Search in sources :

Example 71 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class TestX509PathTokenValidator method testValidateBadToken.

@Test
public void testValidateBadToken() {
    X509PathTokenValidator x509PathTokenValidator = new X509PathTokenValidator();
    try {
        Credential credential = mock(Credential.class);
        X509Certificate x509Certificate = mock(X509Certificate.class);
        X500Principal x500Principal = new X500Principal("cn=myxman,ou=someunit,o=someorg");
        when(x509Certificate.getSubjectX500Principal()).thenReturn(x500Principal);
        X509Certificate[] x509Certificates = new X509Certificate[] { x509Certificate };
        when(credential.getCertificates()).thenReturn(x509Certificates);
        when(validator.validate(any(Credential.class), any(RequestData.class))).thenThrow(new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_ERROR));
    } catch (WSSecurityException e) {
    //ignore
    }
    x509PathTokenValidator.setValidator(validator);
    TokenValidatorParameters tokenParameters = mock(TokenValidatorParameters.class);
    STSPropertiesMBean stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(tokenParameters.getStsProperties()).thenReturn(stsPropertiesMBean);
    Crypto crypto = mock(Crypto.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(crypto);
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    doCallRealMethod().when(receivedToken).setState(any(ReceivedToken.STATE.class));
    doCallRealMethod().when(receivedToken).getState();
    when(tokenParameters.getToken()).thenReturn(receivedToken);
    when(receivedToken.isBinarySecurityToken()).thenReturn(true);
    BinarySecurityTokenType binarySecurityTokenType = mock(BinarySecurityTokenType.class);
    when(receivedToken.getToken()).thenReturn(binarySecurityTokenType);
    when(binarySecurityTokenType.getEncodingType()).thenReturn(X509PathTokenValidator.BASE64_ENCODING);
    when(binarySecurityTokenType.getValueType()).thenReturn("valuetype");
    when(binarySecurityTokenType.getValue()).thenReturn("data");
    TokenValidatorResponse tokenValidatorResponse = x509PathTokenValidator.validateToken(tokenParameters);
    assertEquals(ReceivedToken.STATE.INVALID, tokenValidatorResponse.getToken().getState());
}
Also used : Credential(org.apache.wss4j.dom.validate.Credential) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) X509Certificate(java.security.cert.X509Certificate) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) X500Principal(javax.security.auth.x500.X500Principal) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Test(org.junit.Test)

Example 72 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class TestX509PathTokenValidator method testAdditionalPropertyEmail.

@Test
public void testAdditionalPropertyEmail() {
    try {
        Credential credential = mock(Credential.class);
        X509Certificate x509Certificate = mock(X509Certificate.class);
        X500Principal x500Principal = new X500Principal("cn=myxman,ou=someunit,o=someorg,EMAILADDRESS=name@example.com");
        when(x509Certificate.getSubjectX500Principal()).thenReturn(x500Principal);
        X509Certificate[] x509Certificates = new X509Certificate[] { x509Certificate };
        when(credential.getCertificates()).thenReturn(x509Certificates);
        when(validator.validate(any(Credential.class), any(RequestData.class))).thenReturn(credential);
    } catch (WSSecurityException e) {
    //ignore
    }
    x509PathTokenValidator.setValidator(validator);
    TokenValidatorParameters tokenParameters = mock(TokenValidatorParameters.class);
    STSPropertiesMBean stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(tokenParameters.getStsProperties()).thenReturn(stsPropertiesMBean);
    Crypto crypto = mock(Crypto.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(crypto);
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    doCallRealMethod().when(receivedToken).setState(any(ReceivedToken.STATE.class));
    doCallRealMethod().when(receivedToken).getState();
    when(tokenParameters.getToken()).thenReturn(receivedToken);
    when(receivedToken.isBinarySecurityToken()).thenReturn(true);
    BinarySecurityTokenType binarySecurityTokenType = mock(BinarySecurityTokenType.class);
    when(binarySecurityTokenType.getValueType()).thenReturn(X509TokenValidator.X509_V3_TYPE);
    when(receivedToken.getToken()).thenReturn(binarySecurityTokenType);
    when(binarySecurityTokenType.getEncodingType()).thenReturn(X509PathTokenValidator.BASE64_ENCODING);
    when(binarySecurityTokenType.getValue()).thenReturn("data");
    TokenValidatorResponse tokenValidatorResponse = x509PathTokenValidator.validateToken(tokenParameters);
    assertEquals(ReceivedToken.STATE.VALID, tokenValidatorResponse.getToken().getState());
    assertEquals("name@example.com", tokenValidatorResponse.getAdditionalProperties().get(SubjectUtils.EMAIL_ADDRESS_CLAIM_URI));
}
Also used : Credential(org.apache.wss4j.dom.validate.Credential) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) X509Certificate(java.security.cert.X509Certificate) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) X500Principal(javax.security.auth.x500.X500Principal) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Test(org.junit.Test)

Example 73 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class TestX509PathTokenValidator method testAdditionalPropertyBoth.

@Test
public void testAdditionalPropertyBoth() {
    try {
        Credential credential = mock(Credential.class);
        X509Certificate x509Certificate = mock(X509Certificate.class);
        X500Principal x500Principal = new X500Principal("cn=myxman,ou=someunit,o=someorg,C=US,EMAILADDRESS=name@example.com");
        when(x509Certificate.getSubjectX500Principal()).thenReturn(x500Principal);
        X509Certificate[] x509Certificates = new X509Certificate[] { x509Certificate };
        when(credential.getCertificates()).thenReturn(x509Certificates);
        when(validator.validate(any(Credential.class), any(RequestData.class))).thenReturn(credential);
    } catch (WSSecurityException e) {
    //ignore
    }
    x509PathTokenValidator.setValidator(validator);
    TokenValidatorParameters tokenParameters = mock(TokenValidatorParameters.class);
    STSPropertiesMBean stsPropertiesMBean = mock(STSPropertiesMBean.class);
    when(tokenParameters.getStsProperties()).thenReturn(stsPropertiesMBean);
    Crypto crypto = mock(Crypto.class);
    when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(crypto);
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    doCallRealMethod().when(receivedToken).setState(any(ReceivedToken.STATE.class));
    doCallRealMethod().when(receivedToken).getState();
    when(tokenParameters.getToken()).thenReturn(receivedToken);
    when(receivedToken.isBinarySecurityToken()).thenReturn(true);
    BinarySecurityTokenType binarySecurityTokenType = mock(BinarySecurityTokenType.class);
    when(binarySecurityTokenType.getValueType()).thenReturn(X509TokenValidator.X509_V3_TYPE);
    when(receivedToken.getToken()).thenReturn(binarySecurityTokenType);
    when(binarySecurityTokenType.getEncodingType()).thenReturn(X509PathTokenValidator.BASE64_ENCODING);
    when(binarySecurityTokenType.getValue()).thenReturn("data");
    TokenValidatorResponse tokenValidatorResponse = x509PathTokenValidator.validateToken(tokenParameters);
    assertEquals(ReceivedToken.STATE.VALID, tokenValidatorResponse.getToken().getState());
    assertEquals("US", tokenValidatorResponse.getAdditionalProperties().get(SubjectUtils.COUNTRY_CLAIM_URI));
    assertEquals("name@example.com", tokenValidatorResponse.getAdditionalProperties().get(SubjectUtils.EMAIL_ADDRESS_CLAIM_URI));
}
Also used : Credential(org.apache.wss4j.dom.validate.Credential) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) X509Certificate(java.security.cert.X509Certificate) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) X500Principal(javax.security.auth.x500.X500Principal) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Test(org.junit.Test)

Example 74 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project ddf by codice.

the class WebSSOTokenValidator method validateToken.

/**
     * Validate a Token using the given TokenValidatorParameters.
     */
@Override
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOGGER.debug("Validating SSO Token");
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    Crypto sigCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    requestData.setCallbackHandler(callbackHandler);
    LOGGER.debug("Setting validate state to invalid before check.");
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    if (!validateTarget.isBinarySecurityToken()) {
        LOGGER.debug("Validate target is not a binary security token, returning invalid response.");
        return response;
    }
    LOGGER.debug("Getting binary security token from validate target");
    BinarySecurityTokenType binarySecurityToken = (BinarySecurityTokenType) validateTarget.getToken();
    //
    // Decode the token
    //
    LOGGER.debug("Decoding binary security token.");
    String base64Token = binarySecurityToken.getValue();
    String ticket = null;
    String service = null;
    try {
        byte[] token = Base64.getDecoder().decode(base64Token);
        if (token == null || token.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Binary security token NOT successfully decoded, is empty or null.");
        }
        String decodedToken = new String(token, Charset.forName("UTF-8"));
        if (StringUtils.isNotBlank(decodedToken)) {
            LOGGER.debug("Binary security token successfully decoded: {}", decodedToken);
            // Token is in the format ticket|service
            String[] parts = StringUtils.split(decodedToken, CAS_BST_SEP);
            if (parts.length == 2) {
                ticket = parts[0];
                service = parts[1];
            } else {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Was not able to parse out BST propertly. Should be in ticket|service format.");
            }
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Binary security token NOT successfully decoded, is empty or null.");
        }
    } catch (WSSecurityException wsse) {
        String msg = "Unable to decode BST into ticket and service for validation to CAS.";
        LOGGER.info(msg, wsse);
        return response;
    }
    //
    try {
        LOGGER.debug("Validating ticket [{}] for service [{}].", ticket, service);
        // validate either returns an assertion or throws an exception
        Assertion assertion = validate(ticket, service);
        AttributePrincipal principal = assertion.getPrincipal();
        LOGGER.debug("User name retrieved from CAS: {}", principal.getName());
        response.setPrincipal(principal);
        LOGGER.debug("CAS ticket successfully validated, setting state to valid.");
        validateTarget.setState(STATE.VALID);
    } catch (TicketValidationException e) {
        LOGGER.debug("Unable to validate CAS token.", e);
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) Assertion(org.jasig.cas.client.validation.Assertion) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) AttributePrincipal(org.jasig.cas.client.authentication.AttributePrincipal) TicketValidationException(org.jasig.cas.client.validation.TicketValidationException)

Example 75 with STSPropertiesMBean

use of org.apache.cxf.sts.STSPropertiesMBean in project cxf by apache.

the class SAMLTokenProvider method createSamlToken.

private SamlAssertionWrapper createSamlToken(TokenProviderParameters tokenParameters, byte[] secret, Document doc) throws Exception {
    String realm = tokenParameters.getRealm();
    RealmProperties samlRealm = null;
    if (realm != null && realmMap.containsKey(realm)) {
        samlRealm = realmMap.get(realm);
    }
    SamlCallbackHandler handler = createCallbackHandler(tokenParameters, secret, samlRealm, doc);
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    if (samlCustomHandler != null) {
        samlCustomHandler.handle(assertion, tokenParameters);
    }
    if (signToken) {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        signToken(assertion, samlRealm, stsProperties, tokenParameters.getKeyRequirements());
    }
    return assertion;
}
Also used : STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback) RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties)

Aggregations

STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)122 Crypto (org.apache.wss4j.common.crypto.Crypto)93 JAXBElement (javax.xml.bind.JAXBElement)86 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)83 MessageImpl (org.apache.cxf.message.MessageImpl)83 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)83 RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)83 RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)79 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)75 Element (org.w3c.dom.Element)70 Principal (java.security.Principal)56 ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)54 StaticService (org.apache.cxf.sts.service.StaticService)54 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)54 SecurityContext (org.apache.cxf.security.SecurityContext)49 RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)49 RequestedSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType)49 SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)43 Document (org.w3c.dom.Document)38 CallbackHandler (javax.security.auth.callback.CallbackHandler)34