Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/ValidateTokenTransformationUnitTest.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/ValidateTokenTransformationUnitTest.java?rev=1297588&r1=1297587&r2=1297588&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/ValidateTokenTransformationUnitTest.java (original) +++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/ValidateTokenTransformationUnitTest.java Tue Mar 6 17:33:04 2012 @@ -26,6 +26,7 @@ import java.util.List; import java.util.Map; import java.util.Properties; +import javax.security.auth.callback.CallbackHandler; import javax.xml.bind.JAXBElement; import javax.xml.namespace.QName; 
@@ -42,15 +43,29 @@ import org.apache.cxf.sts.STSConstants; import org.apache.cxf.sts.STSPropertiesMBean; import org.apache.cxf.sts.StaticSTSProperties; import org.apache.cxf.sts.claims.ClaimTypes; +import org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider; import org.apache.cxf.sts.claims.ClaimsHandler; import org.apache.cxf.sts.claims.ClaimsManager; +import org.apache.cxf.sts.claims.ClaimsMapper; +import org.apache.cxf.sts.claims.RequestClaim; +import org.apache.cxf.sts.claims.RequestClaimCollection; import org.apache.cxf.sts.common.CustomAttributeProvider; import org.apache.cxf.sts.common.CustomClaimsHandler; import org.apache.cxf.sts.common.PasswordCallbackHandler; +import org.apache.cxf.sts.request.KeyRequirements; +import org.apache.cxf.sts.request.TokenRequirements; +import org.apache.cxf.sts.service.EncryptionProperties; +import org.apache.cxf.sts.service.ServiceMBean; +import org.apache.cxf.sts.service.StaticService; import org.apache.cxf.sts.token.provider.AttributeStatementProvider; import org.apache.cxf.sts.token.provider.SAMLTokenProvider; import org.apache.cxf.sts.token.provider.TokenProvider; +import org.apache.cxf.sts.token.provider.TokenProviderParameters; +import org.apache.cxf.sts.token.provider.TokenProviderResponse; +import org.apache.cxf.sts.token.realm.Relationship; import org.apache.cxf.sts.token.realm.SAMLRealm; +import org.apache.cxf.sts.token.validator.IssuerSAMLRealmCodec; +import org.apache.cxf.sts.token.validator.SAMLTokenValidator; import org.apache.cxf.sts.token.validator.TokenValidator; import org.apache.cxf.sts.token.validator.UsernameTokenValidator; import org.apache.cxf.ws.security.sts.provider.STSException; 
@@ -65,13 +80,14 @@ import org.apache.cxf.ws.security.sts.pr import org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType; import org.apache.ws.security.CustomTokenPrincipal; import org.apache.ws.security.WSConstants; +import org.apache.ws.security.WSSecurityException; import org.apache.ws.security.components.crypto.Crypto; import org.apache.ws.security.components.crypto.CryptoFactory; import org.apache.ws.security.saml.ext.builder.SAML2Constants; import org.apache.ws.security.util.DOM2Writer; /** - * In this test, a token (UsernameToken) is validated and transformed into a SAML Assertion. + * In this test, a token (UsernameToken or SAMLToken) is validated and transformed into a SAML Assertion. */ public class ValidateTokenTransformationUnitTest extends org.junit.Assert { @@ -231,7 +247,7 @@ public class ValidateTokenTransformation // expected } - samlTokenProvider.setRealmMap(getSamlRealms()); + samlTokenProvider.setRealmMap(createSamlRealms()); RequestSecurityTokenResponseType response = validateOperation.validate(request, webServiceContext); assertTrue(validateResponse(response)); 
@@ -272,6 +288,167 @@ public class ValidateTokenTransformation runUsernameTokenTransformationClaims(true); } + + /** + * Test to successfully validate a SAML 2 Token issued by realm "A" and + * transform it into a SAML 2 token (realm "B") + * The relationship type between realm A and B is: FederateIdentity + * IdentityMapper is configured globally in STSPropertiesMBean + */ + @org.junit.Test + public void testValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentityGlobalConfig() + throws Exception { + runValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentity(true); + } + + /** + * Test to successfully validate a SAML 2 Token issued by realm "A" and + * transform it into a SAML 2 token (realm "B") + * The relationship type between realm A and B is: FederateIdentity + * IdentityMapper is configured in the Relationship + */ + @org.junit.Test + //[TODO] should work after Relationship support in validateoperation + public void testValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentityRelationshipConfig() + throws Exception { + runValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentity(false); + } + + + + + /** + * Test to successfully validate a SAML 2 Token issued by realm "A" and + * transform it into a SAML 2 token (realm "B") + * The relationship type between realm A and B is: FederateClaims + */ + @org.junit.Test + public void testValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateClaims() throws Exception { + TokenValidateOperation validateOperation = new TokenValidateOperation(); + + Map<String, SAMLRealm> realms = createSamlRealms(); + + // Add Token Provider + List<TokenProvider> providerList = new ArrayList<TokenProvider>(); + SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider(); + samlTokenProvider.setRealmMap(realms); + List<AttributeStatementProvider> customProviderList = + new ArrayList<AttributeStatementProvider>(); + customProviderList.add(new ClaimsAttributeStatementProvider()); + 
samlTokenProvider.setAttributeStatementProviders(customProviderList); + providerList.add(samlTokenProvider); + validateOperation.setTokenProviders(providerList); + + // Add Token Validator + List<TokenValidator> validatorList = new ArrayList<TokenValidator>(); + SAMLTokenValidator samlTokenValidator = new SAMLTokenValidator(); + samlTokenValidator.setSamlRealmCodec(new IssuerSAMLRealmCodec()); + validatorList.add(samlTokenValidator); + validateOperation.setTokenValidators(validatorList); + + // Add Service + ServiceMBean service = new StaticService(); + service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy")); + validateOperation.setServices(Collections.singletonList(service)); + + // Add Relationship list + List<Relationship> relationshipList = new ArrayList<Relationship>(); + Relationship rs = createRelationship(); + relationshipList.add(rs); + + // Add STSProperties object + Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); + STSPropertiesMBean stsProperties = createSTSPropertiesMBean(crypto); + stsProperties.setRealmParser(new CustomRealmParser()); + stsProperties.setIdentityMapper(new CustomIdentityMapper()); + stsProperties.setRelationships(relationshipList); + validateOperation.setStsProperties(stsProperties); + + // Set the ClaimsManager + ClaimsManager claimsManager = new ClaimsManager(); + claimsManager.setClaimHandlers(Collections.singletonList((ClaimsHandler)new CustomClaimsHandler())); + validateOperation.setClaimsManager(claimsManager); + + // Mock up a request + RequestSecurityTokenType request = new RequestSecurityTokenType(); + JAXBElement<String> tokenType = + new JAXBElement<String>( + QNameConstants.TOKEN_TYPE, String.class, WSConstants.WSS_SAML2_TOKEN_TYPE + ); + request.getAny().add(tokenType); + + // Add a ClaimsType + ClaimsType claimsType = new ClaimsType(); + claimsType.setDialect(STSConstants.IDT_NS_05_05); + + Document doc = DOMUtils.createDocument(); + Element claimType = 
createClaimsType(doc); + claimsType.getAny().add(claimType); + + JAXBElement<ClaimsType> claimsTypeJaxb = + new JAXBElement<ClaimsType>( + QNameConstants.CLAIMS, ClaimsType.class, claimsType + ); + request.getAny().add(claimsTypeJaxb); + + //request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy")); + + // create a SAML Token via the SAMLTokenProvider which contains claims + CallbackHandler callbackHandler = new PasswordCallbackHandler(); + Element samlToken = + createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", + callbackHandler, realms); + Document docToken = samlToken.getOwnerDocument(); + samlToken = (Element)docToken.appendChild(samlToken); + String samlString = DOM2Writer.nodeToString(samlToken); + assertTrue(samlString.contains("AttributeStatement")); + assertTrue(samlString.contains("alice")); + assertTrue(samlString.contains("doe")); + assertTrue(samlString.contains(SAML2Constants.CONF_BEARER)); + + // Add SAML token as ValidateTarget element + ValidateTargetType validateTarget = new ValidateTargetType(); + validateTarget.setAny(samlToken); + JAXBElement<ValidateTargetType> validateTargetType = + new JAXBElement<ValidateTargetType>( + QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, validateTarget + ); + request.getAny().add(validateTargetType); + + + // Mock up message context + MessageImpl msg = new MessageImpl(); + WrappedMessageContext msgCtx = new WrappedMessageContext(msg); + msgCtx.put("url", "https"); + WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx); + + // run the test + RequestSecurityTokenResponseType response = + validateOperation.validate(request, webServiceContext); + assertTrue(validateResponse(response)); + + // Test the generated token. 
+ Element assertion = null; + for (Object tokenObject : response.getAny()) { + if (tokenObject instanceof JAXBElement<?> + && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>)tokenObject).getName())) { + RequestedSecurityTokenType rstType = + (RequestedSecurityTokenType)((JAXBElement<?>)tokenObject).getValue(); + assertion = (Element)rstType.getAny(); + break; + } + } + + assertNotNull(assertion); + String tokenString = DOM2Writer.nodeToString(assertion); + assertTrue(tokenString.contains("AttributeStatement")); + assertTrue(tokenString.contains("alice")); //subject unchanged + assertTrue(tokenString.contains("DOE")); //claim changed (to uppercase) + assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER)); + } + + + /** * Test to successfully validate a UsernameToken and transform it into a SAML Assertion with claims. */ @@ -339,7 +516,7 @@ public class ValidateTokenTransformation WrappedMessageContext msgCtx = new WrappedMessageContext(msg); msgCtx.put( SecurityContext.class.getName(), - createSecurityContext(new CustomTokenPrincipal("alice")) + createSecurityContext(new CustomTokenPrincipal("ted")) ); WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx); 
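Review bot: `testValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentityRelationshipConfig` is annotated `@org.junit.Test` while the comment squeezed between the annotation and the signature reads `//[TODO] should work after Relationship support in validateoperation`, so a feature the author says is not yet supported is run as a regular test; if it does not pass yet it should carry `@org.junit.Ignore("Relationship support in TokenValidateOperation pending")` until it does, and if it already passes the TODO is stale. Either way the comment belongs in the Javadoc block above the annotation, where a reader of the test's purpose will actually see it. Separately, `testValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateClaims` repeats almost line for line the body of `runValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentity` from the later hunk; letting that helper take the relationship type and the expected subject/claim spelling would leave one fixture to maintain instead of two.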
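Review bot: The security-context principal for the UsernameToken claims test is changed from `"alice"` to `"ted"` without a comment, while the `@@ -365` hunk still asserts `tokenString.contains("alice")`; the intent appears to be that the issued assertion's subject is taken from the validated UsernameToken and not from the transport-authenticated caller, but nothing in the test states that. A one-line comment above the `msgCtx.put(...)` call would preserve it, e.g. `// caller principal deliberately differs from the token subject: the transformed token must carry "alice" from the UsernameToken, not "ted"`. The enclosing test method starts and ends outside this hunk.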
@@ -365,9 +542,141 @@ public class ValidateTokenTransformation assertTrue(tokenString.contains("AttributeStatement")); assertTrue(tokenString.contains("alice")); assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER)); - assertTrue(tokenString.contains(ClaimTypes.FIRSTNAME.toString())); + assertTrue(tokenString.contains(ClaimTypes.LASTNAME.toString())); } + + private void runValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentity( + boolean useGlobalIdentityMapper) throws WSSecurityException { + TokenValidateOperation validateOperation = new TokenValidateOperation(); + + Map<String, SAMLRealm> realms = createSamlRealms(); + + // Add Token Provider + List<TokenProvider> providerList = new ArrayList<TokenProvider>(); + SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider(); + samlTokenProvider.setRealmMap(realms); + List<AttributeStatementProvider> customProviderList = + new ArrayList<AttributeStatementProvider>(); + customProviderList.add(new ClaimsAttributeStatementProvider()); + samlTokenProvider.setAttributeStatementProviders(customProviderList); + providerList.add(samlTokenProvider); + validateOperation.setTokenProviders(providerList); + + // Add Token Validator + List<TokenValidator> validatorList = new ArrayList<TokenValidator>(); + SAMLTokenValidator samlTokenValidator = new SAMLTokenValidator(); + samlTokenValidator.setSamlRealmCodec(new IssuerSAMLRealmCodec()); + validatorList.add(samlTokenValidator); + validateOperation.setTokenValidators(validatorList); + + // Add Service + ServiceMBean service = new StaticService(); + service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy")); + validateOperation.setServices(Collections.singletonList(service)); + + // Add Relationship list + List<Relationship> relationshipList = new ArrayList<Relationship>(); + Relationship rs = createRelationship(); + rs.setType(Relationship.FED_TYPE_IDENTITY); + rs.setIdentityMapper(new CustomIdentityMapper()); + relationshipList.add(rs); + + 
// Add STSProperties object + Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); + STSPropertiesMBean stsProperties = createSTSPropertiesMBean(crypto); + stsProperties.setRealmParser(new CustomRealmParser()); + if (useGlobalIdentityMapper) { + stsProperties.setIdentityMapper(new CustomIdentityMapper()); + } else { + stsProperties.setRelationships(relationshipList); + } + validateOperation.setStsProperties(stsProperties); + + // Set the ClaimsManager + ClaimsManager claimsManager = new ClaimsManager(); + claimsManager.setClaimHandlers(Collections.singletonList((ClaimsHandler)new CustomClaimsHandler())); + validateOperation.setClaimsManager(claimsManager); + + // Mock up a request + RequestSecurityTokenType request = new RequestSecurityTokenType(); + JAXBElement<String> tokenType = + new JAXBElement<String>( + QNameConstants.TOKEN_TYPE, String.class, WSConstants.WSS_SAML2_TOKEN_TYPE + ); + request.getAny().add(tokenType); + + // Add a ClaimsType + ClaimsType claimsType = new ClaimsType(); + claimsType.setDialect(STSConstants.IDT_NS_05_05); + + Document doc = DOMUtils.createDocument(); + Element claimType = createClaimsType(doc); + claimsType.getAny().add(claimType); + + JAXBElement<ClaimsType> claimsTypeJaxb = + new JAXBElement<ClaimsType>( + QNameConstants.CLAIMS, ClaimsType.class, claimsType + ); + request.getAny().add(claimsTypeJaxb); + + //request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy")); + + // create a SAML Token via the SAMLTokenProvider which contains claims + CallbackHandler callbackHandler = new PasswordCallbackHandler(); + Element samlToken = + createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", + callbackHandler, realms); + Document docToken = samlToken.getOwnerDocument(); + samlToken = (Element)docToken.appendChild(samlToken); + String samlString = DOM2Writer.nodeToString(samlToken); + assertTrue(samlString.contains("AttributeStatement")); + assertTrue(samlString.contains("alice")); + 
assertTrue(samlString.contains("doe")); + assertTrue(samlString.contains(SAML2Constants.CONF_BEARER)); + + // Add SAML token as ValidateTarget element + ValidateTargetType validateTarget = new ValidateTargetType(); + validateTarget.setAny(samlToken); + JAXBElement<ValidateTargetType> validateTargetType = + new JAXBElement<ValidateTargetType>( + QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, validateTarget + ); + request.getAny().add(validateTargetType); + + + // Mock up message context + MessageImpl msg = new MessageImpl(); + WrappedMessageContext msgCtx = new WrappedMessageContext(msg); + msgCtx.put("url", "https"); + WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx); + + // run the test + RequestSecurityTokenResponseType response = + validateOperation.validate(request, webServiceContext); + assertTrue(validateResponse(response)); + + // Test the generated token. + Element assertion = null; + for (Object tokenObject : response.getAny()) { + if (tokenObject instanceof JAXBElement<?> + && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>)tokenObject).getName())) { + RequestedSecurityTokenType rstType = + (RequestedSecurityTokenType)((JAXBElement<?>)tokenObject).getValue(); + assertion = (Element)rstType.getAny(); + break; + } + } + + assertNotNull(assertion); + String tokenString = DOM2Writer.nodeToString(assertion); + assertTrue(tokenString.contains("AttributeStatement")); + assertTrue(tokenString.contains("ALICE")); //subject changed (to uppercase) + assertTrue(tokenString.contains("doe")); //claim unchanged but requested + assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER)); + } + + /* * Create a security context object */ 
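Review bot: In `runValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateIdentity` the relationship list (type `FED_TYPE_IDENTITY` with its own `CustomIdentityMapper`) is built in both branches but only attached to the STS properties in the `else` branch, and the `if` branch sets a global identity mapper with no relationships at all, so the two configurations differ in more than where the mapper lives; the callers' Javadoc only says 'configured globally' versus 'configured in the Relationship'. A comment at the branch such as `// global mapper: no A->B relationship is registered, mapping must still apply` would record whether that asymmetry is intended, assuming it is. The helper also reuses `createRelationship()`, which pre-sets a `ClaimsMapper` and `FED_TYPE_CLAIMS`, then overrides only the type, so the identity relationship still carries a claims mapper; if the validate operation dispatches on type alone this is harmless, otherwise it is a hidden second mapping worth a comment. Finally this method declares `throws WSSecurityException` while the near-identical FederateClaims test declares `throws Exception`; one signature for both keeps them aligned.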
@@ -382,7 +691,32 @@ public class ValidateTokenTransformation }; } - private Map<String, SAMLRealm> getSamlRealms() { + private Relationship createRelationship() { + Relationship rs = new Relationship(); + ClaimsMapper claimsMapper = new CustomClaimsMapper(); + rs.setClaimsMapper(claimsMapper); + rs.setSourceRealm("A"); + rs.setTargetRealm("B"); + rs.setType(Relationship.FED_TYPE_CLAIMS); + return rs; + } + + + /* + * Create STSPropertiesMBean object + */ + private STSPropertiesMBean createSTSPropertiesMBean(Crypto crypto) throws WSSecurityException { + STSPropertiesMBean stsProperties = new StaticSTSProperties(); + stsProperties.setEncryptionCrypto(crypto); + stsProperties.setSignatureCrypto(crypto); + stsProperties.setEncryptionUsername("myservicekey"); + stsProperties.setSignatureUsername("mystskey"); + stsProperties.setCallbackHandler(new PasswordCallbackHandler()); + stsProperties.setIssuer("STS"); + return stsProperties; + } + + private Map<String, SAMLRealm> createSamlRealms() { // Create Realms Map<String, SAMLRealm> samlRealms = new HashMap<String, SAMLRealm>(); SAMLRealm samlRealm = new SAMLRealm(); 
@@ -491,11 +825,91 @@ public class ValidateTokenTransformation private Element createClaimsType(Document doc) { Element claimType = doc.createElementNS(STSConstants.IDT_NS_05_05, "ClaimType"); claimType.setAttributeNS( - null, "Uri", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" + null, "Uri", ClaimTypes.LASTNAME.toString() ); claimType.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", STSConstants.IDT_NS_05_05); return claimType; } + /* + * Mock up an SAML assertion element + */ + private Element createSAMLAssertion( + String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler, + Map<String, SAMLRealm> realms + ) throws WSSecurityException { + + SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider(); + samlTokenProvider.setRealmMap(realms); + List<AttributeStatementProvider> customProviderList = + new ArrayList<AttributeStatementProvider>(); + customProviderList.add(new ClaimsAttributeStatementProvider()); + samlTokenProvider.setAttributeStatementProviders(customProviderList); + + TokenProviderParameters providerParameters = + createProviderParameters( + tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler + ); + if (realms != null) { + providerParameters.setRealm("A"); + } + + // Set the ClaimsManager + ClaimsManager claimsManager = new ClaimsManager(); + ClaimsHandler claimsHandler = new CustomClaimsHandler(); + claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler)); + providerParameters.setClaimsManager(claimsManager); + + RequestClaimCollection requestedClaims = new RequestClaimCollection(); + RequestClaim requestClaim = new RequestClaim(); + requestClaim.setClaimType(ClaimTypes.LASTNAME); + requestClaim.setOptional(false); + requestedClaims.add(requestClaim); + providerParameters.setRequestedClaims(requestedClaims); + + TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); + assertTrue(providerResponse != null); + 
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null); + + return providerResponse.getToken(); + } + + private TokenProviderParameters createProviderParameters( + String tokenType, String keyType, Crypto crypto, + String signatureUsername, CallbackHandler callbackHandler + ) throws WSSecurityException { + TokenProviderParameters parameters = new TokenProviderParameters(); + + TokenRequirements tokenRequirements = new TokenRequirements(); + tokenRequirements.setTokenType(tokenType); + parameters.setTokenRequirements(tokenRequirements); + + KeyRequirements keyRequirements = new KeyRequirements(); + keyRequirements.setKeyType(keyType); + parameters.setKeyRequirements(keyRequirements); + + parameters.setPrincipal(new CustomTokenPrincipal("alice")); + // Mock up message context + MessageImpl msg = new MessageImpl(); + WrappedMessageContext msgCtx = new WrappedMessageContext(msg); + WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx); + parameters.setWebServiceContext(webServiceContext); + + parameters.setAppliesToAddress("http://dummy-service.com/dummy"); + + // Add STSProperties object + StaticSTSProperties stsProperties = new StaticSTSProperties(); + stsProperties.setSignatureCrypto(crypto); + stsProperties.setSignatureUsername(signatureUsername); + stsProperties.setCallbackHandler(callbackHandler); + stsProperties.setIssuer("STS"); + parameters.setStsProperties(stsProperties); + + parameters.setEncryptionProperties(new EncryptionProperties()); + + return parameters; + } + + }
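Review bot: `createProviderParameters` hard-codes the issuing principal as `new CustomTokenPrincipal("alice")` while taking `signatureUsername` and `callbackHandler` as parameters, and the callers' `contains("alice")`/`contains("ALICE")` assertions silently depend on that literal; either add a `String principalName` parameter or document it, e.g. `// the SAML subject is always "alice"; callers assert on this name`. In `createSAMLAssertion`, `samlTokenProvider.setRealmMap(realms)` runs unconditionally but `providerParameters.setRealm("A")` only when `realms != null`, so a null map would yield a realm-less token that none of the current callers exercise; a short comment saying so, or removing the guard, would stop a reader assuming the null path is covered. `assertTrue(providerResponse != null)` and the combined `getToken() != null && getTokenId() != null` check should become `assertNotNull(providerResponse);`, `assertNotNull(providerResponse.getToken());` and `assertNotNull(providerResponse.getTokenId());` so a failure names the missing field.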
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderOnBehalfOfTest.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderOnBehalfOfTest.java?rev=1297588&r1=1297587&r2=1297588&view=diff ============================================================================== --- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderOnBehalfOfTest.java (original) +++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderOnBehalfOfTest.java Tue Mar 6 17:33:04 2012 @@ -36,6 +36,7 @@ import org.apache.cxf.sts.common.CustomA import org.apache.cxf.sts.common.PasswordCallbackHandler; import org.apache.cxf.sts.request.KeyRequirements; import org.apache.cxf.sts.request.ReceivedToken; +import org.apache.cxf.sts.request.ReceivedToken.STATE; import org.apache.cxf.sts.request.TokenRequirements; import org.apache.cxf.sts.service.EncryptionProperties; import org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString; @@ -72,6 +73,10 @@ public class SAMLProviderOnBehalfOfTest createProviderParameters( WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, usernameTokenType ); + //Principal must be set in ReceivedToken/OnBehalfOf + providerParameters.getTokenRequirements().getOnBehalfOf().setPrincipal( + new CustomTokenPrincipal(username.getValue())); + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE)); TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); assertTrue(providerResponse != null); 
@@ -92,12 +97,17 @@ public class SAMLProviderOnBehalfOfTest public void testDefaultSaml2OnBehalfOfAssertion() throws Exception { TokenProvider samlTokenProvider = new SAMLTokenProvider(); - Element saml1Assertion = getSAMLAssertion(); + String user = "alice"; + Element saml1Assertion = getSAMLAssertion(user); TokenProviderParameters providerParameters = createProviderParameters( WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, saml1Assertion ); + //Principal must be set in ReceivedToken/OnBehalfOf + providerParameters.getTokenRequirements().getOnBehalfOf().setPrincipal( + new CustomTokenPrincipal(user)); + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE)); TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); assertTrue(providerResponse != null); @@ -107,6 +117,7 @@ public class SAMLProviderOnBehalfOfTest String tokenString = DOM2Writer.nodeToString(token); assertTrue(tokenString.contains(providerResponse.getTokenId())); assertTrue(tokenString.contains("AttributeStatement")); + assertTrue(tokenString.contains(user)); assertTrue(tokenString.contains("OnBehalfOf")); } @@ -131,6 +142,10 @@ public class SAMLProviderOnBehalfOfTest createProviderParameters( WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, usernameTokenType ); + //Principal must be set in ReceivedToken/OnBehalfOf + providerParameters.getTokenRequirements().getOnBehalfOf().setPrincipal( + new CustomTokenPrincipal(username.getValue())); + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE)); TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); assertTrue(providerResponse != null); 
@@ -163,10 +178,11 @@ public class SAMLProviderOnBehalfOfTest } - private Element getSAMLAssertion() throws Exception { + private Element getSAMLAssertion(String user) throws Exception { TokenProvider samlTokenProvider = new SAMLTokenProvider(); TokenProviderParameters providerParameters = createProviderParameters(WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, null); + providerParameters.setPrincipal(new CustomTokenPrincipal(user)); assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE)); TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); assertTrue(providerResponse != null); @@ -186,7 +202,9 @@ public class SAMLProviderOnBehalfOfTest if (onBehalfOf != null) { ReceivedToken onBehalfOfToken = new ReceivedToken(onBehalfOf); + onBehalfOfToken.setValidationState(STATE.VALID); tokenRequirements.setOnBehalfOf(onBehalfOfToken); + } parameters.setTokenRequirements(tokenRequirements); Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/DoubleItPortTypeImpl.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/DoubleItPortTypeImpl.java?rev=1297588&r1=1297587&r2=1297588&view=diff ============================================================================== --- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/DoubleItPortTypeImpl.java (original) +++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/DoubleItPortTypeImpl.java Tue Mar 6 17:33:04 2012 
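Review bot: `createProviderParameters` now marks the `OnBehalfOf` ReceivedToken as `STATE.VALID` although nothing has validated it, and the only nearby explanation is the unrelated `//Principal must be set in ReceivedToken/OnBehalfOf` comments in the test bodies; the new line deserves its own comment saying it stands in for the validation the issue operation performs in production, e.g. `// no TokenValidator runs in this unit test; emulate a successful validation so the provider accepts the OnBehalfOf token`. The hunk also appears to add a blank line immediately before the `if` block's closing brace, which looks accidental. The enclosing `createProviderParameters` method starts and ends outside the hunk.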
@@ -42,7 +42,6 @@ public class DoubleItPortTypeImpl implem Assert.assertNotNull("Principal must not be null", pr); Assert.assertNotNull("Principal.getName() must not return null", pr.getName()); - return numberToDouble * 2; } Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java?rev=1297588&r1=1297587&r2=1297588&view=diff ============================================================================== --- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java (original) +++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java Tue Mar 6 17:33:04 2012 
@@ -87,6 +87,7 @@ public class IntermediaryCachingPortType Assert.assertNotNull("Principal must not be null", pr); Assert.assertNotNull("Principal.getName() must not return null", pr.getName()); + Assert.assertEquals("Princiapl must be alice", "alice", pr.getName()); // Disable the STSClient after the first invocation if (i > 0) { Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameTokenValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameTokenValidator.java?rev=1297588&view=auto ============================================================================== --- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameTokenValidator.java (added) +++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameTokenValidator.java Tue Mar 6 17:33:04 2012 
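Review bot: The new assertion message has a typo, `"Princiapl must be alice"`; it should read `Assert.assertEquals("Principal must be alice", "alice", pr.getName());`. The check itself is worth having: it pins that the token reaching this service still names the original subject rather than whichever principal the intermediary authenticated as, assuming that is the scenario's intent. The enclosing method starts and ends outside this hunk.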
@@ -0,0 +1,69 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.sts.username_onbehalfof; + +import org.apache.cxf.sts.request.ReceivedToken; +import org.apache.cxf.sts.request.TokenRequirements; +import org.apache.cxf.sts.token.validator.TokenValidator; +import org.apache.cxf.sts.token.validator.TokenValidatorParameters; +import org.apache.cxf.sts.token.validator.TokenValidatorResponse; +import org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType; +import org.apache.ws.security.CustomTokenPrincipal; + +public class UsernameTokenValidator implements TokenValidator { + + /** + * Return true if this TokenValidator implementation is capable of validating the + * ReceivedToken argument. + */ + public boolean canHandleToken(ReceivedToken validateTarget) { + return canHandleToken(validateTarget, null); + } + + /** + * Return true if this TokenValidator implementation is capable of validating the + * ReceivedToken argument. The realm is ignored in this token Validator. 
+ */ + public boolean canHandleToken(ReceivedToken validateTarget, String realm) { + if (validateTarget.getToken() instanceof UsernameTokenType) { + return true; + } + return false; + } + + /** + * Validate a Token using the given TokenValidatorParameters. + */ + public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) { + TokenRequirements tokenRequirements = tokenParameters.getTokenRequirements(); + ReceivedToken validateTarget = tokenRequirements.getValidateTarget(); + + UsernameTokenType usernameTokenType = (UsernameTokenType)validateTarget.getToken(); + // Ignore the fact that no password is provided + // Some other requirements must be met to issue a token onbehalfof a subject + // whose authentication is not proofen + TokenValidatorResponse response = new TokenValidatorResponse(); + response.setValid(true); + response.setPrincipal(new CustomTokenPrincipal(usernameTokenType.getUsername().getValue())); + + return response; + } + +} + Modified: cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml?rev=1297588&r1=1297587&r2=1297588&view=diff ============================================================================== --- cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml (original) +++ cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml Tue Mar 6 17:33:04 2012 
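Review bot: `validateToken` returns `setValid(true)` for any `UsernameTokenType` and sets the principal to whatever username the token carries without checking a password (the comment admits this, `// Ignore the fact that no password is provided`), yet the class is named `UsernameTokenValidator`, the same simple name as `org.apache.cxf.sts.token.validator.UsernameTokenValidator` that the STS ships; a copied bean class name in a non-test deployment would swap a real validator for one that accepts any asserted identity. Rename it to say what it does, e.g. `TestOnlyUnauthenticatedUsernameTokenValidator`, and give the class a Javadoc stating it is a systest fixture that deliberately performs no password verification and relies on the issue operation's other OnBehalfOf requirements. `usernameTokenType.getUsername()` is dereferenced without a null check, so a UsernameToken lacking a `Username` element ends in a `NullPointerException` instead of an invalid result; guard it with `if (usernameTokenType.getUsername() == null) { return response; }` placed before `setValid(true)` (assuming a fresh `TokenValidatorResponse` reports not-valid; otherwise set it explicitly). The two-argument `canHandleToken` can simply be `return validateTarget.getToken() instanceof UsernameTokenType;`, and the comment typo `proofen` should be `proven`.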
@@ -55,6 +55,7 @@ <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation"> <property name="tokenProviders" ref="transportTokenProviders" /> + <property name="tokenValidators" ref="transportTokenValidators" /> <property name="services" ref="transportService" /> <property name="stsProperties" ref="transportSTSProperties" /> </bean> Modified: cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-x509.xml URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-x509.xml?rev=1297588&r1=1297587&r2=1297588&view=diff ============================================================================== --- cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-x509.xml (original) +++ cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-x509.xml Tue Mar 6 17:33:04 2012 @@ -49,6 +49,7 @@ <bean id="x509IssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation"> <property name="tokenProviders" ref="x509SamlTokenProvider" /> + <property name="tokenValidators" ref="x509TokenValidatorsOBO" /> <property name="services" ref="x509Service" /> <property name="stsProperties" ref="x509STSProperties" /> </bean> @@ -63,6 +64,11 @@ <bean id="x509SamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"> </bean> + + <util:list id="x509TokenValidatorsOBO"> + <ref bean="x509SamlTokenValidator" /> + <bean class="org.apache.cxf.systest.sts.username_onbehalfof.UsernameTokenValidator" /> + </util:list> <bean id="x509Service" class="org.apache.cxf.sts.service.StaticService"> <property name="endpoints" ref="x509Endpoints" />
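Review bot: The new `tokenValidators` property points at `transportTokenValidators`, but no bean with that id is added in this diff, unlike `x509TokenValidatorsOBO` which the cxf-x509.xml hunk defines; if the list is not declared elsewhere in cxf-transport.xml the Spring context will fail to start on an unresolved reference. Please confirm the definition exists or add it, and say in an XML comment which validators it holds. The enclosing `<beans>` element lies outside the hunk.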
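Review bot: `x509TokenValidatorsOBO` wires `org.apache.cxf.systest.sts.username_onbehalfof.UsernameTokenValidator`, the new validator that accepts a UsernameToken with no password check, into the issue delegate of the x509 endpoint (the `@@ -49` hunk of this file), and nothing in the configuration marks it as a test fixture; XML under `deployment/` is exactly the kind of file that gets copied as a template. Add a comment above the list, e.g. `<!-- systest only: accepts an unauthenticated UsernameToken as OnBehalfOf; never use outside tests -->`, so the intent survives a copy. Raised once here rather than at the `@@ -49` hunk, which only adds the reference.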
