Repository: cxf Updated Branches: refs/heads/3.1.x-fixes b4e7dffba -> cc0eb7f8e
Make it possible to use short KeyTypes with the REST STS rather than the full WS-Trust URIs Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cc0eb7f8 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cc0eb7f8 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cc0eb7f8 Branch: refs/heads/3.1.x-fixes Commit: cc0eb7f8e1ac8bb9e62f757bba7aca3d10ceb7da Parents: b4e7dff Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Jun 17 10:23:07 2016 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Jun 17 10:27:20 2016 +0100 ---------------------------------------------------------------------- .../sts/rest/RESTSecurityTokenServiceImpl.java | 23 +++- .../cxf/systest/sts/rest/STSRESTTest.java | 124 +++++++++++++++++++ 2 files changed, 141 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/cc0eb7f8/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java index cdeffcb..bcc31a4 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java 
@@ -65,8 +65,9 @@ import org.apache.xml.security.keys.content.X509Data; public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl implements RESTSecurityTokenService { public static final Map<String, String> DEFAULT_CLAIM_TYPE_MAP; - public static final Map<String, String> DEFAULT_TOKEN_TYPE_MAP; + + private static final Map<String, String> DEFAULT_KEY_TYPE_MAP = new HashMap<String, String>(); private static final String CLAIM_TYPE = "ClaimType"; private static final String CLAIM_TYPE_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"; @@ -88,6 +89,10 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple DEFAULT_TOKEN_TYPE_MAP.put("saml1.1", WSConstants.WSS_SAML_TOKEN_TYPE); DEFAULT_TOKEN_TYPE_MAP.put("jwt", JWTTokenProvider.JWT_TOKEN_TYPE); DEFAULT_TOKEN_TYPE_MAP.put("sct", STSUtils.TOKEN_TYPE_SCT_05_12); + + DEFAULT_KEY_TYPE_MAP.put("SymmetricKey", STSConstants.SYMMETRIC_KEY_KEYTYPE); + DEFAULT_KEY_TYPE_MAP.put("PublicKey", STSConstants.PUBLIC_KEY_KEYTYPE); + DEFAULT_KEY_TYPE_MAP.put("Bearer", STSConstants.BEARER_KEY_KEYTYPE); } @Context @@ -97,7 +102,6 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple private javax.ws.rs.core.SecurityContext securityContext; private Map<String, String> claimTypeMap = DEFAULT_CLAIM_TYPE_MAP; - private Map<String, String> tokenTypeMap = DEFAULT_TOKEN_TYPE_MAP; private String defaultKeyType = STSConstants.BEARER_KEY_KEYTYPE; 
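Review bot: `DEFAULT_KEY_TYPE_MAP` is declared `private static` with no instance-level counterpart, so unlike the `DEFAULT_TOKEN_TYPE_MAP`/`tokenTypeMap` and `DEFAULT_CLAIM_TYPE_MAP`/`claimTypeMap` pairs visible in these hunks a deployment cannot extend or restrict the accepted aliases, and the `DEFAULT_` prefix suggests an override that does not exist. For consistency with the neighbouring fields add `private Map<String, String> keyTypeMap = DEFAULT_KEY_TYPE_MAP;` with a setter and look that up when building the request, or drop the prefix. The map also deserves a Javadoc such as `/** Short KeyType aliases accepted on the REST interface, mapped to the WS-Trust 1.3 KeyType URIs; lookup is an exact, case-sensitive match. */`. The `-` markers shown on the `DEFAULT_TOKEN_TYPE_MAP` and `tokenTypeMap` lines appear to be a rendering artifact, since both are still used in the static initializer and in the request-building hunk.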
@@ -183,17 +187,24 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple List<String> requestedClaims, String appliesTo ) { - if (tokenTypeMap != null && tokenTypeMap.containsKey(tokenType)) { - tokenType = tokenTypeMap.get(tokenType); + String tokenTypeToUse = tokenType; + if (tokenTypeMap != null && tokenTypeMap.containsKey(tokenTypeToUse)) { + tokenTypeToUse = tokenTypeMap.get(tokenTypeToUse); } + + String keyTypeToUse = keyType; + if (DEFAULT_KEY_TYPE_MAP.containsKey(keyTypeToUse)) { + keyTypeToUse = DEFAULT_KEY_TYPE_MAP.get(keyTypeToUse); + } + ObjectFactory of = new ObjectFactory(); RequestSecurityTokenType request = of.createRequestSecurityTokenType(); - request.getAny().add(of.createTokenType(tokenType)); + request.getAny().add(of.createTokenType(tokenTypeToUse)); request.getAny().add(of.createRequestType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue")); - String desiredKeyType = keyType != null ? keyType : defaultKeyType; + String desiredKeyType = keyTypeToUse != null ? keyTypeToUse : defaultKeyType; request.getAny().add(of.createKeyType(desiredKeyType)); // Add the TLS client Certificate as the UseKey Element if the KeyType is PublicKey http://git-wip-us.apache.org/repos/asf/cxf/blob/cc0eb7f8/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java index 2b96420..4cc6b66 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java 
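Review bot: Only `desiredKeyType` holds the resolved URI here, while the `keyType` parameter still carries the raw query value (`PublicKey`), so the UseKey branch announced by the trailing comment must test `STSConstants.PUBLIC_KEY_KEYTYPE.equals(desiredKeyType)` rather than `keyType`, or a short-form request would be issued as a PublicKey token without the TLS client certificate; that branch is outside the hunk, so please confirm. A value that matches no alias is still placed in the RequestSecurityToken unchanged (pre-existing behaviour), so a typo such as `publickey` is handed to the STS core as an unknown KeyType instead of being rejected at the REST layer; consider failing fast when `keyTypeToUse` is neither an alias nor one of the three `STSConstants` KeyType URIs. A short comment would help the next reader: `// Resolve REST aliases (SymmetricKey/PublicKey/Bearer) to the WS-Trust KeyType URI; unknown values pass through unchanged`. The enclosing method starts and ends outside this hunk.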
@@ -217,6 +217,48 @@ public class STSRESTTest extends AbstractBusClientServerTestBase { } @org.junit.Test + public void testIssueSymmetricKeySaml1ShortKeyType() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = STSRESTTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token"; + WebClient client = WebClient.create(address, busFile.toString()); + + client.accept("application/xml"); + client.path("saml1.1"); + client.query("keyType", "SymmetricKey"); + + Response response = client.get(); + Document assertionDoc = response.readEntity(Document.class); + assertNotNull(assertionDoc); + + // Process the token + List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement()); + + assertTrue(results != null && results.size() == 1); + SamlAssertionWrapper assertion = + (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + assertTrue(assertion != null); + assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null); + assertTrue(assertion.isSigned()); + + List<String> methods = assertion.getConfirmationMethods(); + String confirmMethod = null; + if (methods != null && methods.size() > 0) { + confirmMethod = methods.get(0); + } + assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)); + SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo(); + assertTrue(subjectKeyInfo.getSecret() != null); + + bus.shutdown(true); + } + + @org.junit.Test public void testIssuePublicKeySAML2Token() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = STSRESTTest.class.getResource("cxf-client.xml"); 
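Review bot: `assertTrue(subjectKeyInfo.getSecret() != null)` near the end of the new test dereferences `subjectKeyInfo` without checking it, so a token issued without subject key info fails with a NullPointerException instead of an assertion message; add `assertNotNull(subjectKeyInfo);` before it (the hunk already uses `assertNotNull`). The method is otherwise a line-for-line copy of the existing symmetric-key test with only the `keyType` query value changed, so the three new short-alias tests would read better as calls to a shared helper that takes the token-type path and key-type value and returns the processed `SamlAssertionWrapper`. `bus.shutdown(true)` is skipped when an assertion fails, matching the surrounding tests; a `try`/`finally` would avoid leaking the bus into later tests.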
@@ -259,6 +301,48 @@ public class STSRESTTest extends AbstractBusClientServerTestBase { } @org.junit.Test + public void testIssuePublicKeySAML2TokenShortKeyType() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = STSRESTTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token"; + WebClient client = WebClient.create(address, busFile.toString()); + + client.accept("application/xml"); + client.path("saml2.0"); + client.query("keyType", "PublicKey"); + + Response response = client.get(); + Document assertionDoc = response.readEntity(Document.class); + assertNotNull(assertionDoc); + + // Process the token + List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement()); + + assertTrue(results != null && results.size() == 1); + SamlAssertionWrapper assertion = + (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + assertTrue(assertion != null); + assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null); + assertTrue(assertion.isSigned()); + + List<String> methods = assertion.getConfirmationMethods(); + String confirmMethod = null; + if (methods != null && methods.size() > 0) { + confirmMethod = methods.get(0); + } + assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)); + SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo(); + assertTrue(subjectKeyInfo.getCerts() != null); + + bus.shutdown(true); + } + + @org.junit.Test public void testIssueBearerSAML1Token() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = STSRESTTest.class.getResource("cxf-client.xml"); 
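Review bot: `assertTrue(subjectKeyInfo.getCerts() != null)` only shows that some certificate landed in the holder-of-key assertion; the PublicKey flow is meant to bind the token to the TLS client certificate (per the UseKey comment in `RESTSecurityTokenServiceImpl`), so the stronger check is that `subjectKeyInfo.getCerts()[0]` equals the certificate configured for the client in `cxf-client.xml`, if the test can load that keystore. As written, a token bound to a key other than the caller's would still pass. Guard the dereference with `assertNotNull(subjectKeyInfo);` as well, so a missing KeyInfo surfaces as an assertion failure rather than a NullPointerException.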
@@ -299,6 +383,46 @@ public class STSRESTTest extends AbstractBusClientServerTestBase { } @org.junit.Test + public void testIssueBearerSAML1TokenShorKeyType() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = STSRESTTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token"; + WebClient client = WebClient.create(address, busFile.toString()); + + client.accept("application/xml"); + client.path("saml1.1"); + client.query("keyType", "Bearer"); + + Response response = client.get(); + Document assertionDoc = response.readEntity(Document.class); + assertNotNull(assertionDoc); + + // Process the token + List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement()); + + assertTrue(results != null && results.size() == 1); + SamlAssertionWrapper assertion = + (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + assertTrue(assertion != null); + assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null); + assertTrue(assertion.isSigned()); + + List<String> methods = assertion.getConfirmationMethods(); + String confirmMethod = null; + if (methods != null && methods.size() > 0) { + confirmMethod = methods.get(0); + } + assertTrue(confirmMethod.contains("bearer")); + + bus.shutdown(true); + } + + @org.junit.Test public void testIssueSAML2TokenAppliesTo() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
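Review bot: The new method name `testIssueBearerSAML1TokenShorKeyType` drops the `t` in `Short`; the two sibling tests added in this commit spell it `ShortKeyType`. `confirmMethod` stays null when `getConfirmationMethods()` is empty, so `assertTrue(confirmMethod.contains("bearer"))` would then throw a NullPointerException rather than fail the assertion; write `assertNotNull(confirmMethod);` before it, and prefer an exact comparison with the bearer confirmation-method URI over a substring match if a constant for it is already in scope in this test class. `Bearer` is also the `defaultKeyType` in `RESTSecurityTokenServiceImpl`, so a brief comment noting that this test exercises the explicit alias rather than the default would make its intent clear.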