Copied: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java (from r1042732, webservices/wss4j/trunk/wssec/TestWSSecuritySAMLKeyIdentifier.java) URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java?p2=webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java&p1=webservices/wss4j/trunk/wssec/TestWSSecuritySAMLKeyIdentifier.java&r1=1042732&r2=1043138&rev=1043138&view=diff ============================================================================== --- webservices/wss4j/trunk/wssec/TestWSSecuritySAMLKeyIdentifier.java (original) +++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java Tue Dec 7 17:41:05 2010 
@@ -1,29 +1,23 @@ -/* - * Copyright 2010 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * http://www.apache.org/licenses/LICENSE-2.0 * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ -package wssec; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; - -import org.apache.ws.security.saml.SAMLIssuerFactory; -import org.apache.ws.security.saml.SAMLIssuer; -import org.apache.ws.security.util.WSSecurityUtil; +package org.apache.ws.security.saml; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
@@ -32,11 +26,13 @@ import org.apache.ws.security.WSEncrypti import org.apache.ws.security.WSPasswordCallback; import org.apache.ws.security.WSSecurityEngine; import org.apache.ws.security.WSSecurityEngineResult; +import org.apache.ws.security.common.SOAPUtil; import org.apache.ws.security.components.crypto.Crypto; import org.apache.ws.security.components.crypto.CryptoFactory; import org.apache.ws.security.message.WSSecEncrypt; import org.apache.ws.security.message.WSSecHeader; import org.apache.ws.security.message.token.SecurityTokenReference; +import org.apache.ws.security.util.WSSecurityUtil; import org.w3c.dom.Document; import org.w3c.dom.Element; @@ -53,12 +49,10 @@ import javax.security.auth.callback.Call import javax.security.auth.callback.UnsupportedCallbackException; /** - * Test-case for checking KeyIdentifier (and not Reference) elements - * are used to identify SAML tokens - * + * Some tests for how SAML tokens are referenced. */ -public class TestWSSecuritySAMLKeyIdentifier extends TestCase implements CallbackHandler { - private static final Log LOG = LogFactory.getLog(TestWSSecuritySAMLKeyIdentifier.class); +public class SamlReferenceTest extends org.junit.Assert implements CallbackHandler { + private static final Log LOG = LogFactory.getLog(SamlReferenceTest.class); private static final String SOAPMSG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "<SOAP-ENV:Envelope " 
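Review bot: `public class SamlReferenceTest extends org.junit.Assert implements CallbackHandler` inherits from Assert solely to reach assertTrue/fail, and each test then carries a fully qualified `@org.junit.Test`; prefer `import static org.junit.Assert.*;` together with `import org.junit.Test;` so the class does not extend a utility class and the annotation reads as `@Test`. The same pattern appears in the SamlTokenTest and SignedSamlTokenTest class-declaration hunks of this commit. The new class Javadoc `Some tests for how SAML tokens are referenced.` drops the detail the old description carried; e.g. `Tests for how SAML tokens are referenced from a SecurityTokenReference (KeyIdentifier rather than Reference).` would keep it.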
@@ -73,27 +67,12 @@ public class TestWSSecuritySAMLKeyIdenti private WSSecurityEngine secEngine = new WSSecurityEngine(); /** - * TestWSSecurity constructor - * - * @param name name of the test - */ - public TestWSSecuritySAMLKeyIdentifier(String name) { - super(name); - } - - /** - * JUnit suite - * - * @return a junit test suite - */ - public static Test suite() { - return new TestSuite(TestWSSecuritySAMLKeyIdentifier.class); - } - - /** * The body of the SOAP request is encrypted using a secret key, which is in turn encrypted * using the certificate embedded in the SAML assertion and referenced using a Key Identifier. + * This test checks that KeyIdentifier (and not Reference) elements are used to identify + * SAML tokens */ + @org.junit.Test public void testSAMLEncryptedKey() throws Exception { // Create a SAML assertion SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml4.properties"); 
@@ -142,6 +121,59 @@ public class TestWSSecuritySAMLKeyIdenti /** + * WS-Security Test Case for WSS-178 - "signature verification failure of signed saml token + * due to "The Reference for URI (bst-saml-uri) has no XMLSignatureInput". + * + * The problem is that the signature is referring to a SecurityTokenReference via the + * STRTransform, which in turn is referring to the SAML Assertion. The request is putting + * the SAML Assertion below the SecurityTokenReference, and this is causing + * SecurityTokenReference.getTokenElement to fail. + */ + @org.junit.Test + public void testKeyIdentifier() throws Exception { + Document doc = SOAPUtil.toSOAPPart(SOAPMSG); + WSSecHeader secHeader = new WSSecHeader(); + secHeader.insertSecurityHeader(doc); + + SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml.properties"); + SAMLAssertion assertion = saml.newAssertion(); + String issuerKeyName = saml.getIssuerKeyName(); + String issuerKeyPW = saml.getIssuerKeyPassword(); + Crypto issuerCrypto = saml.getIssuerCrypto(); + WSSecSignatureSAML wsSign = new WSSecSignatureSAML(); + wsSign.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); + Document samlDoc = + wsSign.build(doc, null, assertion, issuerCrypto, + issuerKeyName, issuerKeyPW, secHeader + ); + + WSSecEncrypt builder = new WSSecEncrypt(); + builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e"); + builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); + Crypto crypto = CryptoFactory.getInstance("crypto.properties"); + Document encryptedDoc = builder.build(samlDoc, crypto, secHeader); + + // + // Remove the assertion its place in the security header and then append it + // + org.w3c.dom.Element secHeaderElement = secHeader.getSecurityHeader(); + org.w3c.dom.Node assertionNode = + secHeaderElement.getElementsByTagNameNS(WSConstants.SAML_NS, "Assertion").item(0); + secHeaderElement.removeChild(assertionNode); + secHeaderElement.appendChild(assertionNode); + + String outputString = + 
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc); + if (LOG.isDebugEnabled()) { + LOG.debug("Encrypted message:"); + LOG.debug(outputString); + } + + verify(encryptedDoc, crypto); + } + + + /** * Verifies the soap envelope * * @param doc @@ -155,7 +187,7 @@ public class TestWSSecuritySAMLKeyIdenti assertTrue(outputString.indexOf("LogTestService2") > 0 ? true : false); return results; } - + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) {
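Review bot: `.item(0)` on the `getElementsByTagNameNS(WSConstants.SAML_NS, "Assertion")` result is passed straight to `removeChild`, so if no Assertion ended up in the header the test dies with a DOM exception instead of a readable assertion failure; add `assertNotNull("No SAML Assertion in the security header", assertionNode);` before the removeChild. The comment above that code reads `// Remove the assertion its place in the security header and then append it` and should be `// Remove the assertion from its place in the security header and then append it`. The test then relies only on `verify(encryptedDoc, crypto)` (defined outside this hunk) not throwing; since the Javadoc ties the case to WSS-178, asserting on the results verify returns (for example that the encryption action result is present) would make the regression explicit rather than exception-driven.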
Copied: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java (from r1042732, webservices/wss4j/trunk/wssec/TestWSSecurityNewST1.java) URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java?p2=webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java&p1=webservices/wss4j/trunk/wssec/TestWSSecurityNewST1.java&r1=1042732&r2=1043138&rev=1043138&view=diff ============================================================================== --- webservices/wss4j/trunk/wssec/TestWSSecurityNewST1.java (original) +++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java Tue Dec 7 17:41:05 2010 @@ -17,11 +17,7 @@ * under the License. */ -package wssec; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; +package org.apache.ws.security.saml; import org.apache.ws.security.saml.SAMLIssuerFactory; import org.apache.ws.security.saml.SAMLIssuer; @@ -32,6 +28,7 @@ import org.apache.commons.logging.LogFac import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSSecurityEngine; import org.apache.ws.security.WSSecurityEngineResult; +import org.apache.ws.security.common.SOAPUtil; import org.apache.ws.security.message.WSSecHeader; import org.apache.ws.security.message.WSSecSAMLToken; import org.w3c.dom.Document; @@ -45,8 +42,8 @@ import java.util.List; * * @author Davanum Srinivas ([email protected]) */ -public class TestWSSecurityNewST1 extends TestCase { - private static final Log LOG = LogFactory.getLog(TestWSSecurityNewST1.class); +public class SamlTokenTest extends org.junit.Assert { + private static final Log LOG = LogFactory.getLog(SamlTokenTest.class); private static final String SOAPMSG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "<SOAP-ENV:Envelope " 
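Review bot: With the package changed to `package org.apache.ws.security.saml;`, the context lines `import org.apache.ws.security.saml.SAMLIssuerFactory;` and `import org.apache.ws.security.saml.SAMLIssuer;` that follow are now same-package imports and are redundant; drop them, as the SamlReferenceTest hunk in this commit already does. The same two imports are left in place in the corresponding `@@ -17,11 +17,7 @@` hunk of SignedSamlTokenTest.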
@@ -61,26 +58,9 @@ public class TestWSSecurityNewST1 extend private WSSecurityEngine secEngine = new WSSecurityEngine(); /** - * TestWSSecurity constructor - * - * @param name name of the test - */ - public TestWSSecurityNewST1(String name) { - super(name); - } - - /** - * JUnit suite - * - * @return a junit test suite - */ - public static Test suite() { - return new TestSuite(TestWSSecurityNewST1.class); - } - - /** * Test that creates, sends and processes an unsigned SAML assertion. */ + @org.junit.Test public void testSAMLUnsignedSenderVouches() throws Exception { SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml.properties"); Copied: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java (from r1042732, webservices/wss4j/trunk/wssec/TestWSSecurityNewST2.java) URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java?p2=webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java&p1=webservices/wss4j/trunk/wssec/TestWSSecurityNewST2.java&r1=1042732&r2=1043138&rev=1043138&view=diff ============================================================================== --- webservices/wss4j/trunk/wssec/TestWSSecurityNewST2.java (original) +++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java Tue Dec 7 17:41:05 2010 @@ -17,11 +17,7 @@ * under the License. */ -package wssec; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; +package org.apache.ws.security.saml; import org.apache.ws.security.saml.SAMLIssuerFactory; import org.apache.ws.security.saml.SAMLIssuer; 
@@ -33,13 +29,14 @@ import org.apache.ws.security.WSPassword import org.apache.ws.security.WSSConfig; import org.apache.ws.security.WSSecurityEngine; import org.apache.ws.security.WSSecurityEngineResult; -import org.apache.ws.security.saml.WSSecSignatureSAML; -import org.apache.ws.security.util.WSSecurityUtil; +import org.apache.ws.security.common.CustomHandler; +import org.apache.ws.security.common.SOAPUtil; import org.apache.ws.security.components.crypto.Crypto; import org.apache.ws.security.components.crypto.CryptoFactory; import org.apache.ws.security.handler.RequestData; import org.apache.ws.security.handler.WSHandlerConstants; import org.apache.ws.security.message.WSSecHeader; +import org.apache.ws.security.util.WSSecurityUtil; import org.w3c.dom.Document; import org.opensaml.SAMLAssertion; @@ -51,12 +48,12 @@ import java.io.IOException; import java.util.List; /** - * Test-case for sending and processing an signed (sender vouches) SAML Assertion. + * Test-case for sending and processing an signed SAML Assertion. * * @author Davanum Srinivas ([email protected]) */ -public class TestWSSecurityNewST2 extends TestCase implements CallbackHandler { - private static final Log LOG = LogFactory.getLog(TestWSSecurityNewST2.class); +public class SignedSamlTokenTest extends org.junit.Assert implements CallbackHandler { + private static final Log LOG = LogFactory.getLog(SignedSamlTokenTest.class); private static final String SOAPMSG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "<SOAP-ENV:Envelope " 
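Review bot: The rewritten summary `* Test-case for sending and processing an signed SAML Assertion.` keeps the article error; it should read `* Test-case for sending and processing a signed SAML Assertion.` The same phrase recurs in the method Javadoc `* Test that creates, sends and processes an signed SAML assertion.` on testSAMLSignedSenderVouches and on the testSAMLSignedKeyHolder methods added further down this file.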
@@ -72,26 +69,9 @@ public class TestWSSecurityNewST2 extend private Crypto crypto = CryptoFactory.getInstance("crypto.properties"); /** - * TestWSSecurity constructor - * - * @param name name of the test - */ - public TestWSSecurityNewST2(String name) { - super(name); - } - - /** - * JUnit suite - * - * @return a junit test suite - */ - public static Test suite() { - return new TestSuite(TestWSSecurityNewST2.class); - } - - /** * Test that creates, sends and processes an signed SAML assertion. */ + @org.junit.Test public void testSAMLSignedSenderVouches() throws Exception { SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml.properties"); @@ -134,6 +114,7 @@ public class TestWSSecurityNewST2 extend * Test that creates, sends and processes an signed SAML assertion using a KeyIdentifier * instead of direct reference. */ + @org.junit.Test public void testSAMLSignedSenderVouchesKeyIdentifier() throws Exception { SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml.properties"); @@ -178,6 +159,7 @@ public class TestWSSecurityNewST2 extend * and so the default value is used (A bad value was previously used for the default * value). */ + @org.junit.Test public void testDefaultIssuerClass() throws Exception { SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml3.properties"); @@ -221,6 +203,7 @@ public class TestWSSecurityNewST2 extend * * https://issues.apache.org/jira/browse/WSS-62 */ + @org.junit.Test public void testWSS62() throws Exception { SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml.properties"); @@ -250,7 +233,7 @@ public class TestWSSecurityNewST2 extend msgContext.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties"); reqData.setMsgContext(msgContext); - MyHandler handler = new MyHandler(); + CustomHandler handler = new CustomHandler(); handler.receive(WSConstants.ST_SIGNED, reqData); secEngine.processSecurityHeader( 
@@ -263,7 +246,7 @@ public class TestWSSecurityNewST2 extend
 msgContext.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties.na");
 reqData.setMsgContext(msgContext);
- handler = new MyHandler();
+ handler = new CustomHandler();
 try {
 handler.receive(WSConstants.ST_SIGNED, reqData);
 fail("Failure expected on a bad crypto properties file");
@@ -271,6 +254,152 @@ public class TestWSSecurityNewST2 extend // expected } } + + /** + * Test that creates, sends and processes an signed SAML assertion. + */ + @org.junit.Test + public void testSAMLSignedKeyHolder() throws Exception { + Document doc = SOAPUtil.toSOAPPart(SOAPMSG); + + SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml4.properties"); + // Provide info to SAML issuer that it can construct a Holder-of-key + // SAML token. + saml.setInstanceDoc(doc); + saml.setUserCrypto(crypto); + saml.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e"); + SAMLAssertion assertion = saml.newAssertion(); + + WSSecSignatureSAML wsSign = new WSSecSignatureSAML(); + wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256"); + wsSign.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); + wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); + wsSign.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); + + WSSecHeader secHeader = new WSSecHeader(); + secHeader.insertSecurityHeader(doc); + + LOG.info("Before SAMLSignedKeyHolder...."); + + // + // set up for keyHolder + // + Document signedDoc = wsSign.build(doc, crypto, assertion, null, null, null, secHeader); + LOG.info("After SAMLSignedKeyHolder...."); + + String outputString = + org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc); + if (LOG.isDebugEnabled()) { + LOG.debug("Signed SAML message (key holder):"); + LOG.debug(outputString); + } + assertTrue(outputString.indexOf("http://www.w3.org/2001/04/xmlenc#sha256") != -1); + assertTrue(outputString.indexOf("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") != -1); + + List<WSSecurityEngineResult> results = verify(signedDoc); + WSSecurityEngineResult actionResult = + WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED); + SAMLAssertion receivedAssertion = + (SAMLAssertion) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + assertTrue(receivedAssertion != null); + } + + /** 
+ * Test that creates, sends and processes a signed SAML assertion containing + * only key material and not an entire X509Certificate. + */ + @org.junit.Test + public void testSAMLSignedKeyHolderSendKeyValue() throws Exception { + Document doc = SOAPUtil.toSOAPPart(SOAPMSG); + + SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml4sendKeyValue.properties"); + // Provide info to SAML issuer that it can construct a Holder-of-key + // SAML token. + saml.setInstanceDoc(doc); + saml.setUserCrypto(crypto); + saml.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e"); + SAMLAssertion assertion = saml.newAssertion(); + + WSSecSignatureSAML wsSign = new WSSecSignatureSAML(); + wsSign.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256"); + wsSign.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); + wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); + wsSign.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); + + WSSecHeader secHeader = new WSSecHeader(); + secHeader.insertSecurityHeader(doc); + + LOG.info("Before SAMLSignedKeyHolder...."); + + // + // set up for keyHolder + // + Document signedDoc = wsSign.build(doc, crypto, assertion, null, null, null, secHeader); + LOG.info("After SAMLSignedKeyHolder...."); + + String outputString = + org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc); + if (LOG.isDebugEnabled()) { + LOG.debug("Signed SAML message (key holder):"); + LOG.debug(outputString); + } + assertTrue(outputString.indexOf("http://www.w3.org/2001/04/xmlenc#sha256") != -1); + assertTrue(outputString.indexOf("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") != -1); + + List<WSSecurityEngineResult> results = verify(signedDoc); + WSSecurityEngineResult actionResult = + WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED); + SAMLAssertion receivedAssertion = + (SAMLAssertion) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + assertTrue(receivedAssertion != null); + } + + 
+ /** + * Test that creates, sends and processes an signed SAML assertion using a KeyIdentifier + * instead of direct reference. + */ + @org.junit.Test + public void testSAMLSignedKeyHolderKeyIdentifier() throws Exception { + Document doc = SOAPUtil.toSOAPPart(SOAPMSG); + + SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml4.properties"); + // Provide info to SAML issuer that it can construct a Holder-of-key + // SAML token. + saml.setInstanceDoc(doc); + saml.setUserCrypto(crypto); + saml.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e"); + SAMLAssertion assertion = saml.newAssertion(); + + WSSecSignatureSAML wsSign = new WSSecSignatureSAML(); + wsSign.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); + wsSign.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); + + WSSecHeader secHeader = new WSSecHeader(); + secHeader.insertSecurityHeader(doc); + + LOG.info("Before SAMLSignedKeyHolder...."); + + // + // set up for keyHolder + // + Document signedDoc = wsSign.build(doc, crypto, assertion, null, null, null, secHeader); + LOG.info("After SAMLSignedKeyHolder...."); + + if (LOG.isDebugEnabled()) { + LOG.debug("Signed SAML message (key holder):"); + String outputString = + org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc); + LOG.debug(outputString); + } + + List<WSSecurityEngineResult> results = verify(signedDoc); + WSSecurityEngineResult actionResult = + WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED); + SAMLAssertion receivedAssertion = + (SAMLAssertion) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + assertTrue(receivedAssertion != null); + } /**
