[CXF-6047] - Extend the STSTokenValidator to be able to call the issue binding
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/65b9eaad Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/65b9eaad Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/65b9eaad Branch: refs/heads/3.0.x-fixes Commit: 65b9eaad9a6845163c03f34faa67d758ceac7536 Parents: 72359ae Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Oct 13 15:37:11 2014 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Oct 13 15:39:49 2014 +0100 ---------------------------------------------------------------------- .../ws/security/trust/STSTokenValidator.java | 58 ++++++- .../custom_onbehalfof/CustomOnBehalfOfTest.java | 1 - .../sts/custom_onbehalfof/STSServer.java | 50 ++++++ .../sts/usernametoken/UsernameTokenTest.java | 72 ++++++++- .../systest/sts/custom_onbehalfof/cxf-sts.xml | 152 +++++++++++++++++++ .../cxf/systest/sts/deployment/cxf-sts.xml | 1 + .../cxf/systest/sts/usernametoken/DoubleIt.wsdl | 3 + .../sts/usernametoken/cxf-bad-client.xml | 6 + .../systest/sts/usernametoken/cxf-client.xml | 7 + .../systest/sts/usernametoken/cxf-service.xml | 44 ++++++ 10 files changed, 389 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java index 88ae9d6..686933d 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java 
@@ -19,8 +19,14 @@ package org.apache.cxf.ws.security.trust;
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.List;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
 import org.w3c.dom.Element;
 import org.apache.cxf.endpoint.Endpoint;
@@ -30,6 +36,7 @@ import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
+import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.handler.RequestData;
@@ -37,11 +44,14 @@ import org.apache.wss4j.dom.validate.Credential;
 import org.apache.wss4j.dom.validate.Validator;
 /**
- *
+ * A WSS4J-based Validator to validate a received WS-Security credential by dispatching
+ * it to a STS via WS-Trust. The default binding is "validate", but "issue" using "OnBehalfOf"
+ * is also possible by setting the "useIssueBinding" property.
 */
 public class STSTokenValidator implements Validator {
 private STSSamlAssertionValidator samlValidator = new STSSamlAssertionValidator();
 private boolean alwaysValidateToSts;
+ private boolean useIssueBinding;
 public STSTokenValidator() {
 }
@@ -102,8 +112,19 @@ public class STSTokenValidator implements Validator {
 STSClient c = STSUtils.getClient(message, "sts");
 synchronized (c) {
 System.setProperty("noprint", "true");
- List<SecurityToken> tokens = c.validateSecurityToken(token);
- SecurityToken returnedToken = tokens.get(0);
+
+ SecurityToken returnedToken = null;
+
+ if (useIssueBinding) {
+ ElementCallbackHandler callbackHandler = new ElementCallbackHandler(tokenElement);
+ c.setOnBehalfOf(callbackHandler);
+ returnedToken = c.requestSecurityToken();
+ c.setOnBehalfOf(null);
+ } else {
+ List<SecurityToken> tokens = c.validateSecurityToken(token);
+ returnedToken = tokens.get(0);
+ }
+
 if (returnedToken != token) {
 SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken());
 credential.setTransformedToken(assertion);
@@ -169,4 +190,35 @@ public class STSTokenValidator implements Validator {
 }
 return null;
 }
+
+ public boolean isUseIssueBinding() {
+ return useIssueBinding;
+ }
+
+ public void setUseIssueBinding(boolean useIssueBinding) {
+ this.useIssueBinding = useIssueBinding;
+ }
+
+ private static class ElementCallbackHandler implements CallbackHandler {
+
+ private final Element tokenElement;
+
+ public ElementCallbackHandler(Element tokenElement) {
+ this.tokenElement = tokenElement;
+ }
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof DelegationCallback) {
+ DelegationCallback callback = (DelegationCallback) callbacks[i];
+
+ callback.setToken(tokenElement);
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+ }
+ }
+ }
+ }
+ }
http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/CustomOnBehalfOfTest.java ----------------------------------------------------------------------
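Review bot: In the `useIssueBinding` branch `c.setOnBehalfOf(null)` is reached only when `c.requestSecurityToken()` returns normally; if it throws, the `ElementCallbackHandler` holding this request's `tokenElement` stays installed on the `STSClient`, and since that client comes from `STSUtils.getClient(message, "sts")` and is guarded by `synchronized (c)` it appears to be shared across requests, so a later caller could be issued a token on behalf of the earlier caller's credential. Clear it in a finally block: `c.setOnBehalfOf(callbackHandler); try { returnedToken = c.requestSecurityToken(); } finally { c.setOnBehalfOf(null); }`. `setUseIssueBinding` has no Javadoc; it should state that in issue mode the validator trusts the STS to validate the OnBehalfOf token (the deployment cxf-sts.xml in this commit adds `tokenValidators` to the issue operation, presumably for that reason) and that the issued token is expected to be SAML, since the context line wraps `returnedToken.getToken()` in `SamlAssertionWrapper` unconditionally. `ElementCallbackHandler.handle` should also carry `@Override`. The method containing the first hunk starts before it.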
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/CustomOnBehalfOfTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/CustomOnBehalfOfTest.java index 22a931d..7ec2c0d 100644 --- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/CustomOnBehalfOfTest.java +++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/CustomOnBehalfOfTest.java @@ -27,7 +27,6 @@ import javax.xml.ws.Service; import org.apache.cxf.Bus; import org.apache.cxf.bus.spring.SpringBusFactory; import org.apache.cxf.systest.sts.common.SecurityTestUtil; -import org.apache.cxf.systest.sts.deployment.STSServer; import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; import org.example.contract.doubleit.DoubleItPortType; http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/STSServer.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/STSServer.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/STSServer.java new file mode 100644 index 0000000..c956b70 --- /dev/null +++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom_onbehalfof/STSServer.java 
@@ -0,0 +1,50 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.sts.custom_onbehalfof; + +import java.net.URL; + +import org.apache.cxf.Bus; +import org.apache.cxf.BusFactory; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.testutil.common.AbstractBusTestServerBase; + +public class STSServer extends AbstractBusTestServerBase { + + public STSServer() { + + } + + protected void run() { + URL busFile = STSServer.class.getResource("cxf-sts.xml"); + Bus busLocal = new SpringBusFactory().createBus(busFile); + BusFactory.setDefaultBus(busLocal); + setBus(busLocal); + + try { + new STSServer(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + public static void main(String args[]) { + new STSServer().run(); + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java ---------------------------------------------------------------------- 
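Review bot: In `run()` the block `try { new STSServer(); } catch (Exception e) { e.printStackTrace(); }` builds a second instance and discards it; the no-arg constructor is empty, so the block does nothing and the catch can never fire, and it can be dropped together with the empty constructor. `public static void main(String args[])` uses the C-style array declaration; `String[] args` is the Java form.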
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java index 8c63cf2..02158ea 100644 --- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java +++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/usernametoken/UsernameTokenTest.java @@ -39,7 +39,10 @@ import org.junit.runners.Parameterized.Parameters; /** * In this test case, a CXF client sends a Username Token via (1-way) TLS to a CXF provider. - * The provider dispatches the Username Token to an STS for validation (via TLS). + * The provider dispatches the Username Token to an STS for validation (via TLS). It also + * includes a test where the service provider sends the token for validation using the + * WS-Trust "Issue" binding, and sending the token "OnBehalfOf". Roles are also requested, and + * access is only granted to the service if the "admin-user" role is in effect. */ @RunWith(value = org.junit.runners.Parameterized.class) public class UsernameTokenTest extends AbstractBusClientServerTestBase { 
@@ -164,6 +167,73 @@ public class UsernameTokenTest extends AbstractBusClientServerTestBase { ((java.io.Closeable)transportUTPort).close(); bus.shutdown(true); } + + @org.junit.Test + public void testUsernameTokenAuthorization() throws Exception { + // Token transformation is not supported for the streaming code + if (STAX_PORT.equals(test.getPort())) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = UsernameTokenTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = UsernameTokenTest.class.getResource("DoubleIt.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItTransportUTAuthorizationPort"); + DoubleItPortType transportUTPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(transportUTPort, test.getPort()); + + if (test.isStreaming()) { + SecurityTestUtil.enableStreaming(transportUTPort); + } + + doubleIt(transportUTPort, 25); + + ((java.io.Closeable)transportUTPort).close(); + bus.shutdown(true); + } + + @org.junit.Test + public void testUnauthorizedUsernameToken() throws Exception { + // Token transformation is not supported for the streaming code + if (STAX_PORT.equals(test.getPort())) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = UsernameTokenTest.class.getResource("cxf-bad-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = UsernameTokenTest.class.getResource("DoubleIt.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItTransportUTAuthorizationPort"); + DoubleItPortType transportUTPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(transportUTPort, test.getPort()); + + if 
(test.isStreaming()) { + SecurityTestUtil.enableStreaming(transportUTPort); + } + + try { + doubleIt(transportUTPort, 30); + fail("Expected failure on a bad password"); + } catch (javax.xml.ws.soap.SOAPFaultException fault) { + // expected + } + + ((java.io.Closeable)transportUTPort).close(); + bus.shutdown(true); + } private static void doubleIt(DoubleItPortType port, int numToDouble) { int resp = port.doubleIt(numToDouble); http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/custom_onbehalfof/cxf-sts.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/custom_onbehalfof/cxf-sts.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/custom_onbehalfof/cxf-sts.xml new file mode 100644 index 0000000..3f237ab --- /dev/null +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/custom_onbehalfof/cxf-sts.xml 
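Review bot: `testUnauthorizedUsernameToken` accepts any `SOAPFaultException`, and its `fail("Expected failure on a bad password")` message shows the rejection comes from the credential, not from the `admin-user` role requirement the class Javadoc describes; cxf-bad-client.xml gives the new `DoubleItTransportUTAuthorizationPort` client the same `trombone` password as the existing bad client. The denial path of `SimpleAuthorizingInterceptor` is therefore never exercised; a client with valid credentials but without the `admin-user` role would cover it, and asserting on the fault string or code would tell the two rejections apart. The method name should then match the condition actually tested, or be renamed to something like `testBadPasswordUsernameToken`. Both new methods are complete inside this hunk; the surrounding class continues beyond it.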
@@ -0,0 +1,152 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation=" http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://c xf.apache.org/schemas/configuration/http-jetty.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd"> + <bean 
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <bean id="transportSTSProviderBean" class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider"> + <property name="issueOperation" ref="transportIssueDelegate"/> + <property name="validateOperation" ref="transportValidateDelegate"/> + </bean> + <bean id="utDelegationHandler" class="org.apache.cxf.sts.token.delegation.UsernameTokenDelegationHandler"/> + <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation"> + <property name="tokenProviders" ref="transportTokenProviders"/> + <property name="services" ref="transportService"/> + <property name="stsProperties" ref="transportSTSProperties"/> + <property name="claimsManager" ref="claimsManager"/> + <property name="tokenStore" ref="defaultTokenStore"/> + <property name="delegationHandlers" ref="utDelegationHandler"/> + </bean> + <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation"> + <property name="tokenProviders" ref="transportTokenProviders"/> + <property name="tokenValidators" ref="transportTokenValidators"/> + <property name="stsProperties" ref="transportSTSProperties"/> + <property name="claimsManager" ref="claimsManager"/> + <property name="tokenStore" ref="defaultTokenStore"/> + </bean> + <bean id="defaultTokenStore" class="org.apache.cxf.sts.cache.DefaultInMemoryTokenStore"> + </bean> + <util:list id="transportTokenProviders"> + <ref bean="transportSamlTokenProvider"/> + <ref bean="transportCustomBSTTokenProvider"/> + </util:list> + <util:list id="transportTokenValidators"> + <ref bean="transportSamlTokenValidator"/> + <ref bean="transportX509TokenValidator"/> + <ref bean="transportUsernameTokenValidator"/> + <ref bean="transportCustomBSTTokenValidator"/> + </util:list> + <bean id="transportCustomBSTTokenProvider" 
class="org.apache.cxf.systest.sts.deployment.CustomBSTTokenProvider"> + </bean> + <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider"> + <!-- <property name="attributeStatementProviders" ref="attributeStatementProvidersList" />--> + </bean> + <!-- + <util:list id="attributeStatementProvidersList"> + <ref bean="defaultAttributeProvider" /> + <ref bean="customAttributeProvider" /> + </util:list> + + <bean id="defaultAttributeProvider" + class="org.apache.cxf.sts.token.provider.DefaultAttributeStatementProvider"> + </bean> + + <bean id="customAttributeProvider" + class="org.apache.cxf.systest.sts.deployment.CustomAttributeStatementProvider"> + </bean> +--> + <bean id="claimsManager" class="org.apache.cxf.sts.claims.ClaimsManager"> + <property name="claimHandlers" ref="claimHandlerList"/> + <property name="claimParsers" ref="claimParserList"/> + </bean> + <util:list id="claimParserList"> + <ref bean="customClaimsParser"/> + <ref bean="identityClaimsParser"/> + </util:list> + <bean id="customClaimsParser" class="org.apache.cxf.systest.sts.deployment.CustomClaimsParser"> + </bean> + <bean id="identityClaimsParser" class="org.apache.cxf.sts.claims.IdentityClaimsParser"> + </bean> + <util:list id="claimHandlerList"> + <ref bean="customClaimsHandler"/> + </util:list> + <bean id="customClaimsHandler" class="org.apache.cxf.systest.sts.deployment.CustomClaimsHandler"> + </bean> + <bean id="transportCustomBSTTokenValidator" class="org.apache.cxf.systest.sts.deployment.CustomBSTTokenValidator"> + </bean> + <bean id="transportX509TokenValidator" class="org.apache.cxf.sts.token.validator.X509TokenValidator"> + </bean> + <bean id="transportUsernameTokenValidator" class="org.apache.cxf.sts.token.validator.UsernameTokenValidator"> + </bean> + <bean id="transportSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"> + </bean> + <bean id="transportService" class="org.apache.cxf.sts.service.StaticService"> + 
<property name="endpoints" ref="transportEndpoints"/> + </bean> + <util:list id="transportEndpoints"> + <value>https://localhost:(\d)*/doubleit/services/doubleittransport.* + </value> + </util:list> + <bean id="transportSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties"> + <property name="signaturePropertiesFile" value="stsKeystore.properties"/> + <property name="signatureUsername" value="mystskey"/> + <property name="callbackHandlerClass" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + <property name="encryptionPropertiesFile" value="stsKeystore.properties"/> + <property name="issuer" value="DoubleItSTSIssuer"/> + <property name="encryptionUsername" value="myservicekey"/> + </bean> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="localSTS" implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport" wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl" depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port"> + </jaxws:endpoint> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="localSoap12STS" implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/TransportSoap12" wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl" depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Soap12_Port"> + </jaxws:endpoint> + <bean id="kerberosValidator" class="org.apache.wss4j.dom.validate.KerberosTokenValidator"> + <property name="contextName" value="bob"/> + <property name="serviceName" value="[email protected]"/> + </bean> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="localKerberosSTS" implementor="#transportSTSProviderBean" 
address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Kerberos" wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl" depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Kerberos_Port"> + <jaxws:properties> + <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/> + </jaxws:properties> + </jaxws:endpoint> + <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf"> + <httpj:engine port="${testutil.ports.STSServer}"> + <httpj:tlsServerParameters> + <sec:trustManagers> + <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/> + </sec:trustManagers> + <sec:keyManagers keyPassword="stskpass"> + <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/> + </sec:keyManagers> + <sec:cipherSuitesFilter> + <sec:include>.*_EXPORT_.*</sec:include> + <sec:include>.*_EXPORT1024_.*</sec:include> + <sec:include>.*_WITH_DES_.*</sec:include> + <sec:include>.*_WITH_AES_.*</sec:include> + <sec:include>.*_WITH_NULL_.*</sec:include> + <sec:exclude>.*_DH_anon_.*</sec:exclude> + </sec:cipherSuitesFilter> + <sec:clientAuthentication want="true" required="true"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-sts.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-sts.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-sts.xml index 3f237ab..32d480b 100644 --- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-sts.xml +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-sts.xml 
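Review bot: This new file's blob id `3f237ab` is the same as deployment/cxf-sts.xml before this commit (`index 3f237ab..32d480b`), so it is a verbatim copy whose purpose appears to be keeping a `TokenIssueOperation` without the `tokenValidators` property the deployment copy now gains, and nothing in the file records that. A comment on `transportIssueDelegate`, e.g. `<!-- Copy of deployment/cxf-sts.xml without tokenValidators on the issue operation; the custom OnBehalfOf test appears to depend on this - confirm before re-syncing -->`, would keep the two from diverging silently. The copied `cipherSuitesFilter` also carries `.*_WITH_NULL_.*`, `.*_EXPORT_.*` and `.*_WITH_DES_.*` into a fresh STS TLS configuration; a new test fixture is a good place to keep only `.*_WITH_AES_.*`. The `wsdlLocation` attributes still point at `src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl`, so the file is not self-contained in its own directory.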
@@ -36,6 +36,7 @@ <property name="claimsManager" ref="claimsManager"/> <property name="tokenStore" ref="defaultTokenStore"/> <property name="delegationHandlers" ref="utDelegationHandler"/> + <property name="tokenValidators" ref="transportTokenValidators"/> </bean> <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation"> <property name="tokenProviders" ref="transportTokenProviders"/> http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/DoubleIt.wsdl ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/DoubleIt.wsdl b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/DoubleIt.wsdl index 8fa9006..4fa6564 100644 --- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/DoubleIt.wsdl +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/DoubleIt.wsdl @@ -38,6 +38,9 @@ <wsdl:port name="DoubleItTransportUTPort" binding="tns:DoubleItTransportUTBinding"> <soap:address location="https://localhost:8081/doubleit/services/doubleittransportut"/> </wsdl:port> + <wsdl:port name="DoubleItTransportUTAuthorizationPort" binding="tns:DoubleItTransportUTBinding"> + <soap:address location="https://localhost:8081/doubleit/services/doubleittransportutauthorization"/> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItBindingTransportUTPolicy"> <wsp:ExactlyOne> http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-bad-client.xml ---------------------------------------------------------------------- 
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-bad-client.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-bad-client.xml index 8131a2f..211f76b 100644 --- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-bad-client.xml +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-bad-client.xml @@ -29,6 +29,12 @@ <entry key="ws-security.password" value="trombone"/> </jaxws:properties> </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportUTAuthorizationPort" createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.username" value="alice"/> + <entry key="ws-security.password" value="trombone"/> + </jaxws:properties> + </jaxws:client> <http:conduit name="https://localhost.*"> <http:tlsClientParameters disableCNCheck="true"> <sec:trustManagers> http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-client.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-client.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-client.xml index 526538b..48ab701 100644 --- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-client.xml +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-client.xml 
@@ -29,6 +29,13 @@ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> </jaxws:properties> </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportUTAuthorizationPort" createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.username" value="alice"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + </jaxws:properties> + </jaxws:client> + <http:conduit name="https://localhost.*"> <http:tlsClientParameters disableCNCheck="true"> <sec:trustManagers> http://git-wip-us.apache.org/repos/asf/cxf/blob/65b9eaad/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-service.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-service.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-service.xml index a77f570..960063d 100644 --- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-service.xml +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-service.xml 
@@ -46,6 +46,50 @@ </entry> </jaxws:properties> </jaxws:endpoint> + + <bean id="authorizationInterceptor" + class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"> + <property name="methodRolesMap"> + <map> + <entry key="doubleIt" value="admin-user"/> + </map> + </property> + </bean> + + <bean id="claimsCallbackHandlerImpl" + class="org.apache.cxf.systest.sts.claims.ClaimsCallbackHandler"/> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportutauthorization" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportUTAuthorizationPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportutauthorization" wsdlLocation="org/apache/cxf/systest/sts/usernametoken/DoubleIt.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + <entry key="ws-security.ut.validator"> + <bean class="org.apache.cxf.ws.security.trust.STSTokenValidator"> + <property name="useIssueBinding" value="true"/> + </bean> + </entry> + <entry key="ws-security.sts.client"> + <bean class="org.apache.cxf.ws.security.trust.STSClient"> + <constructor-arg ref="cxf"/> + <property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport?wsdl"/> + <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/> + <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/> + <property name="properties"> + <map> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + </map> + </property> + <property name="claimsCallbackHandler" ref="claimsCallbackHandlerImpl"/> + <property name="tokenType" 
+ value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> + </bean> + </entry> + </jaxws:properties> + <jaxws:inInterceptors> + <ref bean="authorizationInterceptor"/> + </jaxws:inInterceptors> + </jaxws:endpoint> + <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf"> <httpj:engine port="${testutil.ports.Server}"> <httpj:tlsServerParameters>
