Author: coheigea
Date: Mon Apr  4 16:31:40 2011
New Revision: 1088679

URL: http://svn.apache.org/viewvc?rev=1088679&view=rev
Log:
[CXF-3432] - Support WS-SecurityPolicy SamlToken expressions (Part IV)
 - Add support for creating self-signed assertions via configuration.

Modified:
    
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
    
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
    
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl

Modified: 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
 (original)
+++ 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
 Mon Apr  4 16:31:40 2011
@@ -82,6 +82,13 @@ public final class SecurityConstants {
     public static final String TIMESTAMP_FUTURE_TTL = 
"ws-security.timestamp.futureTimeToLive";
     
     /**
+     * This configuration tag specifies whether to self-sign a SAML Assertion 
or not. If this
+     * is set to true, then an enveloped signature will be generated when the 
SAML Assertion is
+     * constructed. The default is false.
+     */
+    public static final String SELF_SIGN_SAML_ASSERTION = 
"ws-security.self-sign-saml-assertion";
+    
+    /**
      * WCF's trust server sometimes will encrypt the token in the response IN 
ADDITION TO
      * the full security on the message. These properties control the way the 
STS client
      * will decrypt the EncryptedData elements in the response
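Review bot: The Javadoc on SELF_SIGN_SAML_ASSERTION does not say which key produces the enveloped signature, which is the first thing a deployer needs to know; from the AbstractBindingBuilder change in this commit it is the signature crypto together with `ws-security.signature.username`, falling back to the crypto's default X.509 identifier when no username is set. Add a sentence such as `The assertion is signed with the key selected by ws-security.signature.username from ws-security.signature.properties (the crypto's default identifier if no username is configured).` The class body continues outside the hunk.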

Modified: 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
 (original)
+++ 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
 Mon Apr  4 16:31:40 2011
@@ -60,7 +60,6 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
 import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements;
 import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.cxf.ws.security.policy.model.RequiredElements;
 import org.apache.cxf.ws.security.policy.model.RequiredParts;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
@@ -280,7 +279,7 @@ public class PolicyBasedWSS4JInIntercept
             for (AssertionInfo ai : ais) {
                 TransportBinding binding = (TransportBinding)ai.getAssertion();
                 TransportToken token = binding.getTransportToken();
-                if (token != null && token.getToken() instanceof IssuedToken) {
+                if (token != null) {
                     action = addToAction(action, "Signature", true);
                     action = addToAction(action, "Encrypt", true);
                     Object s = 
message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
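Review bot: Dropping the `instanceof IssuedToken` test means the Signature and Encrypt actions, and the signature-properties lookup that follows, are now registered for every TransportBinding including a plain HttpsToken endpoint, and nothing in the hunk records why; presumably it is so the enveloped signature of a self-signed SAML supporting token gets processed on the inbound side. Add a comment above the condition, e.g. `// Any transport binding may carry signed supporting tokens (e.g. a self-signed SAML assertion), so register the actions unconditionally`. Since both actions are added with the `true` flag, it is worth confirming that a transport endpoint with no signature properties configured is still accepted. The enclosing loop and method continue outside the hunk.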

Modified: 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
 (original)
+++ 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
 Mon Apr  4 16:31:40 2011
@@ -618,17 +618,23 @@ public abstract class AbstractBindingBui
                 part = new WSEncryptionPart(unt.getId());
                 part.setElement(unt.getUsernameTokenElement());
             } else if (tempTok instanceof AssertionWrapper) {
-                AssertionWrapper assertionWrapper = (AssertionWrapper)tempTok;
-                part = new WSEncryptionPart(assertionWrapper.getId());
-                part.setElement(assertionWrapper.getElement());
-                
-                // TODO We only support using a KeyIdentifier for the moment
-                SecurityTokenReference secRef = 
-                    createSTRForSamlAssertion(assertionWrapper, false);
-                addSupportingElement(secRef.getElement());
-                part = new WSEncryptionPart("STRTransform", null, "Element");
-                part.setId(secRef.getID());
-                part.setElement(secRef.getElement());
+                boolean selfSignAssertion = 
+                    MessageUtils.getContextualBoolean(
+                        message, SecurityConstants.SELF_SIGN_SAML_ASSERTION, 
false
+                    );
+                if (!selfSignAssertion) {
+                    AssertionWrapper assertionWrapper = 
(AssertionWrapper)tempTok;
+                    part = new WSEncryptionPart(assertionWrapper.getId());
+                    part.setElement(assertionWrapper.getElement());
+                    
+                    // TODO We only support using a KeyIdentifier for the 
moment
+                    SecurityTokenReference secRef = 
+                        createSTRForSamlAssertion(assertionWrapper, false);
+                    addSupportingElement(secRef.getElement());
+                    part = new WSEncryptionPart("STRTransform", null, 
"Element");
+                    part.setId(secRef.getID());
+                    part.setElement(secRef.getElement());
+                }
             } else {
                 policyNotAsserted(entry.getKey(), 
"UnsupportedTokenInSupportingToken: " + tempTok);  
             }
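Review bot: When `selfSignAssertion` is true the AssertionWrapper branch assigns nothing to `part`, so the assertion is no longer referenced from the message signature via STRTransform, and the branch carries no comment saying this is intended. Under a TransportBinding TLS covers the token, but `ws-security.self-sign-saml-assertion` is a plain contextual property and this method presumably runs for the asymmetric and symmetric bindings too, where skipping the STRTransform part leaves a self-signed token unbound from the message signature and substitutable. Consider keeping the STRTransform part regardless of the flag (an enveloped signature inside the assertion does not conflict with signing it from the header), or at least document the omission: `// self-signed assertion: carries its own enveloped signature, deliberately not added to the message signature`. The enclosing method starts and ends outside the hunk.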
@@ -771,7 +777,39 @@ public abstract class AbstractBindingBui
         SAMLParms samlParms = new SAMLParms();
         samlParms.setCallbackHandler(handler);
         info.setAsserted(true);
-        return new AssertionWrapper(samlParms);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        boolean selfSignAssertion = 
+            MessageUtils.getContextualBoolean(
+                message, SecurityConstants.SELF_SIGN_SAML_ASSERTION, false
+            );
+        if (selfSignAssertion) {
+            Crypto crypto = getSignatureCrypto(null);
+            
+            String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
+            String user = (String)message.getContextualProperty(userNameKey);
+            if (crypto != null && StringUtils.isEmpty(user)) {
+                try {
+                    user = crypto.getDefaultX509Identifier();
+                } catch (WSSecurityException e1) {
+                    throw new Fault(e1);
+                }
+            }
+            if (StringUtils.isEmpty(user)) {
+                policyNotAsserted(token, "No username found.");
+                return null;
+            }
+    
+            String password = getPassword(user, token, 
WSPasswordCallback.SIGNATURE);
+            if (password == null) {
+                password = "";
+            }
+         
+            // TODO configure using a KeyValue here
+            assertion.signAssertion(user, password, crypto, false);
+        }
+        
+        return assertion;
     }
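Review bot: `crypto` is only null-checked for the username fallback; if `getSignatureCrypto(null)` returns null (and with a null wrapper the properties loader now reports nothing, per the later hunks in this file), execution falls through to `assertion.signAssertion(user, password, crypto, false)` with a null Crypto and fails with an opaque exception instead of a policy error. Guard before signing: `if (crypto == null) { policyNotAsserted(token, "No signature crypto found for self-signing the SAML Assertion"); return null; }`. The `password == null` to `""` fallback also deserves a comment, since it silently attempts an empty key password rather than reporting a missing callback result. The enclosing method's signature is outside the hunk.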
     
     public String getPassword(String userName, Assertion info, int type) {
@@ -1224,11 +1262,13 @@ public abstract class AbstractBindingBui
                     properties = new Properties();
                     properties.load(ins);
                     ins.close();
-                } else {
+                } else if (wrapper != null) {
                     policyNotAsserted(wrapper, "Could not find properties file 
" + o);
                 }
             } catch (IOException e) {
-                policyNotAsserted(wrapper, e);
+                if (wrapper != null) {
+                    policyNotAsserted(wrapper, e);
+                }
             }
         } else if (o instanceof URL) {
             properties = new Properties();
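Review bot: With `wrapper == null` (the new call path from the self-signing code) a missing properties file or an IOException is now ignored without any trace, so the caller cannot distinguish a misconfigured `ws-security.signature.properties` from a deliberate absence. When `wrapper` is null, at least log the failure, e.g. `LOG.log(Level.WARNING, "Could not load properties file " + o, e);` if the class has a logger; the same applies to the URL branch in the following hunk. The enclosing method starts and ends outside the hunk.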
@@ -1237,7 +1277,9 @@ public abstract class AbstractBindingBui
                 properties.load(ins);
                 ins.close();
             } catch (IOException e) {
-                policyNotAsserted(wrapper, e);
+                if (wrapper != null) {
+                    policyNotAsserted(wrapper, e);
+                }
             }            
         }
         

Modified: 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
 (original)
+++ 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
 Mon Apr  4 16:31:40 2011
@@ -50,6 +50,7 @@ public class SamlTokenPolicyValidator {
 
                 if (!checkVersion(samlToken, assertionWrapper)) {
                     ai.setNotAsserted("Wrong SAML Version");
+                    return;
                 }
                 /*
                 if (!checkIssuerName(samlToken, assertionWrapper)) {
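Review bot: The new `return` correctly stops a version-mismatched token from being treated as asserted further down, but the issuer-name check directly below it is still commented out, so a token of the right SAML version from any issuer passes this validator; whether trust is established elsewhere (signature verification against a trust store) is not visible here. If the check stays disabled, add a comment stating where issuer trust is enforced, e.g. `// issuer is not validated here; trust relies on signature verification of the assertion`. The enclosing method continues outside the hunk.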

Modified: 
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- 
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
 (original)
+++ 
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
 Mon Apr  4 16:31:40 2011
@@ -158,6 +158,7 @@ public class SamlTokenTest extends Abstr
             saml2Port.doubleIt(BigInteger.valueOf(25));
             fail("Expected failure on an invocation with a SAML1 Assertion");
         } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            ex.printStackTrace();
             assert ex.getMessage().contains("Wrong SAML Version");
         }
         
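Review bot: `ex.printStackTrace()` in the catch block looks like a debugging leftover that only adds noise to the test log; remove it. The `assert ex.getMessage().contains(...)` on the next line is a Java `assert`, a no-op unless the JVM runs with -ea, so `assertTrue(ex.getMessage().contains("Wrong SAML Version"));` would make the check unconditional. The enclosing test method starts outside the hunk.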
@@ -169,4 +170,26 @@ public class SamlTokenTest extends Abstr
         assert result.equals(BigInteger.valueOf(50));
     }
     
+    @org.junit.Test
+    public void testSaml1SelfSignedOverTransport() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        
+        DoubleItPortType saml1Port = 
service.getDoubleItSaml1SelfSignedTransportPort();
+        
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            "ws-security.saml-callback-handler",
+            new 
org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler(false)
+        );
+        BigInteger result = saml1Port.doubleIt(BigInteger.valueOf(25));
+        assert result.equals(BigInteger.valueOf(50));
+    }
+    
 }
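Review bot: testSaml1SelfSignedOverTransport only checks the doubled value, so it passes whether or not the enveloped signature was actually produced or verified; the server endpoint added in this commit configures no signature properties, so the test does not show that the self-signed assertion is validated at all. Consider a negative case (the endpoint rejecting an assertion sent without `ws-security.self-sign-saml-assertion`) or inspecting the outbound message for a `ds:Signature` inside the assertion. Also `assert result.equals(BigInteger.valueOf(50))` is a Java `assert` that is skipped without -ea; `assertEquals(BigInteger.valueOf(50), result);` always runs.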

Modified: 
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL: 
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- 
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
 (original)
+++ 
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
 Mon Apr  4 16:31:40 2011
@@ -39,7 +39,7 @@
         </cxf:features>
     </cxf:bus>
     
-    <http:conduit name="https://localhost:9009/DoubleItSaml1Transport";>
+    <http:conduit name="https://localhost:9009/.*";>
         <http:tlsClientParameters disableCNCheck="true">
             <sec:keyManagers keyPassword="password">
                 <sec:keyStore type="jks" password="password" 
resource="org/apache/cxf/systest/ws/security/Morpit.jks"/>
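Review bot: Widening the conduit name to `https://localhost:9009/.*` also extends `disableCNCheck="true"` to every endpoint on that port, so no test on 9009 will verify the server certificate's hostname; acceptable for a systest, but mark it as such with `<!-- test only: hostname verification disabled for all localhost:9009 endpoints -->` so the pattern is not copied into a production configuration.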
@@ -73,6 +73,18 @@
            <entry key="ws-security.signature.properties" 
                   
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
        </jaxws:properties>
+   </jaxws:client> 
+
+   <jaxws:client 
name="{http://WSSec/saml}DoubleItSaml1SelfSignedTransportPort"; 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.signature.properties" 
+                  
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.self-sign-saml-assertion" value="true"/>
+       </jaxws:properties>
    </jaxws:client>  
     
 </beans>

Modified: 
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: 
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- 
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
 (original)
+++ 
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
 Mon Apr  4 16:31:40 2011
@@ -126,4 +126,22 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="Saml1SelfSignedTokenOverTransport"
+       address="https://localhost:9009/DoubleItSaml1SelfSignedTransport"; 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml1SelfSignedTransportPort"
+       xmlns:s="http://WSSec/saml";
+       implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.encryption.properties" 
+                  
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>
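Review bot: The new endpoint sets only `ws-security.callback-handler` and `ws-security.encryption.properties`, with no `ws-security.signature.properties`, yet the inbound interceptor change in this commit reads the signature properties for transport bindings, and a self-signed assertion is only as trustworthy as the trust store its signer is checked against. Either add a `ws-security.signature.properties` entry pointing at a trust store that holds the client's signing certificate, or add an XML comment on the endpoint stating that signature verification of the assertion is not exercised here, so readers do not take this configuration as a working trust setup.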

Modified: 
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
URL: 
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl?rev=1088679&r1=1088678&r2=1088679&view=diff
==============================================================================
--- 
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
 (original)
+++ 
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
 Mon Apr  4 16:31:40 2011
@@ -87,6 +87,25 @@
             </wsdl:fault>
                </wsdl:operation>
        </wsdl:binding>
+       <wsdl:binding name="DoubleItSaml1SelfSignedTransportBinding" 
type="tns:DoubleItPortType">
+               <wsp:PolicyReference 
URI="#DoubleItSaml1SelfSignedTransportPolicy" />
+               <soap:binding style="document"
+                       transport="http://schemas.xmlsoap.org/soap/http"; />
+               <wsdl:operation name="DoubleIt">
+                       <soap:operation soapAction="" />
+                       <wsdl:input>
+                               <soap:body use="literal" />
+                               <wsp:PolicyReference 
URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+                       </wsdl:input>
+                       <wsdl:output>
+                               <soap:body use="literal" />
+                               <wsp:PolicyReference 
URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+                       </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+               </wsdl:operation>
+       </wsdl:binding>
        <wsdl:binding name="DoubleItSaml2SymmetricBinding" 
type="tns:DoubleItPortType">
                <wsp:PolicyReference URI="#DoubleItSaml2SymmetricPolicy" />
                <soap:binding style="document"
@@ -136,6 +155,10 @@
                <wsdl:port name="DoubleItSaml2AsymmetricPort" 
binding="tns:DoubleItSaml2AsymmetricBinding">
                        <soap:address 
location="http://localhost:9001/DoubleItSaml2Asymmetric"; />
                </wsdl:port>
+               <wsdl:port name="DoubleItSaml1SelfSignedTransportPort" 
+                          
binding="tns:DoubleItSaml1SelfSignedTransportBinding">
+                       <soap:address 
location="https://localhost:9009/DoubleItSaml1SelfSignedTransport"; />
+               </wsdl:port>
        </wsdl:service>
 
        <wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
@@ -174,6 +197,42 @@
                        </wsp:All>
                </wsp:ExactlyOne>
        </wsp:Policy>
+       <wsp:Policy wsu:Id="DoubleItSaml1SelfSignedTransportPolicy">
+               <wsp:ExactlyOne>
+                       <wsp:All>
+                               <sp:TransportBinding>
+                                       <wsp:Policy>
+                                               <sp:TransportToken>
+                                                       <wsp:Policy>
+                                                               <sp:HttpsToken 
RequireClientCertificate="false" />
+                                                       </wsp:Policy>
+                                               </sp:TransportToken>
+                                               <sp:Layout>
+                                                       <wsp:Policy>
+                                                               <sp:Lax />
+                                                       </wsp:Policy>
+                                               </sp:Layout>
+                                               <sp:IncludeTimestamp />
+                                               <sp:AlgorithmSuite>
+                                                       <wsp:Policy>
+                                                               <sp:Basic128 />
+                                                       </wsp:Policy>
+                                               </sp:AlgorithmSuite>
+                                       </wsp:Policy>
+                               </sp:TransportBinding>
+                               <sp:SignedSupportingTokens>
+                                       <wsp:Policy>
+                                               <sp:SamlToken
+                                                   
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
+                                           <wsp:Policy>
+                                               <sp:WssSamlV11Token11/>
+                                           </wsp:Policy>
+                                       </sp:SamlToken>
+                                       </wsp:Policy>
+                               </sp:SignedSupportingTokens>
+                       </wsp:All>
+               </wsp:ExactlyOne>
+       </wsp:Policy>
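Review bot: This policy admits a SAML 1.1 token over TLS with `RequireClientCertificate="false"`, and as far as I know WS-SecurityPolicy has no assertion that requires the SAML token itself to carry a signature, so an unsigned bearer assertion satisfies the policy unless the server's SAML validation insists on one. If the intent is that only signed assertions are accepted on this endpoint, that has to be enforced by the validator or endpoint configuration, and a WSDL comment next to the policy (`<!-- assertion is expected to carry an enveloped signature; enforced by the endpoint, not expressible in policy -->`) would record that expectation.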
        <wsp:Policy wsu:Id="DoubleItSaml2SymmetricPolicy">
       <wsp:ExactlyOne>
          <wsp:All>

