Repository: cxf
Updated Branches:
  refs/heads/master 30ac7940b -> e0bbfe4a0


Add the ability to set a custom claim type in the generated token


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e0bbfe4a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e0bbfe4a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e0bbfe4a

Branch: refs/heads/master
Commit: e0bbfe4a0c8a17c2335d08aec558c98fdebbf07d
Parents: 30ac794
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Jul 11 13:11:49 2017 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Jul 11 13:12:44 2017 +0100

----------------------------------------------------------------------
 .../sts/rest/RESTSecurityTokenServiceImpl.java  |  1 +
 .../provider/jwt/DefaultJWTClaimsProvider.java  | 23 +++++-
 .../cxf/sts/token/provider/JWTClaimsTest.java   | 75 ++++++++++++++++++++
 .../cxf/systest/sts/rest/STSRESTTest.java       |  7 +-
 .../cxf/systest/sts/rest/cxf-rest-sts.xml       |  7 ++
 5 files changed, 108 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/e0bbfe4a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
----------------------------------------------------------------------
diff --git 
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
 
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
index 16b715c..b9c0030 100644
--- 
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
+++ 
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
@@ -77,6 +77,7 @@ public class RESTSecurityTokenServiceImpl extends 
SecurityTokenServiceImpl imple
         DEFAULT_CLAIM_TYPE_MAP = new HashMap<>();
         DEFAULT_CLAIM_TYPE_MAP.put("emailaddress", CLAIM_TYPE_NS + 
"/claims/emailaddress");
         DEFAULT_CLAIM_TYPE_MAP.put("role", CLAIM_TYPE_NS + "/claims/role");
+        DEFAULT_CLAIM_TYPE_MAP.put("roles", CLAIM_TYPE_NS + "/claims/role");
         DEFAULT_CLAIM_TYPE_MAP.put("surname", CLAIM_TYPE_NS + 
"/claims/surname");
         DEFAULT_CLAIM_TYPE_MAP.put("givenname", CLAIM_TYPE_NS + 
"/claims/givenname");
         DEFAULT_CLAIM_TYPE_MAP.put("name", CLAIM_TYPE_NS + "/claims/name");
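Review bot: `"role"` and `"roles"` now both resolve to the same claim URI on the request side, but nothing near the map says why the second alias exists; a comment such as `// "roles" is also the JWT claim name a DefaultJWTClaimsProvider claimTypeMap may emit for this URI (see the systest cxf-rest-sts.xml)` would keep the two sides in step. Without it, a later cleanup that drops one of the names would presumably break the round trip from JWT claim name back to the `claim` query parameter without any compile-time signal. The static initializer continues beyond the hunk.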

http://git-wip-us.apache.org/repos/asf/cxf/blob/e0bbfe4a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
----------------------------------------------------------------------
diff --git 
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
 
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
index 92c7b32b..09fa265 100644
--- 
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
+++ 
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
@@ -26,6 +26,7 @@ import java.time.format.DateTimeParseException;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 import java.util.logging.Logger;
 
@@ -61,6 +62,7 @@ public class DefaultJWTClaimsProvider implements 
JWTClaimsProvider {
     private boolean failLifetimeExceedance = true;
     private boolean acceptClientLifetime;
     private long futureTimeToLive = 60L;
+    private Map<String, String> claimTypeMap;
 
     /**
      * Get a JwtClaims object.
@@ -159,7 +161,7 @@ public class DefaultJWTClaimsProvider implements 
JWTClaimsProvider {
                     if (claim.getValues().size() == 1) {
                         claimValues = claim.getValues().get(0);
                     }
-                    claims.setProperty(claim.getClaimType().toString(), 
claimValues);
+                    
claims.setProperty(translateClaim(claim.getClaimType().toString()), 
claimValues);
                 }
             }
         }
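Review bot: The name handed to `claims.setProperty(...)` is now an arbitrary configured string, so two requested ClaimType URIs mapped onto the same custom name, or a mapping onto a name the provider already populates (`sub`, `iss`, `exp` and the other registered claims), silently replace the earlier value — assuming `setProperty` overwrites, which the hunk does not show. A check before the call, e.g. `String name = translateClaim(claim.getClaimType().toString()); if (claims.getProperty(name) != null) { LOG.warning("Claim " + name + " already set, overwriting"); }`, would at least make the collision visible in the logs; rejecting registered names in the setter would be stronger. The enclosing loop starts outside the hunk.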
@@ -276,6 +278,13 @@ public class DefaultJWTClaimsProvider implements 
JWTClaimsProvider {
         }
     }
 
+    private String translateClaim(String claimType) {
+        if (claimTypeMap == null || !claimTypeMap.containsKey(claimType)) {
+            return claimType;
+        }
+        return claimTypeMap.get(claimType);
+    }
+
     public boolean isUseX500CN() {
         return useX500CN;
     }
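Review bot: `translateClaim` does a `containsKey` followed by a `get`, and a key whose value is null is returned as null, which the caller then uses as a property name. `String mapped = claimTypeMap == null ? null : claimTypeMap.get(claimType); return mapped == null ? claimType : mapped;` folds the two lookups into one and falls back to the original URI for both missing and null entries. A one-line Javadoc, `/** Returns the configured JWT claim name for this ClaimType URI, or the URI itself when no mapping applies. */`, would state the fallback contract.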
@@ -365,4 +374,16 @@ public class DefaultJWTClaimsProvider implements 
JWTClaimsProvider {
         this.failLifetimeExceedance = failLifetimeExceedance;
     }
 
+    public Map<String, String> getClaimTypeMap() {
+        return claimTypeMap;
+    }
+
+    /**
+     * Specify a way to map ClaimType URIs to custom ClaimTypes
+     * @param claimTypeMap
+     */
+    public void setClaimTypeMap(Map<String, String> claimTypeMap) {
+        this.claimTypeMap = claimTypeMap;
+    }
+
 }
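Review bot: The Javadoc on `setClaimTypeMap` leaves `@param claimTypeMap` empty and does not say which way the map runs; from the test on this page the key is the ClaimType URI as a String and the value is the claim name emitted in the JWT, so `@param claimTypeMap map from ClaimType URI (as a String) to the claim name to emit in the JWT` states it. The map is stored by reference and handed back unchanged by `getClaimTypeMap`, so the translation can be altered after configuration; if that is not intended, copy it in the setter. Documenting that values must not collide with registered JWT claim names would also help deployers.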

http://git-wip-us.apache.org/repos/asf/cxf/blob/e0bbfe4a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java
----------------------------------------------------------------------
diff --git 
a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java
 
b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java
index a758d4c..f11421a 100644
--- 
a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java
+++ 
b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java
@@ -40,6 +40,7 @@ import org.apache.cxf.sts.common.PasswordCallbackHandler;
 import org.apache.cxf.sts.request.KeyRequirements;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.jwt.DefaultJWTClaimsProvider;
 import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
@@ -211,6 +212,80 @@ public class JWTClaimsTest extends org.junit.Assert {
         assertEquals(jwt.getClaim(CLAIM_STATIC_COMPANY.toString()), 
CLAIM_STATIC_COMPANY_VALUE);
     }
 
+    @org.junit.Test
+    public void testJWTRoleUsingURI() throws Exception {
+        TokenProvider tokenProvider = new JWTTokenProvider();
+        TokenProviderParameters providerParameters =
+            createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE, null);
+
+        ClaimsManager claimsManager = new ClaimsManager();
+        ClaimsHandler claimsHandler = new CustomClaimsHandler();
+        
claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
+        providerParameters.setClaimsManager(claimsManager);
+
+        ClaimCollection claims = new ClaimCollection();
+
+        URI role = 
URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";);
+
+        Claim claim = new Claim();
+        claim.setClaimType(role);
+        claims.add(claim);
+
+        providerParameters.setRequestedPrimaryClaims(claims);
+
+        
assertTrue(tokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = 
tokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && 
providerResponse.getTokenId() != null);
+
+        String token = (String)providerResponse.getToken();
+        assertNotNull(token);
+
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        assertEquals(jwt.getClaim(role.toString()), "DUMMY");
+    }
+
+    @org.junit.Test
+    public void testJWTRoleUsingCustomReturnType() throws Exception {
+        TokenProvider tokenProvider = new JWTTokenProvider();
+        TokenProviderParameters providerParameters =
+            createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE, null);
+
+        ClaimsManager claimsManager = new ClaimsManager();
+        ClaimsHandler claimsHandler = new CustomClaimsHandler();
+        
claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
+        providerParameters.setClaimsManager(claimsManager);
+
+        ClaimCollection claims = new ClaimCollection();
+
+        URI role = 
URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";);
+
+        Claim claim = new Claim();
+        claim.setClaimType(role);
+        claims.add(claim);
+
+        providerParameters.setRequestedPrimaryClaims(claims);
+
+        Map<String, String> claimTypeMap = new HashMap<>();
+        claimTypeMap.put(role.toString(), "roles");
+        DefaultJWTClaimsProvider claimsProvider = new 
DefaultJWTClaimsProvider();
+        claimsProvider.setClaimTypeMap(claimTypeMap);
+        ((JWTTokenProvider)tokenProvider).setJwtClaimsProvider(claimsProvider);
+
+        
assertTrue(tokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = 
tokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && 
providerResponse.getTokenId() != null);
+
+        String token = (String)providerResponse.getToken();
+        assertNotNull(token);
+
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+        JwtToken jwt = jwtConsumer.getJwtToken();
+        assertEquals(jwt.getClaim("roles"), "DUMMY");
+    }
+
     private TokenProviderParameters createProviderParameters(
         String tokenType, String appliesTo
     ) throws WSSecurityException {
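Review bot: `assertEquals(jwt.getClaim("roles"), "DUMMY")` in testJWTRoleUsingCustomReturnType (and the matching line in testJWTRoleUsingURI) passes the actual value first, so a failure reports expected and actual swapped; `assertEquals("DUMMY", jwt.getClaim("roles"))`. `assertTrue(providerResponse != null)` reads better as `assertNotNull(providerResponse)`. Both tests repeat the same setup through `setRequestedPrimaryClaims`; a private helper returning the configured `TokenProviderParameters` would leave each test with only the part it is about. `Map` and `HashMap` are used but the import hunk adds only `DefaultJWTClaimsProvider`, so presumably they were already imported above — not visible here.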

http://git-wip-us.apache.org/repos/asf/cxf/blob/e0bbfe4a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
----------------------------------------------------------------------
diff --git 
a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
 
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
index cb04f82..b7d3177 100644
--- 
a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
+++ 
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
@@ -937,11 +937,10 @@ public class STSRESTTest extends 
AbstractBusClientServerTestBase {
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
         JwtToken jwt = jwtConsumer.getJwtToken();
 
-        String role = 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";;
-        assertTrue(jwt.getClaim(role) == null);
+        assertTrue(jwt.getClaim("roles") == null);
 
         // Now get another token specifying the role
-        client.query("claim", role);
+        client.query("claim", "roles");
 
         response = client.get();
         token = response.readEntity(String.class);
@@ -952,7 +951,7 @@ public class STSRESTTest extends 
AbstractBusClientServerTestBase {
 
         jwtConsumer = new JwsJwtCompactConsumer(token);
         jwt = jwtConsumer.getJwtToken();
-        assertEquals("ordinary-user", jwt.getClaim(role));
+        assertEquals("ordinary-user", jwt.getClaim("roles"));
 
         bus.shutdown(true);
     }
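Review bot: After the change the test checks only that the claim appears under the custom name "roles", not that the original URI stopped being emitted alongside it; `assertNull(jwt.getClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"))` next to the "ordinary-user" assertion would pin that translation replaces the URI rather than duplicating it. The earlier hunk's `assertTrue(jwt.getClaim("roles") == null)` is clearer as `assertNull(jwt.getClaim("roles"))`.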

http://git-wip-us.apache.org/repos/asf/cxf/blob/e0bbfe4a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
----------------------------------------------------------------------
diff --git 
a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
 
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
index c9b17ae..9885866 100644
--- 
a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
+++ 
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
@@ -77,7 +77,14 @@
     </bean>
     <bean id="transportSamlTokenProvider" 
class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
     </bean>
+    <util:map id="claimTypes">
+        <entry 
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; value="roles"/>
+    </util:map>
+    <bean id="customJWTClaimsProvider" 
class="org.apache.cxf.sts.token.provider.jwt.DefaultJWTClaimsProvider">
+        <property name="claimTypeMap" ref="claimTypes"/>
+    </bean>
     <bean id="transportJWTTokenProvider" 
class="org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider">
+        <property name="jwtClaimsProvider" ref="customJWTClaimsProvider" />
     </bean>
     <bean id="transportJWTTokenValidator" 
class="org.apache.cxf.sts.token.validator.jwt.JWTTokenValidator">
     </bean>
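Review bot: `<util:map>` needs the `util` namespace (http://www.springframework.org/schema/util) and its schemaLocation declared on the root `beans` element, which is outside this hunk; if the file did not already use `util:`, that declaration has to land in the same commit or the context fails to load. A short comment above `claimTypes`, e.g. `<!-- Emit the WS-Trust role claim URI under the JWT claim name "roles" -->`, would tell readers why the transport JWT provider is given a custom claims provider.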
