (sgndSuppTokens != null) {
- addUsernameTokens(sgndSuppTokens);
- }
}
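Review bot: `ai.setAsserted(true)` still runs for every AssertionInfo even when addSignedSupportingTokens added nothing to the header — for instance when addSamlToken returns null in the new SamlToken branch — so a SignedSupportingTokens assertion can be reported as satisfied with no token on the wire, unless addSamlToken itself calls policyNotAsserted (not visible here). The same pattern is in the SIGNED_ENCRYPTED_SUPPORTING_TOKENS and SUPPORTING_TOKENS loops changed further down in this file. Having the helper return whether it emitted a token and asserting only then, `if (addSignedSupportingTokens(sgndSuppTokens)) { ai.setAsserted(true); }`, would keep the policy assertion tied to what was actually written.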
ais =
aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
if (ais != null) {
@@ -187,14 +193,13 @@ public class TransportBindingHandler ext
}
ais =
aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
if (ais != null) {
- SupportingToken sgndSuppTokens = null;
for (AssertionInfo ai : ais) {
- sgndSuppTokens = (SupportingToken)ai.getAssertion();
+ SupportingToken sgndSuppTokens =
(SupportingToken)ai.getAssertion();
+ if (sgndSuppTokens != null) {
+ addSignedSupportingTokens(sgndSuppTokens);
+ }
ai.setAsserted(true);
}
- if (sgndSuppTokens != null) {
- addUsernameTokens(sgndSuppTokens);
- }
}
ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
@@ -225,15 +230,14 @@ public class TransportBindingHandler ext
}
ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
if (ais != null) {
- SupportingToken suppTokens = null;
for (AssertionInfo ai : ais) {
- suppTokens = (SupportingToken)ai.getAssertion();
+ SupportingToken suppTokens =
(SupportingToken)ai.getAssertion();
+ if (suppTokens != null && suppTokens.getTokens() !=
null
+ && suppTokens.getTokens().size() > 0) {
+ handleSupportingTokens(suppTokens, false);
+ }
ai.setAsserted(true);
}
- if (suppTokens != null && suppTokens.getTokens() != null
- && suppTokens.getTokens().size() > 0) {
- handleSupportingTokens(suppTokens, false);
- }
}
} else {
@@ -354,7 +358,7 @@ public class TransportBindingHandler ext
//sigParts.add(new WSEncryptionPart(id));
}
- addEncyptedKeyElement(el);
+ addEncryptedKeyElement(el);
tokenIncluded = true;
}
Modified:
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Mon Apr 4 13:48:35 2011
@@ -88,6 +88,85 @@ public class SamlTokenTest extends Abstr
BigInteger result = saml1Port.doubleIt(BigInteger.valueOf(25));
assert result.equals(BigInteger.valueOf(50));
}
+
+ @org.junit.Test
+ public void testSaml2OverSymmetric() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+
+ DoubleItPortType saml2Port = service.getDoubleItSaml2SymmetricPort();
+
+ try {
+ saml2Port.doubleIt(BigInteger.valueOf(25));
+ fail("Expected failure on an invocation with no SAML Assertion");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ assert ex.getMessage().contains("No SAML CallbackHandler
available");
+ }
+
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler",
+ new
org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler(false)
+ );
+ try {
+ saml2Port.doubleIt(BigInteger.valueOf(25));
+ fail("Expected failure on an invocation with a SAML1 Assertion");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ assert ex.getMessage().contains("Wrong SAML Version");
+ }
+
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler",
+ new org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler()
+ );
+ BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
+ assert result.equals(BigInteger.valueOf(50));
+ }
+ @org.junit.Test
+ public void testSaml2OverAsymmetric() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+
+ DoubleItPortType saml2Port = service.getDoubleItSaml2AsymmetricPort();
+
+ try {
+ saml2Port.doubleIt(BigInteger.valueOf(25));
+ fail("Expected failure on an invocation with no SAML Assertion");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ assert ex.getMessage().contains("No SAML CallbackHandler
available");
+ }
+
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler",
+ new
org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler(false)
+ );
+ try {
+ saml2Port.doubleIt(BigInteger.valueOf(25));
+ fail("Expected failure on an invocation with a SAML1 Assertion");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ assert ex.getMessage().contains("Wrong SAML Version");
+ }
+
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler",
+ new org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler()
+ );
+ BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
+ assert result.equals(BigInteger.valueOf(50));
+ }
}
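Review bot: testSaml2OverSymmetric and testSaml2OverAsymmetric check the fault messages with bare `assert`, which is a no-op unless the JVM runs with -ea, so the "No SAML CallbackHandler available" and "Wrong SAML Version" checks can silently pass; the existing test above uses the same idiom, but the new methods already use JUnit's `fail`, so `assertTrue(ex.getMessage().contains("Wrong SAML Version"));` is the reliable form. The two methods are identical apart from the port getter; a private helper taking the DoubleItPortType would remove the duplication. The Bus created in each test is never shut down, which may leak state across tests running in the same JVM.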
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
Mon Apr 4 13:48:35 2011
@@ -48,6 +48,31 @@
<sec:keyStore type="jks" password="password"
resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
</sec:trustManagers>
</http:tlsClientParameters>
- </http:conduit>
+ </http:conduit>
+
+ <jaxws:client name="{http://WSSec/saml}DoubleItSaml2SymmetricPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.encryption.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <jaxws:client name="{http://WSSec/saml}DoubleItSaml2AsymmetricPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.encryption.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.encryption.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ </jaxws:properties>
+ </jaxws:client>
</beans>
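Review bot: The new DoubleItSaml2AsymmetricPort client declares `ws-security.encryption.username` twice, first as alice and then as bob; which value Spring keeps depends on its map-merging behaviour, so the encryption target of the request is ambiguous. The server endpoint for that port signs as bob and encrypts to alice, so the client should encrypt to bob and the stray `<entry key="ws-security.encryption.username" value="alice"/>` should be removed. The symmetric client block does not have this problem.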
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Mon Apr 4 13:48:35 2011
@@ -86,4 +86,44 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="Saml2TokenOverSymmetric"
+ address="http://localhost:9001/DoubleItSaml2Symmetric"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItSaml2SymmetricPort"
+ xmlns:s="http://WSSec/saml"
+ implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
+ id="Saml2TokenOverAsymmetric"
+ address="http://localhost:9001/DoubleItSaml2Asymmetric"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItSaml2AsymmetricPort"
+ xmlns:s="http://WSSec/saml"
+ implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.encryption.username" value="alice"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl?rev=1088625&r1=1088624&r2=1088625&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
Mon Apr 4 13:48:35 2011
@@ -16,10 +16,11 @@
<wsdl:definitions name="DoubleIt"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://WSSec/saml"
- targetNamespace="http://WSSec/saml"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ targetNamespace="http://WSSec/saml"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
- xmlns:wsaws="http://www.w3.org/2005/08/addressing"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
- xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy">
+ xmlns:wsaws="http://www.w3.org/2005/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsdl:types>
<xsd:schema targetNamespace="http://WSSec/saml">
<xsd:element name="DoubleIt">
@@ -75,9 +76,49 @@
<soap:operation soapAction="" />
<wsdl:input>
<soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:binding name="DoubleItSaml2SymmetricBinding"
type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSaml2SymmetricPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:binding name="DoubleItSaml2AsymmetricBinding"
type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSaml2AsymmetricPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
</wsdl:output>
<wsdl:fault name="DoubleItFault">
<soap:body use="literal" name="DoubleItFault" />
@@ -89,6 +130,12 @@
<wsdl:port name="DoubleItSaml1TransportPort"
binding="tns:DoubleItSaml1TransportBinding">
<soap:address
location="https://localhost:9009/DoubleItSaml1Transport" />
</wsdl:port>
+ <wsdl:port name="DoubleItSaml2SymmetricPort"
binding="tns:DoubleItSaml2SymmetricBinding">
+ <soap:address
location="http://localhost:9001/DoubleItSaml2Symmetric" />
+ </wsdl:port>
+ <wsdl:port name="DoubleItSaml2AsymmetricPort"
binding="tns:DoubleItSaml2AsymmetricBinding">
+ <soap:address
location="http://localhost:9001/DoubleItSaml2Asymmetric" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
@@ -117,7 +164,7 @@
<sp:SupportingTokens>
<wsp:Policy>
<sp:SamlToken
-
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV11Token11/>
</wsp:Policy>
@@ -127,5 +174,141 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItSaml2SymmetricPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireThumbprintReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:SignedSupportingTokens>
+ <wsp:Policy>
+ <sp:SamlToken
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssSamlV20Token11/>
+ </wsp:Policy>
+ </sp:SamlToken>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItSaml2AsymmetricPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:SignedSupportingTokens>
+ <wsp:Policy>
+ <sp:SamlToken
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssSamlV20Token11/>
+ </wsp:Policy>
+ </sp:SamlToken>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body/>
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body/>
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body/>
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body/>
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
</wsdl:definitions>