Search in sources :

Example 66 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class TestUsernameTokenValidator method testNoParser.

@Test(expected = IllegalStateException.class)
public void testNoParser() {
    UsernameTokenValidator usernameTokenValidator = getUsernameTokenValidator(null, meanValidator);
    usernameTokenValidator.addRealm(null);
    TokenValidatorParameters tokenValidatorParameters = mock(TokenValidatorParameters.class);
    STSPropertiesMBean stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(mock(Crypto.class));
    when(tokenValidatorParameters.getStsProperties()).thenReturn(stsPropertiesMBean);
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    doCallRealMethod().when(receivedToken).setState(any(ReceivedToken.STATE.class));
    doCallRealMethod().when(receivedToken).getState();
    when(receivedToken.isUsernameToken()).thenReturn(true);
    when(tokenValidatorParameters.getToken()).thenReturn(receivedToken);
    Set<Class<?>> classes = new HashSet<>();
    classes.add(ObjectFactory.class);
    classes.add(org.apache.cxf.ws.security.sts.provider.model.wstrust14.ObjectFactory.class);
    JAXBContextCache.CachedContextAndSchemas cache = null;
    try {
        cache = JAXBContextCache.getCachedContextAndSchemas(classes, null, null, null, false);
    } catch (JAXBException e) {
        fail(e.getMessage());
    }
    JAXBContext jaxbContext = cache.getContext();
    Unmarshaller unmarshaller = null;
    try {
        if (jaxbContext != null) {
            unmarshaller = jaxbContext.createUnmarshaller();
        }
    } catch (JAXBException e) {
        fail(e.getMessage());
    }
    JAXBElement<?> token = null;
    if (unmarshaller != null) {
        try {
            token = (JAXBElement<?>) unmarshaller.unmarshal(this.getClass().getResourceAsStream("/user-no-password.xml"));
        } catch (JAXBException e) {
            fail(e.getMessage());
        }
    }
    when(receivedToken.getToken()).thenReturn(token.getValue());
    usernameTokenValidator.validateToken(tokenValidatorParameters);
}
Also used : JAXBContextCache(org.apache.cxf.common.jaxb.JAXBContextCache) JAXBException(javax.xml.bind.JAXBException) JAXBContext(javax.xml.bind.JAXBContext) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) Crypto(org.apache.wss4j.common.crypto.Crypto) JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Unmarshaller(javax.xml.bind.Unmarshaller) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 67 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class X509PathTokenValidator method validateToken.

/**
     * Validate a Token using the given TokenValidatorParameters.
     *
     * @param tokenParameters
     * @return TokenValidatorResponse
     */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOGGER.trace("Validating X.509 Token");
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    Crypto sigCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setCallbackHandler(callbackHandler);
    requestData.setMsgContext(tokenParameters.getMessageContext());
    requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    BinarySecurity binarySecurity = null;
    BinarySecurityTokenType binarySecurityType = null;
    if (validateTarget.isBinarySecurityToken()) {
        binarySecurityType = (BinarySecurityTokenType) validateTarget.getToken();
        // Test the encoding type
        String encodingType = binarySecurityType.getEncodingType();
        if (!BASE64_ENCODING.equals(encodingType)) {
            LOGGER.trace("Bad encoding type attribute specified: {}", encodingType);
            return response;
        }
        //
        // Turn the received JAXB object into a DOM element
        //
        Document doc = DOMUtils.createDocument();
        binarySecurity = new X509Security(doc);
        binarySecurity.setEncodingType(encodingType);
        binarySecurity.setValueType(binarySecurityType.getValueType());
        String data = binarySecurityType.getValue();
        Node textNode = doc.createTextNode(data);
        binarySecurity.getElement().appendChild(textNode);
    } else if (validateTarget.isDOMElement()) {
        try {
            Document doc = DOMUtils.createDocument();
            binarySecurity = new X509Security(doc);
            binarySecurity.setEncodingType(BASE64_ENCODING);
            X509Data x509Data = new X509Data((Element) validateTarget.getToken(), "");
            if (x509Data.containsCertificate()) {
                XMLX509Certificate xmlx509Certificate = x509Data.itemCertificate(0);
                if (xmlx509Certificate == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN);
                }
                X509Certificate cert = xmlx509Certificate.getX509Certificate();
                ((X509Security) binarySecurity).setX509Certificate(cert);
            }
        } catch (WSSecurityException ex) {
            LOGGER.debug("Unable to set certificate", ex);
            return response;
        } catch (XMLSecurityException ex) {
            LOGGER.debug("Unable to get certificates", ex);
            return response;
        }
    } else {
        return response;
    }
    //
    try {
        Credential credential = new Credential();
        credential.setBinarySecurityToken(binarySecurity);
        if (merlin != null) {
            byte[] token = binarySecurity.getToken();
            if (token != null) {
                if (binarySecurityType != null) {
                    if (binarySecurityType.getValueType().equals(X509_PKI_PATH)) {
                        X509Certificate[] certificates = merlin.getCertificatesFromBytes(token);
                        if (certificates != null) {
                            credential.setCertificates(certificates);
                        }
                    } else {
                        X509Certificate singleCert = merlin.loadCertificate(new ByteArrayInputStream(token));
                        credential.setCertificates(new X509Certificate[] { singleCert });
                    }
                }
            } else {
                LOGGER.debug("Binary Security Token bytes were null.");
            }
        }
        Credential returnedCredential = validator.validate(credential, requestData);
        X500Principal subjectX500Principal = returnedCredential.getCertificates()[0].getSubjectX500Principal();
        response.setPrincipal(subjectX500Principal);
        if (response.getAdditionalProperties() == null) {
            response.setAdditionalProperties(new HashMap<>());
        }
        try {
            String emailAddress = SubjectUtils.getEmailAddress(subjectX500Principal);
            if (emailAddress != null) {
                response.getAdditionalProperties().put(SubjectUtils.EMAIL_ADDRESS_CLAIM_URI, emailAddress);
            }
            String country = SubjectUtils.getCountry(subjectX500Principal);
            if (country != null) {
                response.getAdditionalProperties().put(SubjectUtils.COUNTRY_CLAIM_URI, country);
            }
        } catch (Exception e) {
            LOGGER.debug("Unable to set email address or country from certificate.", e);
        }
        validateTarget.setState(STATE.VALID);
        validateTarget.setPrincipal(subjectX500Principal);
    } catch (WSSecurityException ex) {
        LOGGER.debug("Unable to validate credentials.", ex);
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element) Document(org.w3c.dom.Document) X509Data(org.apache.xml.security.keys.content.X509Data) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) X509Security(org.apache.wss4j.common.token.X509Security) Credential(org.apache.wss4j.dom.validate.Credential) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) X509Certificate(java.security.cert.X509Certificate) XMLX509Certificate(org.apache.xml.security.keys.content.x509.XMLX509Certificate) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) IOException(java.io.IOException) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) XMLX509Certificate(org.apache.xml.security.keys.content.x509.XMLX509Certificate) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) ByteArrayInputStream(java.io.ByteArrayInputStream) X500Principal(javax.security.auth.x500.X500Principal) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)

Example 68 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class UPBSTValidatorTest method setup.

@Before
public void setup() {
    niceValidator.setContextName("realm");
    meanValidator.setContextName("realm");
    stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(new Merlin());
    when(stsPropertiesMBean.getCallbackHandler()).thenReturn(callbacks -> {
    });
    UPAuthenticationToken upAuthenticationToken = new UPAuthenticationToken("good", "password", "realm");
    BinarySecurityTokenType binarySecurityTokenType = new BinarySecurityTokenType();
    binarySecurityTokenType.setValueType(UPAuthenticationToken.UP_TOKEN_VALUE_TYPE);
    binarySecurityTokenType.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
    binarySecurityTokenType.setId(UPAuthenticationToken.BST_USERNAME_LN);
    binarySecurityTokenType.setValue(upAuthenticationToken.getEncodedCredentials());
    upbstToken = new JAXBElement<>(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken"), BinarySecurityTokenType.class, binarySecurityTokenType);
    failedLoginDelayer = mock(FailedLoginDelayer.class);
}
Also used : STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) QName(javax.xml.namespace.QName) UPAuthenticationToken(org.codice.ddf.security.handler.api.UPAuthenticationToken) Merlin(org.apache.wss4j.common.crypto.Merlin) FailedLoginDelayer(org.codice.ddf.security.common.FailedLoginDelayer) Before(org.junit.Before)

Example 69 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class TestX509PathTokenValidator method goodToken.

private void goodToken(String type) {
    try {
        Credential credential = mock(Credential.class);
        X509Certificate x509Certificate = mock(X509Certificate.class);
        X500Principal x500Principal = new X500Principal("cn=myxman,ou=someunit,o=someorg");
        when(x509Certificate.getSubjectX500Principal()).thenReturn(x500Principal);
        X509Certificate[] x509Certificates = new X509Certificate[] { x509Certificate };
        when(credential.getCertificates()).thenReturn(x509Certificates);
        when(validator.validate(any(Credential.class), any(RequestData.class))).thenReturn(credential);
    } catch (WSSecurityException e) {
    //ignore
    }
    x509PathTokenValidator.setValidator(validator);
    TokenValidatorParameters tokenParameters = mock(TokenValidatorParameters.class);
    STSPropertiesMBean stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(tokenParameters.getStsProperties()).thenReturn(stsPropertiesMBean);
    Crypto crypto = mock(Crypto.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(crypto);
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    doCallRealMethod().when(receivedToken).setState(any(ReceivedToken.STATE.class));
    doCallRealMethod().when(receivedToken).getState();
    when(tokenParameters.getToken()).thenReturn(receivedToken);
    when(receivedToken.isBinarySecurityToken()).thenReturn(true);
    BinarySecurityTokenType binarySecurityTokenType = mock(BinarySecurityTokenType.class);
    when(binarySecurityTokenType.getValueType()).thenReturn(type);
    when(receivedToken.getToken()).thenReturn(binarySecurityTokenType);
    when(binarySecurityTokenType.getEncodingType()).thenReturn(X509PathTokenValidator.BASE64_ENCODING);
    when(binarySecurityTokenType.getValue()).thenReturn("data");
    TokenValidatorResponse tokenValidatorResponse = x509PathTokenValidator.validateToken(tokenParameters);
    assertEquals(ReceivedToken.STATE.VALID, tokenValidatorResponse.getToken().getState());
}
Also used : Credential(org.apache.wss4j.dom.validate.Credential) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) X509Certificate(java.security.cert.X509Certificate) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) X500Principal(javax.security.auth.x500.X500Principal) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)

Example 70 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class TestX509PathTokenValidator method testAdditionalPropertyCountry.

@Test
public void testAdditionalPropertyCountry() {
    try {
        Credential credential = mock(Credential.class);
        X509Certificate x509Certificate = mock(X509Certificate.class);
        X500Principal x500Principal = new X500Principal("cn=myxman,ou=someunit,o=someorg,C=US");
        when(x509Certificate.getSubjectX500Principal()).thenReturn(x500Principal);
        X509Certificate[] x509Certificates = new X509Certificate[] { x509Certificate };
        when(credential.getCertificates()).thenReturn(x509Certificates);
        when(validator.validate(any(Credential.class), any(RequestData.class))).thenReturn(credential);
    } catch (WSSecurityException e) {
    //ignore
    }
    x509PathTokenValidator.setValidator(validator);
    TokenValidatorParameters tokenParameters = mock(TokenValidatorParameters.class);
    STSPropertiesMBean stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(tokenParameters.getStsProperties()).thenReturn(stsPropertiesMBean);
    Crypto crypto = mock(Crypto.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(crypto);
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    doCallRealMethod().when(receivedToken).setState(any(ReceivedToken.STATE.class));
    doCallRealMethod().when(receivedToken).getState();
    when(tokenParameters.getToken()).thenReturn(receivedToken);
    when(receivedToken.isBinarySecurityToken()).thenReturn(true);
    BinarySecurityTokenType binarySecurityTokenType = mock(BinarySecurityTokenType.class);
    when(binarySecurityTokenType.getValueType()).thenReturn(X509TokenValidator.X509_V3_TYPE);
    when(receivedToken.getToken()).thenReturn(binarySecurityTokenType);
    when(binarySecurityTokenType.getEncodingType()).thenReturn(X509PathTokenValidator.BASE64_ENCODING);
    when(binarySecurityTokenType.getValue()).thenReturn("data");
    TokenValidatorResponse tokenValidatorResponse = x509PathTokenValidator.validateToken(tokenParameters);
    assertEquals(ReceivedToken.STATE.VALID, tokenValidatorResponse.getToken().getState());
    assertEquals("US", tokenValidatorResponse.getAdditionalProperties().get(SubjectUtils.COUNTRY_CLAIM_URI));
}
Also used : Credential(org.apache.wss4j.dom.validate.Credential) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) X509Certificate(java.security.cert.X509Certificate) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) X500Principal(javax.security.auth.x500.X500Principal) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Test(org.junit.Test)

Aggregations

STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)122 Crypto (org.apache.wss4j.common.crypto.Crypto)93 JAXBElement (javax.xml.bind.JAXBElement)86 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)83 MessageImpl (org.apache.cxf.message.MessageImpl)83 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)83 RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)83 RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)79 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)75 Element (org.w3c.dom.Element)70 Principal (java.security.Principal)56 ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)54 StaticService (org.apache.cxf.sts.service.StaticService)54 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)54 SecurityContext (org.apache.cxf.security.SecurityContext)49 RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)49 RequestedSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType)49 SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)43 Document (org.w3c.dom.Document)38 CallbackHandler (javax.security.auth.callback.CallbackHandler)34