Repository: cxf-fediz Updated Branches: refs/heads/master bd0fc123e -> 9995c7b26
Moving client certificate tests into AbstractTests so as to test other plugins Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4ea42640 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4ea42640 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4ea42640 Branch: refs/heads/master Commit: 4ea42640550739da4410b4b41a6b3308ea5d0a24 Parents: bd0fc12 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Thu Apr 23 16:08:06 2015 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Thu Apr 23 16:08:06 2015 +0100 ---------------------------------------------------------------------- .../sts/src/main/webapp/WEB-INF/passwords.xml | 1 + .../sts/src/main/webapp/WEB-INF/userClaims.xml | 1 + systests/clientcert/pom.xml | 288 ----------------- .../integrationtests/ClientCertificateTest.java | 313 ------------------- .../integrationtests/HOKCallbackHandler.java | 48 --- .../clientcert/src/test/resources/alice.cer | Bin 808 -> 0 bytes .../src/test/resources/alice_client.jks | Bin 1277 -> 0 bytes .../src/test/resources/fediz_config.xml | 45 --- .../clientcert/src/test/resources/server.jks | Bin 2701 -> 0 bytes .../src/test/resources/sts/passwords.xml | 42 --- .../src/test/resources/sts/ststrust.jks | Bin 4079 -> 0 bytes .../src/test/resources/sts/userClaims.xml | 139 -------- .../clientcert/src/test/resources/ststrust.jks | Bin 2561 -> 0 bytes .../AbstractClientCertTests.java | 176 +++++++++++ systests/tomcat7/pom.xml | 26 ++ .../integrationtests/ClientCertificateTest.java | 179 +++++++++++ systests/tomcat7/src/test/resources/alice.cer | Bin 0 -> 808 bytes .../tomcat7/src/test/resources/alice_client.jks | Bin 0 -> 1277 bytes .../test/resources/fediz_config_client_cert.xml | 45 +++ systests/tomcat7/src/test/resources/server.jks | Bin 1863 -> 2701 bytes .../tomcat7/src/test/resources/sts/ststrust.jks | Bin 0 -> 4079 bytes 21 files changed, 428 insertions(+), 875 
deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/services/sts/src/main/webapp/WEB-INF/passwords.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/passwords.xml b/services/sts/src/main/webapp/WEB-INF/passwords.xml
index b28a217..3ad9e7c 100644
--- a/services/sts/src/main/webapp/WEB-INF/passwords.xml
+++ b/services/sts/src/main/webapp/WEB-INF/passwords.xml
@@ -30,6 +30,7 @@
 <entry key="alice" value="ecila" />
 <entry key="bob" value="bob" />
 <entry key="ted" value="det" />
+ <entry key="idp-user" value="idp-pass" />
 </util:map>
 
 <util:map id="REALMB">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/services/sts/src/main/webapp/WEB-INF/userClaims.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/userClaims.xml b/services/sts/src/main/webapp/WEB-INF/userClaims.xml
index 38f60ea..1a2b12f 100644
--- a/services/sts/src/main/webapp/WEB-INF/userClaims.xml
+++ b/services/sts/src/main/webapp/WEB-INF/userClaims.xml
@@ -28,6 +28,7 @@
 
 <util:map id="userClaimsREALMA">
 <entry key="alice" value-ref="REALMA_aliceClaims" />
+ <entry key="CN=alice,OU=Unknown,O=Apache,L=Dublin,ST=Unknown,C=IE" value-ref="REALMA_aliceClaims" />
 <entry key="bob" value-ref="REALMA_bobClaims" />
 <entry key="ted" value-ref="REALMA_tedClaims" />
 </util:map>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/pom.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/pom.xml b/systests/clientcert/pom.xml
deleted file mode 100644
index 8434e48..0000000
--- a/systests/clientcert/pom.xml
+++ /dev/null
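Review bot: The added `idp-user`/`idp-pass` entry goes into the STS webapp's own WEB-INF/passwords.xml under services/sts, i.e. the configuration packaged into the STS war, and nothing on the line says it is a test fixture rather than an account intended for deployments. The removed systests/clientcert copy of this file carried the same entry, so the account appears to be moving out of a test-only resource so that the tomcat7 systests can run against the stock STS. A comment on the new line would record that, e.g. `<!-- test account used by the client-certificate systests; not needed by a real deployment -->`. Alternatively the tomcat7 module could filter its own passwords.xml into the unpacked STS webapp the way the deleted clientcert pom's copy-entities-to-sts execution did, which keeps the fixture out of the shipped war.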
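Review bot: The new key is a literal X.500 subject DN, so the claims lookup only succeeds when the principal name reaching the STS is rendered with exactly this attribute order, comma spacing and escaping; a DN produced by a different certificate or a different string-formatting API silently maps to no claims rather than failing loudly. A comment naming its source would help the next maintainer, e.g. `<!-- subject DN of the alice client certificate (alice.cer); used when the user is identified by TLS client certificate instead of a username -->`, since the client-certificate systest whose resources this commit moves is presumably the only consumer. As with the passwords.xml hunk above, this lands in the services/sts webapp configuration rather than a test resource, so it is worth stating there too whether the mapping is a fixture.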
@@ -1,288 +0,0 @@ -<?xml version="1.0"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> - <modelVersion>4.0.0</modelVersion> - <parent> - <groupId>org.apache.cxf.fediz</groupId> - <artifactId>fediz-systests</artifactId> - <version>1.2.0-SNAPSHOT</version> - <relativePath>../pom.xml</relativePath> - </parent> - <groupId>org.apache.cxf.fediz.systests</groupId> - <artifactId>fediz-systests-clientcert</artifactId> - <name>Apache Fediz Client Certificate Systests using Tomcat 7</name> - <packaging>jar</packaging> - <properties> - <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> - <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> - </properties> - <dependencies> - <dependency> - <groupId>org.apache.tomcat.embed</groupId> - <artifactId>tomcat-embed-core</artifactId> - <version>${tomcat.version}</version> - <scope>test</scope> - </dependency> - <dependency> - <groupId>org.apache.tomcat.embed</groupId> - <artifactId>tomcat-embed-logging-juli</artifactId> - <version>${tomcat.version}</version> - 
<scope>test</scope> - </dependency> - <dependency> - <groupId>org.eclipse.jdt.core.compiler</groupId> - <artifactId>ecj</artifactId> - <version>3.7.1</version> - <scope>test</scope> - </dependency> - <dependency> - <groupId>org.apache.tomcat.embed</groupId> - <artifactId>tomcat-embed-jasper</artifactId> - <version>${tomcat.version}</version> - <scope>test</scope> - </dependency> - <dependency> - <groupId>junit</groupId> - <artifactId>junit</artifactId> - <version>${junit.version}</version> - <scope>test</scope> - </dependency> - <dependency> - <groupId>org.apache.cxf.fediz</groupId> - <artifactId>fediz-tomcat7</artifactId> - <version>${project.version}</version> - <scope>test</scope> - </dependency> - <dependency> - <groupId>org.apache.cxf.fediz.systests</groupId> - <artifactId>fediz-systests-tests</artifactId> - <version>${project.version}</version> - <type>test-jar</type> - <scope>test</scope> - </dependency> - <dependency> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-api</artifactId> - <version>${slf4j.version}</version> - <scope>test</scope> - </dependency> - <dependency> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-jdk14</artifactId> - <version>${slf4j.version}</version> - <scope>test</scope> - </dependency> - <dependency> - <groupId>hsqldb</groupId> - <artifactId>hsqldb</artifactId> - <version>${hsqldb.version}</version> - <scope>test</scope> - </dependency> - </dependencies> - <build> - <testResources> - <testResource> - <directory>src/test/resources</directory> - <filtering>true</filtering> - <includes> - <include>**/fediz_config*.xml</include> - </includes> - </testResource> - <testResource> - <directory>src/test/resources</directory> - <filtering>false</filtering> - <excludes> - <exclude>**/fediz_config*.xml</exclude> - </excludes> - </testResource> - </testResources> - <plugins> - <plugin> - <groupId>org.codehaus.mojo</groupId> - <artifactId>build-helper-maven-plugin</artifactId> - <executions> - <execution> - <id>reserve-network-port</id> - 
<goals> - <goal>reserve-network-port</goal> - </goals> - <phase>initialize</phase> - <configuration> - <portNames> - <portName>idp.https.port</portName> - <portName>rp.https.port</portName> - </portNames> - </configuration> - </execution> - </executions> - </plugin> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-dependency-plugin</artifactId> - <executions> - <execution> - <id>copy-idp-sts</id> - <phase>generate-resources</phase> - <goals> - <goal>unpack</goal> - </goals> - <configuration> - <artifactItems> - <artifactItem> - <groupId>org.apache.cxf.fediz</groupId> - <artifactId>fediz-idp</artifactId> - <version>${project.version}</version> - <type>war</type> - <overWrite>true</overWrite> - <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory> - </artifactItem> - <artifactItem> - <groupId>org.apache.cxf.fediz</groupId> - <artifactId>fediz-idp-sts</artifactId> - <version>${project.version}</version> - <type>war</type> - <overWrite>true</overWrite> - <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory> - </artifactItem> - <artifactItem> - <groupId>org.apache.cxf.fediz.systests.webapps</groupId> - <artifactId>fediz-systests-webapps-simple</artifactId> - <version>${project.version}</version> - <type>war</type> - <overWrite>true</overWrite> - <outputDirectory>target/tomcat/rp/webapps/simpleWebapp</outputDirectory> - </artifactItem> - </artifactItems> - <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename> - <overWriteSnapshots>true</overWriteSnapshots> - <overWriteIfNewer>true</overWriteIfNewer> - <stripVersion>true</stripVersion> - </configuration> - </execution> - <execution> - <id>copy-xalan-to-idp</id> - <phase>generate-resources</phase> - <goals> - <goal>copy</goal> - </goals> - <configuration> - <artifactItems> - <artifactItem> - <groupId>xalan</groupId> - <artifactId>xalan</artifactId> - <version>${xalan.version}</version> - 
<outputDirectory>target/tomcat/idp/webapps/fediz-idp/WEB-INF/lib</outputDirectory> - </artifactItem> - </artifactItems> - </configuration> - </execution> - </executions> - </plugin> - <plugin> - <artifactId>maven-resources-plugin</artifactId> - <version>2.7</version> - <executions> - <execution> - <id>copy-entities-to-sts</id> - <phase>generate-test-sources</phase> - <goals> - <goal>copy-resources</goal> - </goals> - <configuration> - <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF</outputDirectory> - <resources> - <resource> - <directory>${basedir}/src/test/resources/sts</directory> - <includes> - <include>passwords.xml</include> - <include>userClaims.xml</include> - </includes> - <filtering>true</filtering> - </resource> - </resources> - </configuration> - </execution> - <execution> - <id>copy-entities-to-sts2</id> - <phase>generate-test-sources</phase> - <goals> - <goal>copy-resources</goal> - </goals> - <configuration> - <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF/classes</outputDirectory> - <overwrite>true</overwrite> - <resources> - <resource> - <directory>${basedir}/src/test/resources/sts</directory> - <includes> - <include>ststrust.jks</include> - </includes> - </resource> - </resources> - </configuration> - </execution> - </executions> - </plugin> - <plugin> - <artifactId>maven-failsafe-plugin</artifactId> - <inherited>true</inherited> - <executions> - <execution> - <id>integration-test</id> - <phase>integration-test</phase> - <goals> - <goal>integration-test</goal> - </goals> - <configuration> - <skip>false</skip> - <systemPropertyVariables> - <wt.headless>true</wt.headless> - <idp.https.port>${idp.https.port}</idp.https.port> - <rp.https.port>${rp.https.port}</rp.https.port> - </systemPropertyVariables> - <includes> - <include>**/integrationtests/**</include> - </includes> - <argLine>-Xms512m -Xmx1024m - -XX:MaxPermSize=256m</argLine> - </configuration> - </execution> - <execution> - 
<id>verify</id> - <phase>verify</phase> - <goals> - <goal>verify</goal> - </goals> - </execution> - </executions> - </plugin> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-surefire-plugin</artifactId> - <inherited>true</inherited> - <configuration> - <excludes> - <exclude>**/integrationtests/**</exclude> - </excludes> - </configuration> - </plugin> - </plugins> - </build> -</project> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java deleted file mode 100644 index 208153a..0000000 --- a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java +++ /dev/null 
@@ -1,313 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.cxf.fediz.integrationtests; - -import java.io.File; -import java.net.URL; -import java.util.ArrayList; - -import com.gargoylesoftware.htmlunit.CookieManager; -import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException; -import com.gargoylesoftware.htmlunit.HttpMethod; -import com.gargoylesoftware.htmlunit.WebClient; -import com.gargoylesoftware.htmlunit.WebRequest; -import com.gargoylesoftware.htmlunit.html.DomElement; -import com.gargoylesoftware.htmlunit.html.DomNodeList; -import com.gargoylesoftware.htmlunit.html.HtmlForm; -import com.gargoylesoftware.htmlunit.html.HtmlPage; -import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput; -import com.gargoylesoftware.htmlunit.util.NameValuePair; - -import org.apache.catalina.Context; -import org.apache.catalina.LifecycleState; -import org.apache.catalina.connector.Connector; -import org.apache.catalina.startup.Tomcat; -import org.apache.cxf.fediz.core.ClaimTypes; -import org.apache.cxf.fediz.tomcat.FederationAuthenticator; -import org.junit.AfterClass; -import org.junit.Assert; -import org.junit.BeforeClass; - -/** - * In this test-case, the IdP is set up to 
require client authentication, rather than authenticating using a - * username + password, or via Kerberos. - */ -public class ClientCertificateTest { - - static String idpHttpsPort; - static String rpHttpsPort; - - private static Tomcat idpServer; - private static Tomcat rpServer; - - @BeforeClass - public static void init() { - System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); - System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); - System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); - System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); - System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); - System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); - System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); - System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); - - idpHttpsPort = System.getProperty("idp.https.port"); - Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); - rpHttpsPort = System.getProperty("rp.https.port"); - Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); - - initIdp(); - initRp(); - } - - private static void initIdp() { - try { - idpServer = new Tomcat(); - idpServer.setPort(0); - String currentDir = new File(".").getCanonicalPath(); - idpServer.setBaseDir(currentDir + File.separator + "target"); - - idpServer.getHost().setAppBase("tomcat/idp/webapps"); - idpServer.getHost().setAutoDeploy(true); - idpServer.getHost().setDeployOnStartup(true); - - Connector httpsConnector = new Connector(); - httpsConnector.setPort(Integer.parseInt(idpHttpsPort)); - httpsConnector.setSecure(true); - httpsConnector.setScheme("https"); - //httpsConnector.setAttribute("keyAlias", keyAlias); - 
httpsConnector.setAttribute("keystorePass", "tompass"); - httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); - httpsConnector.setAttribute("truststorePass", "tompass"); - httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); - httpsConnector.setAttribute("clientAuth", "true"); - httpsConnector.setAttribute("sslProtocol", "TLS"); - httpsConnector.setAttribute("SSLEnabled", true); - - idpServer.getService().addConnector(httpsConnector); - - idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts"); - idpServer.addWebapp("/fediz-idp", "fediz-idp"); - - idpServer.start(); - } catch (Exception e) { - e.printStackTrace(); - } - } - - private static void initRp() { - try { - rpServer = new Tomcat(); - rpServer.setPort(0); - String currentDir = new File(".").getCanonicalPath(); - rpServer.setBaseDir(currentDir + File.separator + "target"); - - rpServer.getHost().setAppBase("tomcat/rp/webapps"); - rpServer.getHost().setAutoDeploy(true); - rpServer.getHost().setDeployOnStartup(true); - - Connector httpsConnector = new Connector(); - httpsConnector.setPort(Integer.parseInt(rpHttpsPort)); - httpsConnector.setSecure(true); - httpsConnector.setScheme("https"); - //httpsConnector.setAttribute("keyAlias", keyAlias); - httpsConnector.setAttribute("keystorePass", "tompass"); - httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); - httpsConnector.setAttribute("truststorePass", "tompass"); - httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); - httpsConnector.setAttribute("clientAuth", "true"); - httpsConnector.setAttribute("sslProtocol", "TLS"); - httpsConnector.setAttribute("SSLEnabled", true); - - rpServer.getService().addConnector(httpsConnector); - - //Context ctx = - Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp"); - FederationAuthenticator fa = new FederationAuthenticator(); - fa.setConfigFile(currentDir + File.separator + "target" + File.separator - + "test-classes" + 
File.separator + "fediz_config.xml"); - cxt.getPipeline().addValve(fa); - - - rpServer.start(); - } catch (Exception e) { - e.printStackTrace(); - } - } - - @AfterClass - public static void cleanup() { - try { - if (idpServer.getServer() != null - && idpServer.getServer().getState() != LifecycleState.DESTROYED) { - if (idpServer.getServer().getState() != LifecycleState.STOPPED) { - idpServer.stop(); - } - idpServer.destroy(); - } - } catch (Exception e) { - e.printStackTrace(); - } - - try { - if (rpServer.getServer() != null - && rpServer.getServer().getState() != LifecycleState.DESTROYED) { - if (rpServer.getServer().getState() != LifecycleState.STOPPED) { - rpServer.stop(); - } - rpServer.destroy(); - } - } catch (Exception e) { - e.printStackTrace(); - } - } - - public String getIdpHttpsPort() { - return idpHttpsPort; - } - - public String getRpHttpsPort() { - return rpHttpsPort; - } - - public String getServletContextName() { - return "fedizhelloworld"; - } - - @org.junit.Test - public void testClientAuthentication() throws Exception { - String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet"; - - final WebClient webClient = new WebClient(); - webClient.getOptions().setUseInsecureSSL(true); - webClient.getOptions().setSSLClientCertificate( - this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks"); - - webClient.getOptions().setJavaScriptEnabled(false); - final HtmlPage idpPage = webClient.getPage(url); - webClient.getOptions().setJavaScriptEnabled(true); - Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); - - final HtmlForm form = idpPage.getFormByName("signinresponseform"); - final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); - - // Test the Subject Confirmation method here - DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); - - String wresult = null; - for (DomElement result : results) { - if 
("wresult".equals(result.getAttributeNS(null, "name"))) { - wresult = result.getAttributeNS(null, "value"); - break; - } - } - Assert.assertTrue(wresult != null - && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key")); - - final HtmlPage rpPage = button.click(); - Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText()); - - final String bodyTextContent = rpPage.getBody().getTextContent(); - String user = "alice"; - Assert.assertTrue("Principal not " + user, - bodyTextContent.contains("userPrincipal=" + user)); - Assert.assertTrue("User " + user + " does not have role Admin", - bodyTextContent.contains("role:Admin=false")); - Assert.assertTrue("User " + user + " does not have role Manager", - bodyTextContent.contains("role:Manager=false")); - Assert.assertTrue("User " + user + " must have role User", - bodyTextContent.contains("role:User=true")); - - String claim = ClaimTypes.FIRSTNAME.toString(); - Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'", - bodyTextContent.contains(claim + "=Alice")); - claim = ClaimTypes.LASTNAME.toString(); - Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'", - bodyTextContent.contains(claim + "=Smith")); - claim = ClaimTypes.EMAILADDRESS.toString(); - Assert.assertTrue("User " + user + " claim " + claim + " is not 'al...@realma.org'", - bodyTextContent.contains(claim + "=al...@realma.org")); - } - - @org.junit.Test - public void testDifferentClientCertificate() throws Exception { - // Get the initial wresult from the IdP - String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet"; - - CookieManager cookieManager = new CookieManager(); - final WebClient webClient = new WebClient(); - webClient.setCookieManager(cookieManager); - webClient.getOptions().setUseInsecureSSL(true); - webClient.getOptions().setSSLClientCertificate( - this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks"); - - 
webClient.getOptions().setJavaScriptEnabled(false); - final HtmlPage idpPage = webClient.getPage(url); - webClient.getOptions().setJavaScriptEnabled(true); - Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); - - // Test the Subject Confirmation method here - DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); - - String wresult = null; - String wa = "wsignin1.0"; - String wctx = null; - String wtrealm = null; - for (DomElement result : results) { - if ("wresult".equals(result.getAttributeNS(null, "name"))) { - wresult = result.getAttributeNS(null, "value"); - } else if ("wctx".equals(result.getAttributeNS(null, "name"))) { - wctx = result.getAttributeNS(null, "value"); - } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) { - wtrealm = result.getAttributeNS(null, "value"); - } - } - Assert.assertTrue(wctx != null && wtrealm != null); - Assert.assertTrue(wresult != null - && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key")); - - // Now invoke on the RP using the saved parameters above, but a different client cert! 
- final WebClient webClient2 = new WebClient(); - webClient2.setCookieManager(cookieManager); - webClient2.getOptions().setUseInsecureSSL(true); - webClient2.getOptions().setSSLClientCertificate( - this.getClass().getClassLoader().getResource("server.jks"), "tompass", "jks"); - - WebRequest request = new WebRequest(new URL(url), HttpMethod.POST); - - request.setRequestParameters(new ArrayList<NameValuePair>()); - request.getRequestParameters().add(new NameValuePair("wctx", wctx)); - request.getRequestParameters().add(new NameValuePair("wa", wa)); - request.getRequestParameters().add(new NameValuePair("wtrealm", wtrealm)); - request.getRequestParameters().add(new NameValuePair("wresult", wresult)); - - try { - webClient2.getPage(request); - Assert.fail("Exception expected"); - } catch (FailingHttpStatusCodeException ex) { - // expected - Assert.assertTrue(ex.getMessage().contains("401 Unauthorized") - || ex.getMessage().contains("401 Authentication Failed") - || ex.getMessage().contains("403 Forbidden")); - } - - } - -} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java deleted file mode 100644 index e2f402c..0000000 --- a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java +++ /dev/null 
@@ -1,48 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.cxf.fediz.integrationtests; - -import java.io.IOException; - -import javax.security.auth.callback.Callback; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.callback.UnsupportedCallbackException; - -import org.apache.cxf.fediz.core.spi.WReqCallback; - -public class HOKCallbackHandler implements CallbackHandler { - - static final String HOK_WREQ = - "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">" - + "<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</KeyType>" - + "</RequestSecurityToken>"; - - public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { - for (int i = 0; i < callbacks.length; i++) { - if (callbacks[i] instanceof WReqCallback) { - WReqCallback callback = (WReqCallback) callbacks[i]; - callback.setWreq(HOK_WREQ); - } else { - throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); - } - } - } - -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/alice.cer 
---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/alice.cer b/systests/clientcert/src/test/resources/alice.cer deleted file mode 100644 index 82ab5db..0000000 Binary files a/systests/clientcert/src/test/resources/alice.cer and /dev/null differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/alice_client.jks ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/alice_client.jks b/systests/clientcert/src/test/resources/alice_client.jks deleted file mode 100644 index 5e1bdd2..0000000 Binary files a/systests/clientcert/src/test/resources/alice_client.jks and /dev/null differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/fediz_config.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/fediz_config.xml b/systests/clientcert/src/test/resources/fediz_config.xml deleted file mode 100644 index 8399dfc..0000000 --- a/systests/clientcert/src/test/resources/fediz_config.xml +++ /dev/null 
@@ -1,45 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file. - Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL - keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead. ---> -<FedizConfig> - <contextConfig name="/fedizhelloworld"> - <audienceUris> - <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem> - </audienceUris> - <certificateStores> - <trustManager> - <keyStore file="test-classes/ststrust.jks" - password="storepass" type="JKS" /> - </trustManager> - </certificateStores> - <trustedIssuers> - <issuer certificateValidation="PeerTrust" /> - </trustedIssuers> - <maximumClockSkew>1000</maximumClockSkew> - <signingKey keyAlias="mytomidpkey" keyPassword="tompass"> - <keyStore file="test-classes/server.jks" password="tompass" type="JKS" /> - </signingKey> - <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:type="federationProtocolType" version="1.0.0"> - <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm> - <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer> - <roleDelimiter>,</roleDelimiter> - <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI> - <freshness>10</freshness> - <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm> - <claimTypesRequested> - <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" /> - <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" /> - <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" /> - <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" /> - </claimTypesRequested> - 
<authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType> - <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request> - </protocol> - <logoutURL>/secure/logout</logoutURL> - <logoutRedirectTo>/index.html</logoutRedirectTo> - </contextConfig> -</FedizConfig> - http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/server.jks ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/server.jks b/systests/clientcert/src/test/resources/server.jks deleted file mode 100644 index a292ec9..0000000 Binary files a/systests/clientcert/src/test/resources/server.jks and /dev/null differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/passwords.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/sts/passwords.xml b/systests/clientcert/src/test/resources/sts/passwords.xml deleted file mode 100644 index 3ad9e7c..0000000 --- a/systests/clientcert/src/test/resources/sts/passwords.xml +++ /dev/null 
@@ -1,42 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:util="http://www.springframework.org/schema/util" - xsi:schemaLocation=" - http://www.springframework.org/schema/beans - http://www.springframework.org/schema/beans/spring-beans-2.0.xsd - http://www.springframework.org/schema/util - http://www.springframework.org/schema/util/spring-util-2.0.xsd"> - - <util:map id="REALMA"> - <entry key="alice" value="ecila" /> - <entry key="bob" value="bob" /> - <entry key="ted" value="det" /> - <entry key="idp-user" value="idp-pass" /> - </util:map> - - <util:map id="REALMB"> - <entry key="ALICE" value="ECILA" /> - <entry key="BOB" value="BOB" /> - <entry key="TED" value="DET" /> - </util:map> - -</beans> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/ststrust.jks ---------------------------------------------------------------------- 
diff --git a/systests/clientcert/src/test/resources/sts/ststrust.jks b/systests/clientcert/src/test/resources/sts/ststrust.jks deleted file mode 100644 index c4d1c1e..0000000 Binary files a/systests/clientcert/src/test/resources/sts/ststrust.jks and /dev/null differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/userClaims.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/sts/userClaims.xml b/systests/clientcert/src/test/resources/sts/userClaims.xml deleted file mode 100644 index 1a2b12f..0000000 --- a/systests/clientcert/src/test/resources/sts/userClaims.xml +++ /dev/null 
@@ -1,139 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:util="http://www.springframework.org/schema/util" - xsi:schemaLocation=" - http://www.springframework.org/schema/beans - http://www.springframework.org/schema/beans/spring-beans-2.0.xsd - http://www.springframework.org/schema/util - http://www.springframework.org/schema/util/spring-util-2.0.xsd"> - - <util:map id="userClaimsREALMA"> - <entry key="alice" value-ref="REALMA_aliceClaims" /> - <entry key="CN=alice,OU=Unknown,O=Apache,L=Dublin,ST=Unknown,C=IE" value-ref="REALMA_aliceClaims" /> - <entry key="bob" value-ref="REALMA_bobClaims" /> - <entry key="ted" value-ref="REALMA_tedClaims" /> - </util:map> - - <util:map id="REALMA_aliceClaims"> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" - value="Alice" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" - value="Smith" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" - value="al...@realma.org" /> - <entry - 
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" - value="User" /> - </util:map> - - <util:map id="REALMA_bobClaims"> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" - value="Bob" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" - value="Windsor" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" - value="bobwind...@realma.org" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" - value="User,Manager,Admin" /> - </util:map> - - <util:map id="REALMA_tedClaims"> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" - value="Ted" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" - value="Cooper" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" - value="tcoo...@realma.org" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" - value="" /> - </util:map> - - <util:map id="userClaimsREALMB"> - <entry key="ALICE" value-ref="REALMB_aliceClaims" /> - <entry key="BOB" value-ref="REALMB_bobClaims" /> - <entry key="TED" value-ref="REALMB_tedClaims" /> - </util:map> - - <util:map id="REALMB_aliceClaims"> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" - value="Alice" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" - value="Smith" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" - value="al...@realmb.org" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" - value="USER" /> - </util:map> - - <util:map id="REALMB_bobClaims"> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" - value="Bob" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" - value="Windsor" /> - <entry - 
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" - value="bobwind...@realmb.org" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" - value="USER,MANAGER,ADMIN" /> - </util:map> - - <util:map id="REALMB_tedClaims"> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" - value="Ted" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" - value="Cooper" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" - value="tcoo...@realmb.org" /> - <entry - key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" - value="" /> - </util:map> - - <util:list id="supportedClaims"> - <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value> - <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value> - <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</value> - <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value> - </util:list> - -</beans> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/ststrust.jks ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/ststrust.jks b/systests/clientcert/src/test/resources/ststrust.jks deleted file mode 100644 index 911945c..0000000 Binary files a/systests/clientcert/src/test/resources/ststrust.jks and /dev/null differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java ---------------------------------------------------------------------- 
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java new file mode 100644 index 0000000..1a5fe6c --- /dev/null +++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java 
@@ -0,0 +1,176 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + +import java.net.URL; +import java.util.ArrayList; + +import com.gargoylesoftware.htmlunit.CookieManager; +import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException; +import com.gargoylesoftware.htmlunit.HttpMethod; +import com.gargoylesoftware.htmlunit.WebClient; +import com.gargoylesoftware.htmlunit.WebRequest; +import com.gargoylesoftware.htmlunit.html.DomElement; +import com.gargoylesoftware.htmlunit.html.DomNodeList; +import com.gargoylesoftware.htmlunit.html.HtmlForm; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput; +import com.gargoylesoftware.htmlunit.util.NameValuePair; + +import org.apache.cxf.fediz.core.ClaimTypes; +import org.apache.wss4j.dom.WSSConfig; +import org.junit.Assert; + +public abstract class AbstractClientCertTests { + + static { + WSSConfig.init(); + } + + public AbstractClientCertTests() { + super(); + } + + public abstract String getServletContextName(); + + public abstract String getIdpHttpsPort(); + + public abstract String getRpHttpsPort(); + + @org.junit.Test + public void 
testClientAuthentication() throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getOptions().setSSLClientCertificate( + this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks"); + + webClient.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage = webClient.getPage(url); + webClient.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + final HtmlForm form = idpPage.getFormByName("signinresponseform"); + final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); + + // Test the Subject Confirmation method here + DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); + + String wresult = null; + for (DomElement result : results) { + if ("wresult".equals(result.getAttributeNS(null, "name"))) { + wresult = result.getAttributeNS(null, "value"); + break; + } + } + Assert.assertTrue(wresult != null + && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key")); + + final HtmlPage rpPage = button.click(); + Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText()); + + final String bodyTextContent = rpPage.getBody().getTextContent(); + String user = "alice"; + Assert.assertTrue("Principal not " + user, + bodyTextContent.contains("userPrincipal=" + user)); + Assert.assertTrue("User " + user + " does not have role Admin", + bodyTextContent.contains("role:Admin=false")); + Assert.assertTrue("User " + user + " does not have role Manager", + bodyTextContent.contains("role:Manager=false")); + Assert.assertTrue("User " + user + " must have role User", + bodyTextContent.contains("role:User=true")); + + String claim = ClaimTypes.FIRSTNAME.toString(); + Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'", + 
bodyTextContent.contains(claim + "=Alice")); + claim = ClaimTypes.LASTNAME.toString(); + Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'", + bodyTextContent.contains(claim + "=Smith")); + claim = ClaimTypes.EMAILADDRESS.toString(); + Assert.assertTrue("User " + user + " claim " + claim + " is not 'al...@realma.org'", + bodyTextContent.contains(claim + "=al...@realma.org")); + } + + @org.junit.Test + public void testDifferentClientCertificate() throws Exception { + // Get the initial wresult from the IdP + String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet"; + + CookieManager cookieManager = new CookieManager(); + final WebClient webClient = new WebClient(); + webClient.setCookieManager(cookieManager); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getOptions().setSSLClientCertificate( + this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks"); + + webClient.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage = webClient.getPage(url); + webClient.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + // Test the Subject Confirmation method here + DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); + + String wresult = null; + String wa = "wsignin1.0"; + String wctx = null; + String wtrealm = null; + for (DomElement result : results) { + if ("wresult".equals(result.getAttributeNS(null, "name"))) { + wresult = result.getAttributeNS(null, "value"); + } else if ("wctx".equals(result.getAttributeNS(null, "name"))) { + wctx = result.getAttributeNS(null, "value"); + } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) { + wtrealm = result.getAttributeNS(null, "value"); + } + } + Assert.assertTrue(wctx != null && wtrealm != null); + Assert.assertTrue(wresult != null + && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key")); + + // Now invoke 
on the RP using the saved parameters above, but a different client cert! + final WebClient webClient2 = new WebClient(); + webClient2.setCookieManager(cookieManager); + webClient2.getOptions().setUseInsecureSSL(true); + webClient2.getOptions().setSSLClientCertificate( + this.getClass().getClassLoader().getResource("server.jks"), "tompass", "jks"); + + WebRequest request = new WebRequest(new URL(url), HttpMethod.POST); + + request.setRequestParameters(new ArrayList<NameValuePair>()); + request.getRequestParameters().add(new NameValuePair("wctx", wctx)); + request.getRequestParameters().add(new NameValuePair("wa", wa)); + request.getRequestParameters().add(new NameValuePair("wtrealm", wtrealm)); + request.getRequestParameters().add(new NameValuePair("wresult", wresult)); + + try { + webClient2.getPage(request); + Assert.fail("Exception expected"); + } catch (FailingHttpStatusCodeException ex) { + // expected + Assert.assertTrue(ex.getMessage().contains("401 Unauthorized") + || ex.getMessage().contains("401 Authentication Failed") + || ex.getMessage().contains("403 Forbidden")); + } + + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/pom.xml ---------------------------------------------------------------------- diff --git a/systests/tomcat7/pom.xml b/systests/tomcat7/pom.xml index d214223..c2d8dea 100644 --- a/systests/tomcat7/pom.xml +++ b/systests/tomcat7/pom.xml 
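Review bot: The negative test in testDifferentClientCertificate pins the holder-of-key rejection by substring-matching `ex.getMessage()` against three status phrases, which couples the check to HtmlUnit's message wording and would silently accept any other 4xx/5xx if the text changed. `FailingHttpStatusCodeException` exposes the code directly, so the catch block can assert `int status = ex.getStatusCode();` / `Assert.assertTrue("Unexpected status " + status, status == 401 || status == 403);`. Both tests call `setUseInsecureSSL(true)`, which disables server-certificate and hostname verification in the client; that is acceptable against the self-signed localhost servers used here but deserves `// test-only: skip chain/hostname verification of the self-signed localhost certificate` so it is not copied into production client code. The CookieManager shared between webClient and webClient2 is what lets the second client replay the IdP session and saved wresult over a TLS connection authenticated with a different client certificate; a one-line comment stating that this is the holder-of-key binding under test would make the intent explicit.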
@@ -195,6 +195,32 @@
 </execution>
 </executions>
 </plugin>
+ <!-- Needed for ClientCertificateTests -->
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <version>2.7</version>
+ <executions>
+ <execution>
+ <id>copy-entities-to-sts2</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF/classes</outputDirectory>
+ <overwrite>true</overwrite>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/sts</directory>
+ <includes>
+ <include>ststrust.jks</include>
+ </includes>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
 <plugin>
 <artifactId>maven-failsafe-plugin</artifactId>
 <inherited>true</inherited>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
new file mode 100644
index 0000000..078e032
--- /dev/null
+++ b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
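Review bot: The new copy-resources execution overwrites `WEB-INF/classes/ststrust.jks` inside the exploded fediz-idp-sts webapp during `generate-test-sources`, so it silently depends on the STS webapp already having been unpacked into target/tomcat/idp/webapps by an execution not visible in this hunk; if that unpack is bound to a later phase, the replacement trust store is itself overwritten and the client-certificate tests run against the stock STS trust store. The comment `<!-- Needed for ClientCertificateTests -->` should say what is being swapped and why, e.g. `<!-- Replace the STS trust store with the test variant so the STS accepts the TLS client certificate presented in ClientCertificateTest (presumably alice's) -->`. Because this changes a trust anchor for the IdP STS shared by every other tomcat7 system test, it is also worth confirming that the copied store is a superset of the one the STS webapp ships with rather than a narrower substitute (not verifiable from the binary diff).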
@@ -0,0 +1,179 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + +import java.io.File; + +import org.apache.catalina.Context; +import org.apache.catalina.LifecycleState; +import org.apache.catalina.connector.Connector; +import org.apache.catalina.startup.Tomcat; +import org.apache.cxf.fediz.tomcat.FederationAuthenticator; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; + +/** + * In this test-case, the IdP is set up to require client authentication, rather than authenticating using a + * username + password, or via Kerberos. 
+ */ +public class ClientCertificateTest extends AbstractClientCertTests { + + static String idpHttpsPort; + static String rpHttpsPort; + + private static Tomcat idpServer; + private static Tomcat rpServer; + + @BeforeClass + public static void init() { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + initIdp(); + initRp(); + } + + private static void initIdp() { + try { + idpServer = new Tomcat(); + idpServer.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + idpServer.setBaseDir(currentDir + File.separator + "target"); + + idpServer.getHost().setAppBase("tomcat/idp/webapps"); + idpServer.getHost().setAutoDeploy(true); + idpServer.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(idpHttpsPort)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + 
httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "true"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + idpServer.getService().addConnector(httpsConnector); + + idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts"); + idpServer.addWebapp("/fediz-idp", "fediz-idp"); + + idpServer.start(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + private static void initRp() { + try { + rpServer = new Tomcat(); + rpServer.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + rpServer.setBaseDir(currentDir + File.separator + "target"); + + rpServer.getHost().setAppBase("tomcat/rp/webapps"); + rpServer.getHost().setAutoDeploy(true); + rpServer.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(rpHttpsPort)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "true"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + rpServer.getService().addConnector(httpsConnector); + + //Context ctx = + Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp"); + FederationAuthenticator fa = new FederationAuthenticator(); + fa.setConfigFile(currentDir + File.separator + "target" + File.separator + + "test-classes" + File.separator + "fediz_config_client_cert.xml"); + 
cxt.getPipeline().addValve(fa); + + + rpServer.start(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + @AfterClass + public static void cleanup() { + try { + if (idpServer.getServer() != null + && idpServer.getServer().getState() != LifecycleState.DESTROYED) { + if (idpServer.getServer().getState() != LifecycleState.STOPPED) { + idpServer.stop(); + } + idpServer.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + + try { + if (rpServer.getServer() != null + && rpServer.getServer().getState() != LifecycleState.DESTROYED) { + if (rpServer.getServer().getState() != LifecycleState.STOPPED) { + rpServer.stop(); + } + rpServer.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + } + + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + public String getRpHttpsPort() { + return rpHttpsPort; + } + + public String getServletContextName() { + return "fedizhelloworld"; + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/alice.cer ---------------------------------------------------------------------- diff --git a/systests/tomcat7/src/test/resources/alice.cer b/systests/tomcat7/src/test/resources/alice.cer new file mode 100644 index 0000000..82ab5db Binary files /dev/null and b/systests/tomcat7/src/test/resources/alice.cer differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/alice_client.jks ---------------------------------------------------------------------- diff --git a/systests/tomcat7/src/test/resources/alice_client.jks b/systests/tomcat7/src/test/resources/alice_client.jks new file mode 100644 index 0000000..5e1bdd2 Binary files /dev/null and b/systests/tomcat7/src/test/resources/alice_client.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml ---------------------------------------------------------------------- 
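Review bot: initIdp and initRp catch every exception from Tomcat startup and only call printStackTrace, so a bad keystore path, an occupied port or a webapp that fails to deploy leaves the @BeforeClass method succeeding and the tests failing later with an unrelated HtmlUnit error instead of the real cause. Letting the failure propagate is a small change: declare `private static void initIdp() throws Exception {` (and the same for initRp), drop the try/catch, and declare `public static void init() throws Exception` so JUnit reports the startup exception. Both connectors set `clientAuth` to `"true"` with `server.jks` as the truststore, meaning each server accepts any client certificate chaining to a certificate in that file; a comment recording that alice's client certificate must be trusted through that store would document the fixture the tests depend on (presumably why server.jks is replaced in this commit, not verifiable from the binary diff). The leftover `//Context ctx =` line and the package-private `static String idpHttpsPort` / `rpHttpsPort` fields could be tidied (made private) at the same time.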
diff --git a/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml b/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml new file mode 100644 index 0000000..8399dfc --- /dev/null +++ b/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml 
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
+ keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
+-->
+<FedizConfig>
+ <contextConfig name="/fedizhelloworld">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/ststrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+ <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
+ </signingKey>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+ </claimTypesRequested>
+ <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType>
+ <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+</FedizConfig>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/server.jks b/systests/tomcat7/src/test/resources/server.jks
index 2f0fdf3..a292ec9 100644
Binary files a/systests/tomcat7/src/test/resources/server.jks and b/systests/tomcat7/src/test/resources/server.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/sts/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/sts/ststrust.jks b/systests/tomcat7/src/test/resources/sts/ststrust.jks
new file mode 100644
index 0000000..c4d1c1e
Binary files /dev/null and b/systests/tomcat7/src/test/resources/sts/ststrust.jks differ
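Review bot: The header comment is copied from the sample configuration and no longer describes this file: it talks about the Tomcat conf folder, META-INF/context.xml and tomcat-rp.jks, while this config is handed to FederationAuthenticator.setConfigFile and points at test-classes/ststrust.jks and test-classes/server.jks. Replace it with something like `<!-- Fediz RP config for ClientCertificateTest: the RP requests a holder-of-key token (authenticationType Ssl) bound to the TLS client certificate; ststrust.jks must contain the IdP STS signing certificate. -->`. The `<request type="Class">` element names `org.apache.cxf.fediz.integrationtests.HOKCallbackHandler`, but nothing in this diff adds that class to the tomcat7 or tests module; confirm it is on the RP's classpath after the move, otherwise the callback cannot be instantiated at runtime. `<maximumClockSkew>1000</maximumClockSkew>` is far looser than a deployment value and widens the window in which a replayed or expired token is still accepted; annotate it `<!-- test-only: generous skew, tighten for real deployments -->` so it is not lifted into a production config (units are those of the Fediz schema, presumably seconds — not verified here).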