Adding support for WS-Security kerberos credential delegation + a system test
Conflicts: rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/009e15fd Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/009e15fd Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/009e15fd Branch: refs/heads/2.7.x-fixes Commit: 009e15fd03ebf52622a478821ee65c1f9b8975ad Parents: 04667db Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Wed Aug 6 12:21:20 2014 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Wed Aug 6 15:04:01 2014 +0100 ---------------------------------------------------------------------- .../cxf/ws/security/SecurityConstants.java | 14 ++ .../ws/security/kerberos/KerberosClient.java | 52 ++++++- .../ws/security/wss4j/WSS4JInInterceptor.java | 11 ++ .../sts/kerberos/DoubleItPortTypeImpl.java | 50 +++++++ .../cxf/systest/sts/kerberos/Intermediary.java | 46 ++++++ .../sts/kerberos/IntermediaryPortTypeImpl.java | 90 ++++++++++++ .../kerberos/KerberosDelegationTokenTest.java | 113 +++++++++++++++ .../systest/sts/kerberos/KerberosTokenTest.java | 6 +- .../sts/kerberos/DoubleItIntermediary.wsdl | 142 +++++++++++++++++++ .../sts/kerberos/cxf-intermediary-client.xml | 48 +++++++ .../systest/sts/kerberos/cxf-intermediary.xml | 102 +++++++++++++ .../cxf/systest/sts/kerberos/cxf-service.xml | 27 ++++ 12 files changed, 699 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index dcf4a62..4ab0e50 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java @@ -528,6 +528,13 @@ public final class SecurityConstants { * The default value is "true". */ public static final String SC_FROM_JAAS_SUBJECT = "ws-security.sc.jaas-subject"; + + /** + * A delegated credential to use for WS-Security. Currently only a Kerberos GSSCredential + * Object is supported. This is used to retrieve a service ticket instead of using the + * client credentials. + */ + public static final String DELEGATED_CREDENTIAL = "ws-security.delegated.credential"; // // Internal tags 
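Review bot: The Javadoc on the new DELEGATED_CREDENTIAL constant does not say where the credential comes from or what holding it permits, and that matters because a delegated GSSCredential lets whoever reads it obtain service tickets as the original caller. Elsewhere in this commit WSS4JInInterceptor stores it on the inbound message under this key once a Kerberos token carrying a delegated credential has been processed, so it is reachable from any interceptor or service code through the message context. I would extend the Javadoc with: `On the service side this property is set on the inbound Message by WSS4JInInterceptor when the received Kerberos token carried a delegated credential; on the client side KerberosClient reads it (when useDelegatedCredential is enabled) to obtain the service ticket. The credential authenticates as the original caller and must not be logged, persisted or propagated beyond the request.`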
@@ -556,8 +563,15 @@ public final class SecurityConstants { DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO, STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF, TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND, +<<<<<<< HEAD ASYMMETRIC_SIGNATURE_ALGORITHM, ENABLE_SAML_ONE_TIME_USE_CACHE, SAML_ONE_TIME_USE_CACHE_INSTANCE, CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG +======= + ASYMMETRIC_SIGNATURE_ALGORITHM, PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_SAML_ONE_TIME_USE_CACHE, + SAML_ONE_TIME_USE_CACHE_INSTANCE, ENABLE_STREAMING_SECURITY, RETURN_SECURITY_ERROR, + CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG, + DELEGATED_CREDENTIAL +>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential delegation + a system test })); ALL_PROPERTIES = Collections.unmodifiableSet(s); } http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java index 23c06ba..cc54a10 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java 
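Review bot: The ALL_PROPERTIES initializer is committed with unresolved `<<<<<<< HEAD` / `=======` / `>>>>>>> 6e6c139...` markers, so SecurityConstants.java does not compile in this 2.7.x-fixes commit, and neither side is right on its own: the HEAD side omits DELEGATED_CREDENTIAL, while the other side names PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_STREAMING_SECURITY and RETURN_SECURITY_ERROR, which nothing in this diff shows exist on this branch. The resolution that matches the commit's intent keeps the HEAD list and appends only the new key: `ASYMMETRIC_SIGNATURE_ALGORITHM, ENABLE_SAML_ONE_TIME_USE_CACHE, SAML_ONE_TIME_USE_CACHE_INSTANCE, CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG, DELEGATED_CREDENTIAL`. The enclosing static initializer begins outside the hunk.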
@@ -29,11 +29,22 @@ import org.apache.cxf.Bus; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.configuration.Configurable; import org.apache.cxf.helpers.DOMUtils; +import org.apache.cxf.message.Message; +import org.apache.cxf.phase.PhaseInterceptorChain; +import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; +<<<<<<< HEAD import org.apache.ws.security.WSSConfig; import org.apache.ws.security.message.token.KerberosSecurity; import org.apache.ws.security.util.Base64; import org.apache.ws.security.util.WSSecurityUtil; +======= +import org.apache.wss4j.dom.WSSConfig; +import org.apache.wss4j.dom.message.token.KerberosSecurity; +import org.apache.wss4j.dom.util.WSSecurityUtil; +import org.apache.xml.security.utils.Base64; +import org.ietf.jgss.GSSCredential; +>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential delegation + a system test /** * A class that obtains a ticket from a KDC and wraps it in a SecurityToken object. @@ -47,6 +58,9 @@ public class KerberosClient implements Configurable { private CallbackHandler callbackHandler; private String contextName; private WSSConfig wssConfig = WSSConfig.getNewInstance(); + private boolean requestCredentialDelegation; + private boolean isUsernameServiceNameForm; + private boolean useDelegatedCredential; @Deprecated public KerberosClient(Bus b) { 
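Review bot: The import block is committed with unresolved conflict markers, and the two sides belong to different WSS4J generations: HEAD imports org.apache.ws.security.* (the packages this branch uses), whereas the other side imports org.apache.wss4j.dom.* and org.apache.xml.security.utils.Base64. The only line from the second side that the new code in requestSecurityToken actually needs is `import org.ietf.jgss.GSSCredential;`, so the resolution should keep the HEAD imports and add just that one. Whether the KerberosSecurity class on this branch has the six-argument retrieveServiceTicket overload the following hunk calls cannot be confirmed from this diff and should be checked before the file is expected to compile.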
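Review bot: The new field `isUsernameServiceNameForm` carries the `is` prefix of its accessor, so the class ends up with a field and a getter of the same name while the setter parameter is `usernameServiceNameForm`; the other two new fields use the plain property name. For consistency I would declare it as `private boolean usernameServiceNameForm;` and adjust the two accessor bodies. None of the three flags has a comment saying what enabling it changes; `requestCredentialDelegation` deserves one in particular, since, judging by its name and by how it is handed to retrieveServiceTicket, it asks the GSS layer for a delegatable credential to be forwarded to the service named in serviceName.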
@@ -126,12 +140,24 @@ public class KerberosClient implements Configurable { } public SecurityToken requestSecurityToken() throws Exception { + // See if we have a delegated Credential to use + Message message = PhaseInterceptorChain.getCurrentMessage(); + GSSCredential delegatedCredential = null; + if (message != null && useDelegatedCredential) { + Object obj = message.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL); + if (obj instanceof GSSCredential) { + delegatedCredential = (GSSCredential)obj; + } + } + if (LOG.isLoggable(Level.FINE)) { LOG.fine("Requesting Kerberos ticket for " + serviceName + " using JAAS Login Module: " + getContextName()); } KerberosSecurity bst = new KerberosSecurity(DOMUtils.createDocument()); - bst.retrieveServiceTicket(getContextName(), callbackHandler, serviceName); + bst.retrieveServiceTicket(getContextName(), callbackHandler, serviceName, + isUsernameServiceNameForm, requestCredentialDelegation, + delegatedCredential); bst.addWSUNamespace(); bst.setID(wssConfig.getIdAllocator().createSecureId("BST-", bst)); 
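Review bot: When useDelegatedCredential is true but the current message carries no DELEGATED_CREDENTIAL (or carries something that is not a GSSCredential), delegatedCredential stays null and retrieveServiceTicket is still called with the configured JAAS context and callbackHandler, so an intermediary meant to act as the original caller silently obtains a ticket as itself instead. On a delegation path that substitution should be an error rather than a fallback: after the lookup add `if (useDelegatedCredential && delegatedCredential == null) { throw new IllegalStateException("useDelegatedCredential is set but no delegated credential is present on the current message"); }`. If a fallback is intended for some deployments it should at least be logged at WARNING, and the existing FINE message could state whether a delegated credential is being used so the two cases can be told apart in logs. The null check on PhaseInterceptorChain.getCurrentMessage() for calls made outside an interceptor chain is already in place.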
@@ -149,4 +175,28 @@ public class KerberosClient implements Configurable { return token; } + public boolean isUsernameServiceNameForm() { + return isUsernameServiceNameForm; + } + + public void setUsernameServiceNameForm(boolean usernameServiceNameForm) { + this.isUsernameServiceNameForm = usernameServiceNameForm; + } + + public boolean isRequestCredentialDelegation() { + return requestCredentialDelegation; + } + + public void setRequestCredentialDelegation(boolean requestCredentialDelegation) { + this.requestCredentialDelegation = requestCredentialDelegation; + } + + public boolean isUseDelegatedCredential() { + return useDelegatedCredential; + } + + public void setUseDelegatedCredential(boolean useDelegatedCredential) { + this.useDelegatedCredential = useDelegatedCredential; + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java index 0011ef1..9d7cf6e 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java 
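Review bot: The three new accessor pairs have no Javadoc, so a user of KerberosClient has to read requestSecurityToken to discover that useDelegatedCredential makes the client pick a GSSCredential off the current message's ws-security.delegated.credential property, and that requestCredentialDelegation is passed straight through to retrieveServiceTicket. I would document setUseDelegatedCredential with `Obtain the service ticket from a delegated GSSCredential found on the current message (SecurityConstants.DELEGATED_CREDENTIAL) instead of from the configured JAAS context.` and setRequestCredentialDelegation with `Request credential delegation when obtaining the service ticket; enable only towards services trusted to act on the caller's behalf.` The exact GSS semantics of the second flag come from WSS4J and should be confirmed against its retrieveServiceTicket Javadoc before being stated as fact.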
@@ -554,7 +554,18 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor { if (!utWithCallbacks) { WSS4JTokenConverter.convertToken(msg, p); } +<<<<<<< HEAD Object receivedAssertion = null; +======= + Object receivedAssertion = o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + if (receivedAssertion == null) { + receivedAssertion = o.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN); + } + if (o.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL) != null) { + msg.put(SecurityConstants.DELEGATED_CREDENTIAL, + o.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL)); + } +>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential delegation + a system test List<String> roles = null; if (o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION) != null) { http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/DoubleItPortTypeImpl.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/DoubleItPortTypeImpl.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/DoubleItPortTypeImpl.java new file mode 100644 index 0000000..11e187a --- /dev/null +++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/DoubleItPortTypeImpl.java 
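Review bot: This hunk is also committed with unresolved conflict markers, and the non-HEAD side depends on WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN and TAG_DELEGATION_CREDENTIAL, which this diff does not show to exist in the WSS4J version imported from org.apache.ws.security on this branch; if they do not, the file will fail to compile once the markers are removed. The only part of the new code this commit needs is the `TAG_DELEGATION_CREDENTIAL` check that copies the credential into `msg`, so the resolution should keep HEAD's `Object receivedAssertion = null;` plus that check, provided the constant exists on this branch. Note also that the credential is copied into the message for every engine result that carries one and, as far as this hunk shows, without regard to whether the token later satisfies the endpoint's policy, so code reading the message context should take its presence to mean "a Kerberos token with delegation was processed", not "the policy accepted it". The enclosing method starts and ends outside the hunk.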
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.kerberos;
+
+import java.security.Principal;
+
+import javax.annotation.Resource;
+import javax.jws.WebService;
+import javax.xml.ws.WebServiceContext;
+
+import org.apache.cxf.feature.Features;
+import org.example.contract.doubleit.DoubleItPortType;
+import org.junit.Assert;
+
+@WebService(targetNamespace = "http://www.example.org/contract/DoubleIt",
+ serviceName = "DoubleItService",
+ endpointInterface = "org.example.contract.doubleit.DoubleItPortType")
+@Features(features = "org.apache.cxf.feature.LoggingFeature")
+public class DoubleItPortTypeImpl implements DoubleItPortType {
+
+ @Resource
+ WebServiceContext wsContext;
+
+ public int doubleIt(int numberToDouble) {
+ Principal pr = wsContext.getUserPrincipal();
+
+ Assert.assertNotNull("Principal must not be null", pr);
+ Assert.assertNotNull("Principal.getName() must not return null", pr.getName());
+ Assert.assertTrue(pr.getName().startsWith("alice"));
+
+ return numberToDouble * 2;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/Intermediary.java
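Review bot: `Assert.assertTrue(pr.getName().startsWith("alice"))` accepts any principal whose name merely begins with alice (alice2, alicebob, ...), which is a weak check for a test whose whole point is that the backend sees the delegated identity rather than the intermediary's own. If the principal name carries a realm suffix, as the KDC setup described in the test Javadoc suggests, compare the name part exactly, e.g. `Assert.assertEquals("alice", pr.getName().split("@")[0]);`, or at minimum use `startsWith("alice@")`. A failing JUnit assertion inside the endpoint surfaces to the caller as a SOAP fault, which is fine for a system test but worth a one-line comment so nobody reads it as production validation.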
---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/Intermediary.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/Intermediary.java new file mode 100644 index 0000000..4ad2822 --- /dev/null +++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/Intermediary.java 
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.kerberos;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Intermediary extends AbstractBusTestServerBase {
+
+ public Intermediary() {
+
+ }
+
+ protected void run() {
+ URL busFile = Intermediary.class.getResource("cxf-intermediary.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+
+ try {
+ new Intermediary();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/IntermediaryPortTypeImpl.java
----------------------------------------------------------------------
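Review bot: The `try { new Intermediary(); } catch (Exception e) { e.printStackTrace(); }` block in run() constructs a second Intermediary and throws it away; the no-arg constructor is empty, so the statement does nothing and the catch can never fire. The endpoint is presumably published by the beans in cxf-intermediary.xml loaded two lines earlier (that file is outside this chunk), in which case the block should simply be deleted and run() end after `setBus(busLocal);`. If an explicit Endpoint.publish of IntermediaryPortTypeImpl was intended instead, it is missing.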
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/IntermediaryPortTypeImpl.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/IntermediaryPortTypeImpl.java new file mode 100644 index 0000000..1d4bcc0 --- /dev/null +++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/IntermediaryPortTypeImpl.java 
@@ -0,0 +1,90 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.sts.kerberos; + +import java.net.URL; +import java.security.Principal; +import java.util.Map; + +import javax.annotation.Resource; +import javax.jws.WebService; +import javax.xml.namespace.QName; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.Service; +import javax.xml.ws.WebServiceContext; +import javax.xml.ws.handler.MessageContext; + +import org.apache.cxf.feature.Features; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.trust.STSClient; +import org.example.contract.doubleit.DoubleItPortType; +import org.ietf.jgss.GSSCredential; +import org.junit.Assert; + +@WebService(targetNamespace = "http://www.example.org/contract/DoubleIt", + serviceName = "DoubleItService", + endpointInterface = "org.example.contract.doubleit.DoubleItPortType") +@Features(features = "org.apache.cxf.feature.LoggingFeature") +public class IntermediaryPortTypeImpl extends AbstractBusClientServerTestBase implements DoubleItPortType { + + private static final String NAMESPACE = 
"http://www.example.org/contract/DoubleIt"; + private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); + + @Resource + WebServiceContext wsc; + + public int doubleIt(int numberToDouble) { + Principal pr = wsc.getUserPrincipal(); + + Assert.assertNotNull("Principal must not be null", pr); + Assert.assertNotNull("Principal.getName() must not return null", pr.getName()); + + URL wsdl = IntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port"); + DoubleItPortType transportPort = + service.getPort(portQName, DoubleItPortType.class); + try { + updateAddressPort(transportPort, KerberosDelegationTokenTest.PORT); + } catch (Exception ex) { + ex.printStackTrace(); + } + + // Retrieve delegated credential + set it on the outbound message + MessageContext messageContext = wsc.getMessageContext(); + GSSCredential delegatedCredential = + (GSSCredential)messageContext.get(SecurityConstants.DELEGATED_CREDENTIAL); + Map<String, Object> context = ((BindingProvider)transportPort).getRequestContext(); + context.put(SecurityConstants.DELEGATED_CREDENTIAL, delegatedCredential); + + STSClient stsClient = (STSClient)context.get(SecurityConstants.STS_CLIENT); + if (stsClient != null) { + String location = stsClient.getWsdlLocation(); + if (location.contains("8443")) { + stsClient.setWsdlLocation( + location.replace("8443", KerberosDelegationTokenTest.STSPORT) + ); + } + } + + return transportPort.doubleIt(numberToDouble); + } + +} http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java ---------------------------------------------------------------------- 
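Review bot: `delegatedCredential` is read from the inbound message context and put into the outbound request context with no null check, so if the inbound Kerberos token carried no delegated credential the call still proceeds and KerberosClient falls back to the intermediary's own JAAS credentials, meaning the test can pass while exercising the wrong identity. Add `Assert.assertNotNull("No delegated credential on inbound message", delegatedCredential);` before the put, in line with the principal assertions already at the top of doubleIt. Smaller points: the `catch (Exception ex) { ex.printStackTrace(); }` around updateAddressPort hides a setup failure that should fail the test, and `location.contains("8443")` will throw NullPointerException if `getWsdlLocation()` returns null.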
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java new file mode 100644 index 0000000..17c33a0 --- /dev/null +++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java 
@@ -0,0 +1,113 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.sts.kerberos; + +import java.net.URL; + +import javax.xml.namespace.QName; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.Service; + +import org.apache.cxf.Bus; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.systest.sts.common.SecurityTestUtil; +import org.apache.cxf.systest.sts.common.TokenTestUtils; +import org.apache.cxf.systest.sts.deployment.STSServer; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.example.contract.doubleit.DoubleItPortType; +import org.junit.BeforeClass; + +/** + * This tests credential delegation. The client enables credential delegation + sends a Kerberos + * token to an Intermediary via WS-Security. The Intermediary validates the token, and then + * uses the delgated credential to obtain a ticket to in turn retrieve a SAML token from the + * STS. The SAML token is used to secure access to the backend service. + * + * The tests are @Ignored by default, as a KDC is needed. 
To replicate the test scenario, set up a KDC with + * user principal "alice" (keytab in "/etc/alice.keytab"), and host service "b...@service.ws.apache.org" + * (keytab in "/etc/bob.keytab"). + */ +@org.junit.Ignore +public class KerberosDelegationTokenTest extends AbstractBusClientServerTestBase { + + static final String STSPORT = allocatePort(STSServer.class); + static final String PORT = allocatePort(Server.class); + static final String INTERMEDIARY_PORT = allocatePort(Intermediary.class); + + private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; + private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); + + @BeforeClass + public static void startServers() throws Exception { + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(Server.class, true) + ); + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(STSServer.class, true) + ); + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(Intermediary.class, true) + ); + } + + @org.junit.AfterClass + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + stopAllServers(); + } + + @org.junit.Test + public void testKerberosToken() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = KerberosDelegationTokenTest.class.getResource("cxf-intermediary-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = KerberosDelegationTokenTest.class.getResource("DoubleItIntermediary.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItTransportKerberosPort"); + DoubleItPortType transportSaml2Port = + service.getPort(portQName, 
DoubleItPortType.class); + updateAddressPort(transportSaml2Port, INTERMEDIARY_PORT); + + TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port, STSPORT); + + doubleIt(transportSaml2Port, 25); + + ((java.io.Closeable)transportSaml2Port).close(); + bus.shutdown(true); + } + + private static void doubleIt(DoubleItPortType port, int numToDouble) { + int resp = port.doubleIt(numToDouble); + assertEquals(numToDouble * 2 , resp); + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java index 6ddc9ad..e8a8498 100644 --- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java +++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java @@ -42,6 +42,11 @@ import org.junit.BeforeClass; * user principal "alice" (keytab in "/etc/alice.keytab"), and host service "b...@service.ws.apache.org" * (keytab in "/etc/bob.keytab"). */ +<<<<<<< HEAD +======= +@RunWith(value = org.junit.runners.Parameterized.class) +@org.junit.Ignore +>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential delegation + a system test public class KerberosTokenTest extends AbstractBusClientServerTestBase { static final String STSPORT = allocatePort(STSServer.class); 
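Review bot: The port variable in testKerberosToken is named `transportSaml2Port` although it is obtained from `DoubleItTransportKerberosPort`, which obscures that this leg is the Kerberos hop to the intermediary; `transportKerberosPort` would match the WSDL and the cxf-intermediary-client.xml client name. The class Javadoc has a typo, "delgated", and would read better with one sentence naming the three processes started in startServers (Server, STSServer, Intermediary) and which leg of the flow each serves. Server.class is referenced but defined outside this chunk.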
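Review bot: The conflict markers around the class annotations leave KerberosTokenTest in a state where the HEAD side has no class-level @Ignore, while the next hunk removes the only method-level one; resolving to HEAD would therefore un-ignore a test that, per its own Javadoc, needs a live KDC with alice and bob keytabs. The other side also adds `@RunWith(value = org.junit.runners.Parameterized.class)` with no @Parameters method or parameterized constructor visible in this diff and no import of RunWith, which looks carried over from a different branch. The resolution matching this commit's intent is to keep only `@org.junit.Ignore` at class level and drop the @RunWith line.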
@@ -74,7 +79,6 @@ public class KerberosTokenTest extends AbstractBusClientServerTestBase { } @org.junit.Test - @org.junit.Ignore public void testKerberosToken() throws Exception { SpringBusFactory bf = new SpringBusFactory(); http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl new file mode 100644 index 0000000..d1d56a5 --- /dev/null +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl 
@@ -0,0 +1,142 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:di="http://www.example.org/schema/DoubleIt" xmlns:tns="http://www.example.org/contract/DoubleIt" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsaw="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" name="DoubleIt" targetNamespace="http://www.example.org/contract/DoubleIt"> + <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" namespace="http://www.example.org/contract/DoubleIt"/> + <wsdl:binding name="DoubleItTransportKerberosBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItBindingTransportKerberosPolicy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="DoubleIt"> + 
<soap:operation soapAction=""/> + <wsdl:input> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + <wsdl:service name="DoubleItService"> + <wsdl:port name="DoubleItTransportKerberosPort" binding="tns:DoubleItTransportKerberosBinding"> + <soap:address location="https://localhost:8081/doubleit/services/doubleittransportkerberos"/> + </wsdl:port> + </wsdl:service> + <wsp:Policy wsu:Id="DoubleItBindingTransportKerberosPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <wsam:Addressing wsp:Optional="false"> + <wsp:Policy/> + </wsam:Addressing> + <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:TripleDes/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + </wsp:Policy> + </sp:TransportBinding> + <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:KerberosToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once"> + <wsp:Policy> + <sp:WssGssKerberosV5ApReqToken11/> + </wsp:Policy> + </sp:KerberosToken> + </wsp:Policy> + </sp:SupportingTokens> + <sp:Wss11> + <wsp:Policy> + <sp:MustSupportRefIssuerSerial/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + <sp:Trust13> + <wsp:Policy> + <sp:MustSupportIssuedTokens/> + <sp:RequireClientEntropy/> + <sp:RequireServerEntropy/> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy 
wsu:Id="DoubleItBinding_DoubleIt_Input_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> + <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> + <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> + <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> + <sp:Header 
Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> + <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> + <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> +</wsdl:definitions> http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-client.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-client.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-client.xml new file mode 100644 index 0000000..8bfbaae --- /dev/null +++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-client.xml 
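Review bot: The new binding policy selects `<sp:TripleDes/>` as its AlgorithmSuite; even under a TransportBinding the suite still governs the symmetric and derived-key operations of the WS-Trust exchange this policy requires (Trust13 with RequireClientEntropy and RequireServerEntropy), so a WSDL written new in 2014 should use `<sp:Basic128/>` or `<sp:Basic256/>` unless 3DES is specifically what the test exercises. The KerberosToken is an unsigned SupportingToken and the HttpsToken policy is empty, so the AP-REQ carrying the delegated credential is protected only by TLS; that is acceptable for this binding but deserves an XML comment next to the SupportingTokens element. The EncryptedParts/SignedParts in the Input and Output policies are satisfied by the transport here and appear copied from a symmetric-binding WSDL; dropping them would avoid implying message-level protection that this binding does not provide.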
@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:cxf="http://cxf.apache.org/core" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient" id="kerberosClient">
+ <constructor-arg ref="cxf"/>
+ <property name="contextName" value="alice"/>
+ <property name="serviceName" value="b...@service.ws.apache.org"/>
+ <property name="requestCredentialDelegation" value="true"/>
+ </bean>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportKerberosPort" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.kerberos.client" value-ref="kerberosClient"/>
+ </jaxws:properties>
+ </jaxws:client>
+ <http:conduit name="https://localhost:.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:trustManagers>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:keyManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
new file mode 100644
index 0000000..0398a7e
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
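Review bot: The `requestCredentialDelegation` property on the `kerberosClient` bean is the one setting that distinguishes this client configuration from the existing Kerberos systests, yet it carries no comment explaining what the client is granting. Setting it presumably asks for a credential the intermediary (`bob`, per cxf-intermediary.xml) can reuse to obtain its own service ticket on alice's behalf, so anyone copying this file into a non-test context should understand that the intermediary is being trusted to act as the caller. Suggest a comment directly above the property, e.g. `<!-- Allow the intermediary to obtain a service ticket on this client's behalf; only enable this towards an intermediary trusted to act as the caller. -->`. The `disableCNCheck="true"` on the conduit is consistent with the other systest configs but would also benefit from a short `<!-- test-only: localhost certificate -->` marker.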
@@ -0,0 +1,102 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation=" http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <bean id="kerberosValidator" class="org.apache.wss4j.dom.validate.KerberosTokenValidator">
+ <property name="contextName" value="bob"/>
+ <property name="serviceName" value="b...@service.ws.apache.org"/>
+ </bean>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportkerberos" implementor="org.apache.cxf.systest.sts.kerberos.IntermediaryPortTypeImpl" endpointName="s:DoubleItTransportKerberosPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Intermediary}/doubleit/services/doubleittransportkerberos" wsdlLocation="org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient" id="kerberosClient">
+ <constructor-arg ref="cxf"/>
+ <property name="contextName" value="bob"/>
+ <property name="serviceName" value="b...@service.ws.apache.org"/>
+ <property name="useDelegatedCredential" value="true"/>
+ </bean>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSAML2Port" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="myclientkey"/>
+ <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.sts.client">
+ <bean class="org.apache.cxf.ws.security.trust.STSClient">
+ <constructor-arg ref="cxf"/>
+ <property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Kerberos?wsdl"/>
+ <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+ <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Kerberos_Port"/>
+ <property name="properties">
+ <map>
+ <entry key="ws-security.username" value="alice"/>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.sts.token.username" value="myclientkey"/>
+ <entry key="ws-security.sts.token.properties" value="clientKeystore.properties"/>
+ <entry key="ws-security.sts.token.usecert" value="true"/>
+ <entry key="ws-security.kerberos.client" value-ref="kerberosClient"/>
+ </map>
+ </property>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
+ <httpj:engine port="${testutil.ports.Intermediary}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:keyManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="false" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <http:conduit name="https://localhost:.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:trustManagers>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:keyManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
----------------------------------------------------------------------
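Review bot: The `sec:cipherSuitesFilter` on the `ClientAuthHttpsSettings` engine explicitly includes `.*_WITH_NULL_.*`, `.*_EXPORT_.*`, `.*_EXPORT1024_.*` and `.*_WITH_DES_.*`, so the intermediary's TLS listener — the endpoint that receives the client's Kerberos BST and then holds the delegated credential used by the `kerberosClient` bean — will negotiate unencrypted or export-grade suites if a peer offers them. Even in a systest the filter only needs `<sec:include>.*_WITH_AES_.*</sec:include>` plus the existing `<sec:exclude>.*_DH_anon_.*</sec:exclude>`; the four weak includes can be dropped without affecting the localhost clients in this commit. The identical filter is added again in the second hunk of cxf-service.xml (`@@ -80,5 +81,31 @@`). Separately, `useDelegatedCredential` on the second `KerberosClient` bean is the counterpart to the client's `requestCredentialDelegation` and deserves a comment such as `<!-- Use the credential delegated by the caller (not bob's own) to obtain the STS service ticket -->`, since nothing else in the file explains why this bean has `contextName` bob but acts as alice.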
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
index de1feac..717f772 100644
--- a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
@@ -44,6 +44,7 @@
 <cxf:logging/>
 </cxf:features>
 </cxf:bus>
+<<<<<<< HEAD
 <jaxws:endpoint
 id="doubleittransportsaml2"
 implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl"
@@ -80,5 +81,31 @@
 </httpj:engine>
 </httpj:engine-factory>
+=======
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2" implementor="org.apache.cxf.systest.sts.kerberos.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2Port" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportsaml2" wsdlLocation="org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
+ <httpj:engine port="${testutil.ports.Server}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/>
+ </sec:keyManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="false" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential delegation + a system test
 </beans>
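Review bot: This hunk commits an unresolved merge-conflict marker, `+<<<<<<< HEAD`, into cxf-service.xml, and the following hunk (`@@ -80,5 +81,31 @@`) adds the matching `+=======` and `+>>>>>>> 6e6c139...` lines; the resulting file is not well-formed XML and Spring will fail to load it, so the KerberosTokenTest and KerberosDelegationTokenTest that depend on this service config cannot run. Between the markers the file also ends up with two `jaxws:endpoint` beans with `id="doubleittransportsaml2"` and two `httpj:engine-factory` beans with `id="ClientAuthHttpsSettings"`, so even a lenient parser would hit duplicate bean definitions. The intended resolution is presumably the incoming side, since it references `org.apache.cxf.systest.sts.kerberos.DoubleItPortTypeImpl`, a class this commit introduces, whereas the HEAD side still points at `org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl`; keep that side, delete the three marker lines and the duplicated HEAD block, and verify the file parses before pushing. Adding an XML well-formedness check to the test-resources build step would catch this class of mistake automatically.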