This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit e8fbd046e6934f304c71a43a6ee6a72b78f9912a
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Fri Mar 2 14:03:17 2018 +0000

    CXF-7665 - Provide an easy way to set the TLSClientParameters on the 
STSClient client object
    
    (cherry picked from commit e98c13a3d2be90061634a8dd6000918ec284f98b)
    
    # Conflicts:
    #   
rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
    #   
services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
---
 .../SecureConversationOutInterceptor.java          |  3 +-
 .../cxf/ws/security/trust/AbstractSTSClient.java   | 14 ++++
 .../sts/transport/TransportBindingTest.java        | 77 +++++++++++++++++++++-
 .../apache/cxf/systest/ws/wssc/WSSCUnitTest.java   | 54 +++++++++++++++
 4 files changed, 145 insertions(+), 3 deletions(-)

diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
index f8ac847..c80b8f2 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
@@ -191,11 +191,10 @@ class SecureConversationOutInterceptor extends 
AbstractPhaseInterceptor<SoapMess
                 String s = SecureConversationTokenInterceptorProvider
                     .setupClient(client, message, aim, itok, false);
 
-                SecurityToken tok = null;
                 if (maps != null) {
                     client.setAddressingNamespace(maps.getNamespaceURI());
                 }
-                tok = client.requestSecurityToken(s);
+                SecurityToken tok = client.requestSecurityToken(s);
                 String tokenType = tok.getTokenType();
                 tok.setTokenType(tokenType);
                 if (tokenType == null || "".equals(tokenType)) {
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index 6ac5a8b..bc7a55e 100755
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -60,6 +60,7 @@ import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.ModCountCopyOnWriteArrayList;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.configuration.Configurable;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.databinding.source.SourceDataBinding;
 import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.endpoint.ClientImpl;
@@ -86,6 +87,7 @@ import org.apache.cxf.service.model.ServiceInfo;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
 import org.apache.cxf.transport.Conduit;
+import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.cxf.ws.addressing.EndpointReferenceType;
 import org.apache.cxf.ws.addressing.EndpointReferenceUtils;
 import org.apache.cxf.ws.addressing.VersionTransformer;
@@ -201,6 +203,8 @@ public abstract class AbstractSTSClient implements 
Configurable, InterceptorProv
     protected List<Interceptor<? extends Message>> inFault = new 
ModCountCopyOnWriteArrayList<>();
     protected List<Feature> features;
 
+    protected TLSClientParameters tlsClientParameters;
+
     public AbstractSTSClient(Bus b) {
         bus = b;
     }
@@ -237,6 +241,10 @@ public abstract class AbstractSTSClient implements 
Configurable, InterceptorProv
         this.sendRenewing = sendRenewing;
     }
     
+    public void setTlsClientParameters(TLSClientParameters 
tlsClientParameters) {
+        this.tlsClientParameters = tlsClientParameters;
+    }
+
     /**
      * Sets the WS-P policy that is applied to communications between this 
client and the remote server
      * if no value is supplied for {@link #setWsdlLocation(String)}.
@@ -677,6 +685,12 @@ public abstract class AbstractSTSClient implements 
Configurable, InterceptorProv
         client.getInInterceptors().addAll(in);
         client.getOutInterceptors().addAll(out);
         client.getOutFaultInterceptors().addAll(outFault);
+
+        if (tlsClientParameters != null) {
+            HTTPConduit http = (HTTPConduit) client.getConduit();
+            http.setTlsClientParameters(tlsClientParameters);
+        }
+
         in = null;
         out = null;
         inFault = null;
diff --git 
a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
 
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
index 92a170e..b364004 100644
--- 
a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
+++ 
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
@@ -18,12 +18,16 @@
  */
 package org.apache.cxf.systest.sts.transport;
 
+import java.io.InputStream;
 import java.net.URL;
+import java.security.KeyStore;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -38,7 +42,10 @@ import org.w3c.dom.Element;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.jaxws.DispatchImpl;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
 import org.apache.cxf.systest.sts.common.TestParam;
@@ -46,6 +53,7 @@ import org.apache.cxf.systest.sts.common.TokenTestUtils;
 import org.apache.cxf.systest.sts.deployment.STSServer;
 import org.apache.cxf.systest.sts.deployment.StaxSTSServer;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.wss4j.dom.WSConstants;
@@ -180,7 +188,74 @@ public class TransportBindingTest extends 
AbstractBusClientServerTestBase {
         ((java.io.Closeable)transportSaml2Port).close();
         bus.shutdown(true);
     }
-    
+
+    @org.junit.Test
+    public void testSAML2ViaCode() throws Exception {
+
+        URL wsdl = TransportBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
+        DoubleItPortType transportSaml2Port =
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml2Port, test.getPort());
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(transportSaml2Port);
+        }
+
+        // TLS configuration
+        TrustManagerFactory tmf =
+            
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        KeyManagerFactory kmf =
+            
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        final KeyStore ts = KeyStore.getInstance("JKS");
+        try (InputStream trustStore =
+            ClassLoaderUtils.getResourceAsStream("keys/clientstore.jks", 
TransportBindingTest.class)) {
+            ts.load(trustStore, "cspass".toCharArray());
+        }
+        tmf.init(ts);
+        kmf.init(ts, "ckpass".toCharArray());
+
+        TLSClientParameters tlsParams = new TLSClientParameters();
+        tlsParams.setTrustManagers(tmf.getTrustManagers());
+        tlsParams.setKeyManagers(kmf.getKeyManagers());
+        tlsParams.setDisableCNCheck(true);
+
+        Client client = ClientProxy.getClient(transportSaml2Port);
+        HTTPConduit http = (HTTPConduit) client.getConduit();
+        http.setTlsClientParameters(tlsParams);
+
+        // STSClient configuration
+        Bus clientBus = BusFactory.newInstance().createBus();
+        STSClient stsClient = new STSClient(clientBus);
+
+        // Use a local WSDL or else we run into problems retrieving the WSDL 
over HTTPS
+        // due to lack of TLS config when creating the client
+        URL stsWsdl = 
TransportBindingTest.class.getResource("../deployment/ws-trust-1.4-service.wsdl");
+        stsClient.setWsdlLocation(stsWsdl.toString());
+        
stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService";);
+        
stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port";);
+
+        Map<String, Object> props = new HashMap<>();
+        props.put("security.username", "alice");
+        props.put("security.callback-handler", 
"org.apache.cxf.systest.sts.common.CommonCallbackHandler");
+        props.put("security.sts.token.username", "myclientkey");
+        props.put("security.sts.token.properties", 
"clientKeystore.properties");
+        props.put("security.sts.token.usecert", "false");
+        stsClient.setProperties(props);
+
+        
((BindingProvider)transportSaml2Port).getRequestContext().put("security.sts.client",
 stsClient);
+
+        // Update ports + HTTPS configuration for the STSClient
+        updateAddressPort(stsClient.getClient(), test.getStsPort());
+        ((HTTPConduit) 
stsClient.getClient().getConduit()).setTlsClientParameters(tlsParams);
+
+        doubleIt(transportSaml2Port, 25);
+
+        ((java.io.Closeable)transportSaml2Port).close();
+        clientBus.shutdown(true);
+    }
+
     /**
      * In this test-case, the client sends another cert to the STS for 
inclusion in the
      * SAML Assertion and connects via 2-way TLS as normal to the service 
provider. The
diff --git 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
index a7a8469..e737bb7 100644
--- 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
+++ 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCUnitTest.java
@@ -20,7 +20,9 @@
 package org.apache.cxf.systest.ws.wssc;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URL;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -28,18 +30,25 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import javax.net.ssl.TrustManagerFactory;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
 import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.systest.ws.common.TestParam;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.cxf.ws.addressing.policy.MetadataConstants;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -131,6 +140,50 @@ public class WSSCUnitTest extends 
AbstractBusClientServerTestBase {
     }
     
     @Test
+    public void testEndorsingSecureConverationViaCode() throws Exception {
+
+        URL wsdl = WSSCUnitTest.class.getResource("DoubleItWSSC.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportPort");
+        DoubleItPortType port =
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, test.getPort());
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(port);
+        }
+
+        // TLS configuration
+        TrustManagerFactory tmf =
+            
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        final KeyStore ts = KeyStore.getInstance("JKS");
+        try (InputStream trustStore =
+            ClassLoaderUtils.getResourceAsStream("keys/Truststore.jks", 
WSSCUnitTest.class)) {
+            ts.load(trustStore, "password".toCharArray());
+        }
+        tmf.init(ts);
+
+        TLSClientParameters tlsParams = new TLSClientParameters();
+        tlsParams.setTrustManagers(tmf.getTrustManagers());
+        tlsParams.setDisableCNCheck(true);
+
+        Client client = ClientProxy.getClient(port);
+        HTTPConduit http = (HTTPConduit) client.getConduit();
+        http.setTlsClientParameters(tlsParams);
+
+        // STSClient configuration
+        Bus clientBus = BusFactory.newInstance().createBus();
+        STSClient stsClient = new STSClient(clientBus);
+        stsClient.setTlsClientParameters(tlsParams);
+
+        ((BindingProvider)port).getRequestContext().put("security.sts.client", 
stsClient);
+
+        assertEquals(50, port.doubleIt(25));
+
+        ((java.io.Closeable)port).close();
+    }
+
+    @Test
     public void testEndorsingSecureConverationSP12() throws Exception {
         
         SpringBusFactory bf = new SpringBusFactory();
@@ -347,4 +400,5 @@ public class WSSCUnitTest extends 
AbstractBusClientServerTestBase {
         }
         
     };
+
 }

-- 
To stop receiving notification emails like this one, please contact
cohei...@apache.org.

Reply via email to