Author: coheigea
Date: Wed Jun 5 15:51:40 2013
New Revision: 1489929
URL: http://svn.apache.org/r1489929
Log:
[FEDIZ-4] - Added support + a testcase for holder-of-key assertions
- Updated systest keys so that the client at least uses a different keystore
Added:
cxf/fediz/trunk/systests/jetty8/src/test/resources/client.jks (with props)
cxf/fediz/trunk/systests/spring/src/test/resources/client.jks (with props)
cxf/fediz/trunk/systests/tomcat7/src/test/resources/client.jks (with
props)
Modified:
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
cxf/fediz/trunk/systests/jetty8/src/test/resources/server.jks
cxf/fediz/trunk/systests/spring/src/test/resources/server.jks
cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java
cxf/fediz/trunk/systests/tomcat7/src/test/resources/server.jks
Modified:
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java?rev=1489929&r1=1489928&r2=1489929&view=diff
==============================================================================
---
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
(original)
+++
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
Wed Jun 5 15:51:40 2013
@@ -93,7 +93,7 @@ public class STSClientAction {
private boolean isPortSet;
- private String keyType =
HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER;
+ private String keyType =
HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY;
public String getWsdlLocation() {
return wsdlLocation;
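Review bot: The new default for `keyType` is PublicKey, but the later hunk in this file replaces it with Bearer at runtime whenever the servlet request carries no client certificate, so the field's declared default is not the value a reader can rely on; a comment on the field would make that explicit, e.g. `// Default to PublicKey (holder-of-key); overridden to Bearer at request time when no client certificate is present`. The enclosing class continues outside this hunk.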
@@ -176,8 +176,7 @@ public class STSClientAction {
(X509Certificate[])servletRequest.getAttribute("javax.servlet.request.X509Certificate");
if (certs != null && certs.length > 0) {
sts.setUseCertificateForConfirmationKeyInfo(true);
- // TODO uncomment once we pick up CXF 2.7.5.
- // sts.setUseKeyCertificate(certs[0]);
+ sts.setUseKeyCertificate(certs[0]);
} else {
LOG.info("Can't send a PublicKey KeyType as no client
certs are available");
sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
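Review bot: The else branch silently downgrades the requested token from PublicKey (holder-of-key) to Bearer whenever `certs` is null or empty, and does so at INFO level, so a deployment that explicitly configured holder-of-key gets a weaker confirmation method with nothing in the logs that looks like a problem. The downgrade should at least be logged at WARN, e.g. `LOG.warn("No client certificate available; falling back to Bearer KeyType");`, and it is worth considering whether an explicitly configured PublicKey keyType should fail the request rather than fall back. `certs[0]` is presumably the end-entity certificate as exposed by the servlet container; a short comment saying so would help. The enclosing method starts and ends outside this hunk.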
Added: cxf/fediz/trunk/systests/jetty8/src/test/resources/client.jks
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/jetty8/src/test/resources/client.jks?rev=1489929&view=auto
==============================================================================
Binary file - no diff available.
Propchange: cxf/fediz/trunk/systests/jetty8/src/test/resources/client.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Modified: cxf/fediz/trunk/systests/jetty8/src/test/resources/server.jks
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/jetty8/src/test/resources/server.jks?rev=1489929&r1=1489928&r2=1489929&view=diff
==============================================================================
Files cxf/fediz/trunk/systests/jetty8/src/test/resources/server.jks (original)
and cxf/fediz/trunk/systests/jetty8/src/test/resources/server.jks Wed Jun 5
15:51:40 2013 differ
Added: cxf/fediz/trunk/systests/spring/src/test/resources/client.jks
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/spring/src/test/resources/client.jks?rev=1489929&view=auto
==============================================================================
Binary file - no diff available.
Propchange: cxf/fediz/trunk/systests/spring/src/test/resources/client.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Modified: cxf/fediz/trunk/systests/spring/src/test/resources/server.jks
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/spring/src/test/resources/server.jks?rev=1489929&r1=1489928&r2=1489929&view=diff
==============================================================================
Files cxf/fediz/trunk/systests/spring/src/test/resources/server.jks (original)
and cxf/fediz/trunk/systests/spring/src/test/resources/server.jks Wed Jun 5
15:51:40 2013 differ
Modified:
cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java?rev=1489929&r1=1489928&r2=1489929&view=diff
==============================================================================
---
cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
(original)
+++
cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
Wed Jun 5 15:51:40 2013
@@ -170,9 +170,9 @@ public abstract class AbstractTests {
new UsernamePasswordCredentials(user, password));
KeyStore trustStore =
KeyStore.getInstance(KeyStore.getDefaultType());
- FileInputStream instream = new FileInputStream(new
File("./target/test-classes/server.jks"));
+ FileInputStream instream = new FileInputStream(new
File("./target/test-classes/client.jks"));
try {
- trustStore.load(instream, "tompass".toCharArray());
+ trustStore.load(instream, "clientpass".toCharArray());
} finally {
try {
instream.close();
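Review bot: The trust store path `./target/test-classes/client.jks` and the password `clientpass` are hard-coded here and again in the new `sendHttpGetClientAuth` helper in TomcatTest in this same commit, so regenerating the test keys means editing both places; lifting them to protected constants on AbstractTests, e.g. `protected static final String CLIENT_KEYSTORE = "./target/test-classes/client.jks";` and `protected static final String CLIENT_KEYSTORE_PASSWORD = "clientpass";`, keeps the two clients in step. The enclosing method starts and ends outside this hunk.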
Modified:
cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java?rev=1489929&r1=1489928&r2=1489929&view=diff
==============================================================================
---
cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java
(original)
+++
cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java
Wed Jun 5 15:51:40 2013
@@ -21,12 +21,38 @@ package org.apache.cxf.fediz.integration
import java.io.File;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.util.ArrayList;
+import java.util.List;
+
+import net.htmlparser.jericho.Element;
+import net.htmlparser.jericho.FormField;
+import net.htmlparser.jericho.FormFields;
+import net.htmlparser.jericho.HTMLElementName;
+import net.htmlparser.jericho.Source;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleState;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
+import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.tomcat.FederationAuthenticator;
+import org.apache.http.Consts;
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpResponse;
+import org.apache.http.NameValuePair;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.conn.scheme.Scheme;
+import org.apache.http.conn.ssl.SSLSocketFactory;
+import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.impl.client.LaxRedirectStrategy;
+import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.util.EntityUtils;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
@@ -77,7 +103,10 @@ public class TomcatTest extends Abstract
//httpsConnector.setAttribute("keyAlias", keyAlias);
httpsConnector.setAttribute("keystorePass", "tompass");
httpsConnector.setAttribute("keystoreFile",
"test-classes/server.jks");
- httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile",
"test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
httpsConnector.setAttribute("sslProtocol", "TLS");
httpsConnector.setAttribute("SSLEnabled", true);
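Review bot: The connector now validates client certificates against `test-classes/server.jks`, the same file that holds the server's own key, and nothing in the test states which trusted entry in that file the client certificate in the added client.jks is expected to chain to; a one-line comment such as `// clientAuth=want: client certs are verified against the trusted entries in server.jks (matching key in client.jks)` would save the next person from opening both keystores to find out. The commented-out `// httpsConnector.setAttribute("clientAuth", "false");` line is dead code and should be dropped rather than kept beside the live setting. The same two points apply to the second connector block (the `-110,7 +139,10` hunk), where the live and commented-out lines are additionally in the opposite order. The enclosing method starts and ends outside this hunk.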
@@ -110,7 +139,10 @@ public class TomcatTest extends Abstract
//httpsConnector.setAttribute("keyAlias", keyAlias);
httpsConnector.setAttribute("keystorePass", "tompass");
httpsConnector.setAttribute("keystoreFile",
"test-classes/server.jks");
- httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile",
"test-classes/server.jks");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("clientAuth", "want");
httpsConnector.setAttribute("sslProtocol", "TLS");
httpsConnector.setAttribute("SSLEnabled", true);
@@ -172,4 +204,121 @@ public class TomcatTest extends Abstract
return "fedizhelloworld";
}
+ @org.junit.Test
+ public void testUserAliceClientAuth() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() +
"/fedizhelloworld/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+ String response = sendHttpGetClientAuth(url, user, password, 200, 200);
+
+ Assert.assertTrue("Principal not " + user,
response.indexOf("userPrincipal=" + user) > 0);
+ Assert.assertTrue("User " + user + " does not have role Admin",
response.indexOf("role:Admin=false") > 0);
+ Assert.assertTrue("User " + user + " does not have role Manager",
response.indexOf("role:Manager=false") > 0);
+ Assert.assertTrue("User " + user + " must have role User",
response.indexOf("role:User=true") > 0);
+
+ String claim = ClaimTypes.FIRSTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not
'Alice'",
+ response.indexOf(claim + "=Alice") > 0);
+ claim = ClaimTypes.LASTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not
'Smith'",
+ response.indexOf(claim + "=Smith") > 0);
+ claim = ClaimTypes.EMAILADDRESS.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not
'[email protected]'",
+ response.indexOf(claim + "[email protected]") >
0);
+
+ }
+
+ private String sendHttpGetClientAuth(String url, String user, String
password, int returnCodeIDP, int returnCodeRP)
+ throws Exception {
+ DefaultHttpClient httpclient = new DefaultHttpClient();
+ try {
+ httpclient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost",
Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ KeyStore trustStore =
KeyStore.getInstance(KeyStore.getDefaultType());
+ FileInputStream instream = new FileInputStream(new
File("./target/test-classes/client.jks"));
+ try {
+ trustStore.load(instream, "clientpass".toCharArray());
+ } finally {
+ try {
+ instream.close();
+ } catch (Exception ex) {
+ ex.printStackTrace();
+ }
+ }
+
+ SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore,
"clientpass", trustStore);
+ Scheme schIdp = new Scheme("https",
Integer.parseInt(getIdpHttpsPort()), socketFactory);
+
httpclient.getConnectionManager().getSchemeRegistry().register(schIdp);
+ Scheme schRp = new Scheme("https",
Integer.parseInt(getRpHttpsPort()), socketFactory);
+
httpclient.getConnectionManager().getSchemeRegistry().register(schRp);
+
+ HttpGet httpget = new HttpGet(url);
+
+ HttpResponse response = httpclient.execute(httpget);
+ HttpEntity entity = response.getEntity();
+
+ System.out.println(response.getStatusLine());
+ if (entity != null) {
+ System.out.println("Response content length: " +
entity.getContentLength());
+ }
+ Assert.assertTrue("IDP HTTP Response code: " +
response.getStatusLine().getStatusCode()
+ + " [Expected: " + returnCodeIDP + "]",
+ returnCodeIDP ==
response.getStatusLine().getStatusCode());
+
+ if (response.getStatusLine().getStatusCode() != 200) {
+ return null;
+ }
+
+ // Redirect to a POST is not supported without user
interaction
+ // http://www.ietf.org/rfc/rfc2616.txt
+ // If the 301 status code is received in response to a
request other
+ // than GET or HEAD, the user agent MUST NOT
automatically redirect the
+ // request unless it can be confirmed by the user,
since this might
+ // change the conditions under which the request was
issued.
+
+ httpclient.setRedirectStrategy(new LaxRedirectStrategy());
+
+ Source source = new Source(EntityUtils.toString(entity));
+ List <NameValuePair> nvps = new ArrayList <NameValuePair>();
+ FormFields formFields = source.getFormFields();
+
+ List<Element> forms = source.getAllElements(HTMLElementName.FORM);
+ Assert.assertEquals("Only one form expected but got " +
forms.size(), 1, forms.size());
+ String postUrl = forms.get(0).getAttributeValue("action");
+
+ Assert.assertNotNull("Form field 'wa' not found",
formFields.get("wa"));
+ Assert.assertNotNull("Form field 'wresult' not found",
formFields.get("wresult"));
+
+ for (FormField formField : formFields) {
+ if (formField.getUserValueCount() != 0) {
+ nvps.add(new BasicNameValuePair(formField.getName(),
+ formField.getValues().get(0)));
+ }
+ }
+ HttpPost httppost = new HttpPost(postUrl);
+ httppost.setEntity(new UrlEncodedFormEntity(nvps, Consts.UTF_8));
+
+ response = httpclient.execute(httppost);
+
+ entity = response.getEntity();
+ System.out.println(response.getStatusLine());
+ Assert.assertTrue("RP HTTP Response code: " +
response.getStatusLine().getStatusCode()
+ + " [Expected: " + returnCodeRP + "]",
+ returnCodeRP ==
response.getStatusLine().getStatusCode());
+
+ if (entity != null) {
+ System.out.println("Response content length: " +
entity.getContentLength());
+ }
+
+ return EntityUtils.toString(entity);
+ } finally {
+ // When HttpClient instance is no longer needed,
+ // shut down the connection manager to ensure
+ // immediate deallocation of all system resources
+ httpclient.getConnectionManager().shutdown();
+ }
+
+ }
}
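Review bot: `testUserAliceClientAuth` asserts only the principal, roles and claims, which the bearer-token tests already cover, so it would still pass if the IdP took its no-client-certificate fallback and issued a Bearer assertion instead of a holder-of-key one; the `wresult` form field that `sendHttpGetClientAuth` already extracts carries the issued token, so checking that its subject confirmation is holder-of-key rather than bearer would actually pin the new behaviour. `sendHttpGetClientAuth` also duplicates the keystore-loading and form-posting flow of the AbstractTests helper touched in this commit, differing only in the `SSLSocketFactory` key store arguments, so a parameter on the shared helper would avoid two copies of the login sequence. The helper has no Javadoc; a short one stating that it returns the RP response body, or `null` when the IdP status is not 200, and that `returnCodeIDP` and `returnCodeRP` are asserted against the IdP and RP status lines respectively, would make the two int parameters self-explanatory.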
Added: cxf/fediz/trunk/systests/tomcat7/src/test/resources/client.jks
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tomcat7/src/test/resources/client.jks?rev=1489929&view=auto
==============================================================================
Binary file - no diff available.
Propchange: cxf/fediz/trunk/systests/tomcat7/src/test/resources/client.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Modified: cxf/fediz/trunk/systests/tomcat7/src/test/resources/server.jks
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tomcat7/src/test/resources/server.jks?rev=1489929&r1=1489928&r2=1489929&view=diff
==============================================================================
Files cxf/fediz/trunk/systests/tomcat7/src/test/resources/server.jks (original)
and cxf/fediz/trunk/systests/tomcat7/src/test/resources/server.jks Wed Jun 5
15:51:40 2013 differ